1995-08-17 - Re: SSL challenge – broken !

Header Data

From: aba@dcs.exeter.ac.uk
To: perry@piermont.com (“Perry E. Metzger”)
Message Hash: b2da7347583354b4384be0c9e4a0ead98337657d3de6ff4267bce29ed1065ded
Message ID: <7033.9508171341@exe.dcs.exeter.ac.uk>
Reply To: N/A
UTC Datetime: 1995-08-17 13:42:41 UTC
Raw Date: Thu, 17 Aug 95 06:42:41 PDT

Raw message

From: aba@dcs.exeter.ac.uk
Date: Thu, 17 Aug 95 06:42:41 PDT
To: perry@piermont.com ("Perry E. Metzger")
Subject: Re: SSL challenge -- broken !
Message-ID: <7033.9508171341@exe.dcs.exeter.ac.uk>
MIME-Version: 1.0
Content-Type: text/plain



> It has occurred to me that, because the RC4 key crackers spend most
> of their time in key setup, you can crack N SSL sessions that you
> captured in not substantially more time than it took to crack
> 1. This is analogous to the way brute force Unix password file
> hacking operates.

This occurred to me a while ago too, and I thought it a very cool
idea, as it would mean you could do loads of keys at once with little
additional compute time.  Then I changed my mind; there's a reason
this doesn't work with 40 + 88 SSL, I think.

It works well enough for straight RC4, as you just compare lots of
keys at once, the RC4 output which will be XORed just gets compared
against lots of sample plain text / cipher texts simultaneously.

The actual key used is the 40 bit key you're bruting, plus what is
effectively an 88 bit salt (in unix password nomenclature, only unix
password salts are typically 12 bits).

The actual 128 bit RC4 key is generated by taking the MD5 of the known
and unknown key bits, plus a couple of other things.  As the 88 known
bits are randomly generated you can't combine work.

If I have misunderstood something, or there is a way to work around
this, please explain, because being able to do this would be a huge
boon to the key breaker.  It would allow you to break keys at a
ferocious rate if you had lots of keys to break.

Adam
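
An added illustration, not part of the original message: it counts RC4 key setups to show why the per-session known bits act as a salt and stop work being shared across captured sessions. The 10-bit secret, the `MD5(secret || salt)` derivation (a simplification of the real SSL formula) and the sessions themselves are constructed assumptions.

```python
import hashlib

KSA_RUNS = 0  # counts RC4 key setups, the dominant cost the thread refers to

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key setup (KSA) followed by n bytes of output (PRGA)."""
    global KSA_RUNS
    KSA_RUNS += 1
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

BITS = 10  # toy secret size (assumption); the message discusses 40 bits

def salted_key(secret: int, salt: bytes) -> bytes:
    # Simplified stand-in: MD5(secret || 88-bit salt); not the exact SSL formula.
    return hashlib.md5(secret.to_bytes(2, "big") + salt).digest()

def count_key_setups(n_sessions: int, salted: bool) -> int:
    """Return KSA runs needed to test every candidate against every session."""
    global KSA_RUNS
    # Constructed sessions: (secret, salt, keystream prefix from known plaintext).
    sessions = []
    for s in range(n_sessions):
        secret = (37 * s + 5) % (1 << BITS)
        salt = hashlib.md5(bytes([s])).digest()[:11]  # 88 known random bits
        key = salted_key(secret, salt) if salted else secret.to_bytes(2, "big")
        sessions.append((secret, salt, rc4_keystream(key, 8)))
    KSA_RUNS, found = 0, set()
    for cand in range(1 << BITS):
        if salted:   # the salt differs per session, so each needs its own setup
            for idx, (_, salt, ks) in enumerate(sessions):
                if rc4_keystream(salted_key(cand, salt), 8) == ks:
                    found.add(idx)
        else:        # one setup, compared against all captured sessions at once
            ks = rc4_keystream(cand.to_bytes(2, "big"), 8)
            found.update(i for i, t in enumerate(sessions) if t[2] == ks)
    assert len(found) == n_sessions
    return KSA_RUNS
```

With straight RC4 the setup count is independent of the number of sessions; with the salted derivation it grows linearly with it.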





