Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Crypto :: sslcrack.txt

Information on cracking Netscape's SSL encryption protocol




-----BEGIN PGP SIGNED MESSAGE-----

SSL challenge -- broken

This is to announce the solution of the SSL challenge posted by Hal
Finney on July 17, 1995 (message-ID: <3u6kmg$pm4@jobe.shell.portal.com>),
also found at: <URL:http://www.portal.com/~hfinney/sslchal.html>

The 40-bit secret part of the key is 7e f0 96 1f a6.  I found it by a brute
force search on a network of about 120 workstations and a few parallel
computers at INRIA, Ecole Polytechnique, and ENS.  The key was found after
scanning a little more than half the key space in 8 days.

The cleartext of the encrypted data is as follows:

The SERVER-VERIFY message is:

9C B1 C7 83 D9 BB B7 75 01 6F 19 19 03 58 EC 05     MAC-DATA
05                                                  MSG-SERVER-VERIFY
AF 84 A7 79 F8 13 69 20 25 9B 53 A0 60 AE 75 51     CHALLENGE

The CHALLENGE part is a copy of the challenge sent by the client in its
first message.

The answer is the CLIENT-FINISHED message:

22 BB 23 39 55 B0 7F B6 1A B0 35 85 F7 DB C1 E5     MAC-DATA
03                                                  MSG-CLIENT-FINISHED
BF EB 90 F8 2C 0C E1 EA 18 AC 11 4C 83 14 21 B6     CONNECTION-ID

The next message is SERVER-FINISHED:

D4 CD F3 4E 38 F1 2B 1E DC FD 72 C8 34 02 CD FF     MAC-DATA
06                                                  SERVER-FINISHED-BYTE
23 1C 05 40 60 72 49 6E 83 BA D1 28 CC 9B 5F 63     SESSION-ID-DATA

Then comes the data message sent by the client.  This is the juicy one.
I have broken the contents into its fields (the body was just one long
line)

72 23 B5 98 0D D0 07 1A DA F1 C7 A4 40 41 5A 10     MAC-DATA
POST /order2.cgi HTTP/1.0
Referer: https://order.netscape.com/order2.cgi
User-Agent: Mozilla/1.1N (Macintosh; I; PPC)
Accept: */*
Accept: image/gif
Accept: image/x-xbitmap
Accept: image/jpeg
Content-type: application/x-www-form-urlencoded
Content-length: 472

source-form=order2-cust.html&
order_number=31770&
prod_80-01020-00_Mac=1&
carrier_code=UM&
ship_first=Cosmic&
ship_last=Kumquat&
ship_org=SSL+Trusters+Inc.&
ship_addr1=1234+Squeamish+Ossifrage+Road&
ship_addr2=&
ship_city=Anywhere&
ship_state=NY&
ship_zip=12345&
ship_country=USA&
ship_phone=&
ship_fax=&
ship_email=&
bill_first=&
bill_last=&
bill_org=&
bill_addr1=&
bill_addr2=&
bill_city=&
bill_state=&
bill_zip=&
bill_country=USA&
bill_phone=&
bill_fax=&
bill_email=&
submit=+Submit+Customer+Data+

This order came from Mr Cosmic Kumquat, SSL Trusters Inc.,
1234 Squeamish Ossifrage Road, Anywhere, NY 12345 (USA).

Unfortunately, Mr Kumquat forgot to give his phone number, and the
server's reply (in two packets) is:

09 12 AD FE A5 A9 BF D1 8C 8C E2 6A A3 48 B9 75    MAC-DATA
HTTP/1.0 200 OK
Server: Netscape-Commerce/1.1
Date: Wednesday, 12-Jul-95 05:40:30 GMT
Content-type: text/html

1C CD C4 3D 80 F1 7B 94 11 AC E8 72 B1 99 BC FA    MAC-DATA
<TITLE>Error</TITLE><H1>Error</H1>
The shipping address you supplied is not complete.  The street address,
city, state, zip code, country and phone number are mandatory fields.
Please go back and specify the full shipping address.  Thank you.


