
Researchers Create Web Skeleton Key With 200 PS3s


Using a cluster of 200 PS3s, an international group of researchers has crafted a "skeleton key" digital certificate that can perfectly impersonate any website on the internet.


The weak point that allows the technique to work—which researchers will be detailing at the 25th Chaos Communication Congress in Berlin—is the MD5 hash algorithm, which, basically, is what's used to create a fingerprint that makes it hard to forge digital certificates. Verisign's RapidSSL still uses the MD5 hash algorithm.

So, where do the crack-friendly PlayStation 3s come in? Well, they have to generate a CA certificate—the certificate that allows them to sign and verify certificates for any other site—and a website certificate that produce the same MD5 hash. A cluster of 200 PS3s was used to figure out where the MD5 hashes of their forged CA certificate and website certificate "collide," allowing them to "crunch out their forgery in about three days."


What's all this mean? David Molnar, a computer science PhD candidate who talked to Threat Level, explains it best: "We can impersonate and you won't notice... The padlock will be there and everything will look like it's a perfectly ordinary certificate." Thankfully, the hack is hard, but the solution is pretty easy—just switch to a more secure hash, which many companies have done. Verisign is currently in the process of phasing out the MD5 hash. [Threat Level]



Wouldn't it have been easier (and faster?) to do this with some dual or quad core desktops? Maybe I'm missing something here, but PS3s seem less than optimal for this sort of thing.