[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
SSL challenge -- broken !
-----BEGIN PGP SIGNED MESSAGE-----
SSL challenge -- broken
This is to announce the solution of the SSL challenge posted by Hal
Finney on July 17, 1995 (message-ID: <[email protected]>),
also found at: <URL:http://www.portal.com/~hfinney/sslchal.html>
The 40-bit secret part of the key is 7e f0 96 1f a6. I found it by a brute
force search on a network of about 120 workstations and a few parallel
computers at INRIA, Ecole Polytechnique, and ENS. The key was found after
scanning a little more than half the key space in 8 days.
The cleartext of the encrypted data is as follows:
The SERVER-VERIFY message is:
9C B1 C7 83 D9 BB B7 75 01 6F 19 19 03 58 EC 05 MAC-DATA
AF 84 A7 79 F8 13 69 20 25 9B 53 A0 60 AE 75 51 CHALLENGE
The CHALLENGE part is a copy of the challenge sent by the client in its
The answer is the CLIENT-FINISHED message:
22 BB 23 39 55 B0 7F B6 1A B0 35 85 F7 DB C1 E5 MAC-DATA
BF EB 90 F8 2C 0C E1 EA 18 AC 11 4C 83 14 21 B6 CONNECTION-ID
The next message is SERVER-FINISHED:
D4 CD F3 4E 38 F1 2B 1E DC FD 72 C8 34 02 CD FF MAC-DATA
23 1C 05 40 60 72 49 6E 83 BA D1 28 CC 9B 5F 63 SESSION-ID-DATA
Then comes the data message sent by the client. This is the juicy one.
I have broken the contents into its fields (the body was just one long
72 23 B5 98 0D D0 07 1A DA F1 C7 A4 40 41 5A 10 MAC-DATA
POST /order2.cgi HTTP/1.0
User-Agent: Mozilla/1.1N (Macintosh; I; PPC)
This order came from Mr Cosmic Kumquat, SSL Trusters Inc.,
1234 Squeamish Ossifrage Road, Anywhere, NY 12345 (USA).
Unfortunately, Mr Kumquat forgot to give his phone number, and the
server's reply (in two packets) is:
09 12 AD FE A5 A9 BF D1 8C 8C E2 6A A3 48 B9 75 MAC-DATA
HTTP/1.0 200 OK
Date: Wednesday, 12-Jul-95 05:40:30 GMT
1C CD C4 3D 80 F1 7B 94 11 AC E8 72 B1 99 BC FA MAC-DATA
The shipping address you supplied is not complete. The street address,
city, state, zip code, country and phone number are mandatory fields.
Please go back and specify the full shipping address. Thank you.
This result was found with a quick-and-dirty distributed search program,
which I wrote when I realized that the cypherpunks were going to be a few
weeks late with their collective effort. When the program was running,
it took little more than one week to find the key (it would have taken about
15 days to sweep the entire key space). I ran it on almost all the machines
I have access to, summarized in the following table:
type speed (keys/s) number notes
DEC (alpha) 18000-33000 34
DEC (MIPS) 2500-7500 11
SPARC 2000-13000 57
HP (HPPA/snake) 15000 3
Sony (R3000) 1100-4000 3
Sun 3 600 2
Sequent B8000 100 x 10 1 (1)
Multimax (NS532) 600 x 14 1 (1)
KSR 3200 x 64 1 (1) (2)
1. These are multiprocessor machines
2. The KSR spent only about 2 days on this computation.
The total average searching speed was about 850000 keys/s,
with a maximum of 1350000 keys/s (1150000 without the KSR).
* Many people have access to the amount of computing power that I used.
The exportable SSL protocol is supposed to be weak enough to be
easily broken by governments, yet strong enough to resist the attempts
of amateurs. It fails on the second count. Don't trust your credit
card number to this protocol.
* Cypherpunks write code, all right, but they shouldn't forget to run it.
I want to thank the people at INRIA, Ecole Polytechnique, and Ecole
Normale Superieure for giving their CPU time. (Most of them are on
You can find a copy of this text at
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
**** This is a timestamp of the above message:
-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----