This result was found with a quick-and-dirty distributed search program,
which I wrote when I realized that the cypherpunks were going to be a few
weeks late with their collective effort.  When the program was running,
it took little more than one week to find the key (it would have taken about
15 days to sweep the entire key space).  I ran it on almost all the machines
I have access to, summarized in the following table:

type                  speed (keys/s)    number     notes
- --------------------------------------------------------
DEC (alpha)           18000-33000        34
DEC (MIPS)            2500-7500          11
SPARC                 2000-13000         57
HP (HPPA/snake)       15000              3
Sony (R3000)          1100-4000          3
Sun 3                 600                2
Sequent B8000         100 x 10           1         (1)
Multimax (NS532)      600 x 14           1         (1)
KSR                   3200 x 64          1         (1) (2)

Notes:
1.  These are multiprocessor machines
2.  The KSR spent only about 2 days on this computation.

The total average searching speed was about 850000 keys/s,
with a maximum of 1350000 keys/s (1150000 without the KSR).


Conclusions:

* Many people have access to the amount of computing power that I used.
  The exportable SSL protocol is supposed to be weak enough to be
  easily broken by governments, yet strong enough to resist the attempts
  of amateurs.  It fails on the second count.  Don't trust your credit
  card number to this protocol.

* Cypherpunks write code, all right, but they shouldn't forget to run it.


I want to thank the people at INRIA, Ecole Polytechnique, and Ecole
Normale Superieure for giving their CPU time.  (Most of them are on
vacation anyway...)


You can find a copy of this text at
<URL:http://pauillac.inria.fr/~doligez/ssl/announce.txt>

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCSAwUBMDG4dVNZwSQVabihAQGeFAPnUZil4WlauoMke9HaULDNOVf1hLXS0i9U
VJWZsPHcihDbn6nBN9T6f3sW/S08N5YJFSCmuZzqO59c0nOAKILb6a3TsXjFEcu8
W8UfwFsZa6gx7iuYqandhoHBEkkc5NSwMe1f+lPiV2MdclzQ4/VtZ7Oa1VB+RftD
Am4+w/Y=
=Fju1
-----END PGP SIGNATURE-----

**** This is a timestamp of the above message:

-----BEGIN PGP MESSAGE-----
Version: 2.6.2

iQBVAwUAMDGsOeWrvYiumrHZAQF0QwIAnDWdVVTiVmUTY5lp08yPeLRoFetczb+U
E0WVgTUJ4a16tinOPaJl/6jOpPUUPWMjkDaD2N1xw8lGqm0UgZJiGIkAkgMFATAx
uKJTWcEkFWm4oQEBAQ8D5ixvYrpEAQYfeNXmbB46BTTnBwBPS/JjfVFEEnC0Zsoj
cyh/WELUsZf785b23vEq9JFvZB+bq1UsJTpttl335TrW344ZYof3kl6fdEF2Jf5q
LxQjkuP9s/OQX5iJZpHz4LUxbb+/hOwSdZ2O3LV7ETiHs9AK1+bnKfOGDyei
=qO7V
-----END PGP MESSAGE-----


FOLLOW-UP

As reported in today's Wall Street Journal, a French student at the Ecole 
Polytechnique has cracked Netscape's encryption scheme. It took 120 
computer workstations and two supercomputers eight days to crack the 
40-bit encryption key. The student reported his results on a cypherpunk 
news group. Netscape was upset about this because they are limited to a 
40-bit encryption scheme because of "archaic" export laws. The U.S. 
version of Netscape uses a 128-bit key. Netscape gets its encryption 
license from RSA which has previously complained to the government about 
the weakness in a 40-bit key. In an interesting twist, an unnamed group 
of software executives reported to the White House last week that the 
restrictive export regulations could impact America's competitiveness 
overseas.





TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH