Jump to content

SSL unexploitable to mankind?


bytedeez

Recommended Posts

Haven't read the article yet, but most of the current crypto is based on the concept of using numbers so large an exhaustive search of the keyspace isn't feasible. As soon as another Einstein jumps up and say "Yeah, but did you consider ..." and a crypto guy goes "Yeah we... umm.. what? No. Is that even possible?" you're fucked. Supposedly quantum computing is going to be that silver bullet, although the tech is still some ways off from practical use.

Update: I checked the link. The article is from august of last year and refers to a StackExchange question from november 2011 which, incidentally, I didn't see a link to in the original article (Bad reporter! Bad! No coffee for you).

What they wondered was what the cost would be to crack a 256-bit AES key in 1 year. So, given that timeframe what computational might needs to be put to task to crack the crypto and what would the power cost of that be.

Assumptions:

- Price of enercy = $0.12/kWh

- Server power consumption = 430 W

- Computational might of 1 server = 10^14 decryptions per second

They cite the computational power as very optimistic but considering a single Titan X is already at 5^11 I would call it nothing more than 'just' optimistic. Give it a few more years and we're probably down to 'available but very expensive' level. Put some financial incentive into the mix as has happened with Bitcoin mining and you'd be amazed what can happen. The problems start when you realize you need quite a few of these machines to be able to crack it within a year. It comes down to 1.84∗10^55 machines. Let's say you could cram that machine into the size of an 11" pizza box which would be 29*29*4.5 cm for those that left the dark ages. That amounts to 696.348 *10^44 cubic meters. The volume of the earth is just 1.1 * 10^20 cubic meters.

In conclusion: Going by the numbers and playing by the rules it can't be done. You need more computers than there is mass in the earth, run it non-stop for a year and in the process consume more electricity than can be imagined (I'm thinking more energy would be expelled than our sun is currently managing...). The only way to solve the problem is using some breakthrough in looking at the algorithm - something that would allow you to reduce the keyspace by several orders of magnitude. And I'm quite confident such a thing will eventually occur, probably still within my lifetime.

I mean, my next phone is likely to have a processor in it that can put a typical desktop machine from the previous century to shame. Back then SHA-1 was considered pretty good. Technology progresses at a merciless pace and it's going to catch up one way or the other. It's one of the reasons why we have multiple algorithms aswell as multiple keysizes - if something gets broken you know you have alternatives.

Edited by Cooper
Link to comment
Share on other sites

Since the last set of attacks against SSLv3 the concept of SSL has been considered dead, to be replaced by TLS. TLS will last a few years and then someone will find either a weakness in the crypto or the common implementations of it and it to will become weak and breakable and we will move on to something else.

Link to comment
Share on other sites

Advances in mathematics are not that frequent but when they happen the revolutionize encryption. The most secure cryptography today will one day be weak encryption that you shouldn't use.

Link to comment
Share on other sites

If you're looking to decrypt SSL/TLS traffic, you're going to need to think outside of the box a bit... One way or another, you are going to need to get your hands on a valid private key that the client sees as a trusted authority... Lots of ways to do that, really depends on circumstances... If you are already authorized on the victim network, you could perform a MitM-style attack + DNS spoof, in which you'd lure the victim to accept your self-signed certificate... Lots of ways to do that. Really, at the end of the day there is more than one way to skin a cat.

Link to comment
Share on other sites

These responses are great.

You see i agree with what you all are saying.

I believe that today the easiest way is good ole fashioned SE. Along with improper implementation based on either SSL/TSL protocol or human error.

I personally think the guys at sensepost are on the right track to fully exploit the implementation. Now they are just at the tip of the iceberg but it is a start.

I don't believe its going to be a single individual that does crack the encryption, the encryption is strong. I think for now its a waste of time and resources for people or organization of people to worry about.

but the protocol that which its implemented now that something is say we'll see exploited within in the next few years.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...