Flame crypto attack was very hard to pull off, security researcher says

The MD5 collision attack carried out by Flame's authors took more attempts to pull off than the RapidSSL one in 2008

The MD5 collision attack used by the creators of the Flame malware was significantly more difficult to pull off than an earlier attack that resulted in the creation of a rogue CA certificate, according to security researcher Alexander Sotirov.

In December 2008, at the Chaos Communication Congress (CCC) in Berlin, an international team of security researchers that included Sotirov presented a practical MD5 collision attack that allowed them to obtain a rogue CA certificate signed by VeriSign-owned RapidSSL.

The attack was significant because it showed for the first time that at least one of the known theoretical MD5 collision techniques could be used in practice to defeat the security of the HTTPS (HTTP Secure) protocol. To pull off the attack, the researchers used computing power generated by a cluster of 200 PlayStation 3s.

The creators of the Flame cyber-espionage malware used a similar attack to obtain a rogue digital certificate that allowed them to sign code as Microsoft. The certificate was used to distribute Flame to targeted computers as an official Windows update.

Last week, cryptanalysts announced that the MD5 collision attack used by Flame's creators was not identical to the RapidSSL one, which has been fully documented since 2009. Rather, the Flame attack uses a different method that might have been developed in parallel.

While this is an impressive achievement in itself, it turns out that the Flame attack was also significantly more difficult to pull off than the RapidSSL one.

The RapidSSL attackers had a one-second window to obtain a legitimate certificate with a serial number they predicted in advance and whose signature could be copied over to their rogue certificate. It took several attempts to time this right, and after each failed attempt they had to generate a new rogue certificate, which took several hours.

The Flame attackers had only a one-millisecond window to obtain the right certificate signed by Microsoft, said Sotirov, co-founder and chief scientist at security firm Trail of Bits, in a presentation at the SummerCon conference on Saturday. That means they probably needed a far greater number of attempts to succeed.

The RapidSSL attack would have cost around US$20,000 if it had been performed on Amazon's EC2 cloud. The Flame attack would have cost between 10 and 100 times more, Sotirov said.

"[Sotirov's] analysis on the time window seems to be correct and is excellent research," said Marc Stevens, a scientific staff member in the cryptology group at the Dutch national research center for mathematics and computer science (CWI), via email.

"This would significantly increase the overall cost and I agree with that assessment," said Stevens, another member of the team that performed the RapidSSL attack in 2008.

However, Stevens didn't agree with Sotirov's estimate for the theoretical cost of using Amazon's cloud for the attack. That's because there's currently not enough information about the MD5 collision method used in the Flame attack.

Sotirov assumes the attack had a similar cost-per-attempt as the RapidSSL one, Stevens said. However, the Flame attackers might have used a method that was faster, or one that was slower.

He expects they used a slower method, but that's still being researched and the findings won't be released until later.

The Flame attackers might also have had free access to powerful computer hardware, which would have significantly reduced the time required to perform the attack.

"More powerful hardware reduces the wall clock time," Stevens said. "The collision attack is highly parallelizable and a big cluster can be used very efficiently."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?