Flame crypto attack was very hard to pull off, security researcher says
The MD5 collision attack carried out by Flame's authors took more attempts to pull off than the RapidSSL one in 2008
By Lucian Constantin
June 12, 2012 — IDG News Service — The MD5 collision attack used by the creators of the Flame malware was significantly more difficult to pull off than an earlier attack that resulted in the creation of a rogue CA certificate, according to security researcher Alexander Sotirov.
In December 2008, at the Chaos Communication Congress (CCC) in Berlin, an international team of security researchers that included Sotirov presented a practical MD5 collision attack that allowed them to obtain a rogue CA certificate signed by VeriSign-owned RapidSSL.
The attack was significant because it showed for the first time that at least one of the known theoretical MD5 collision techniques could be used in practice to defeat the security of the HTTPS (HTTP Secure) protocol. To pull off the attack, the researchers used computing power generated by a cluster of 200 PlayStation 3s.
The creators of the Flame cyber-espionage malware used a similar attack to obtain a rogue digital certificate that allowed them to sign code as Microsoft. The certificate was used to distribute Flame to targeted computers as an official Windows update.
Last week, cryptanalysts announced that the MD5 collision attack used by Flame's creators was not identical to the RapidSSL one, which has been fully documented since 2009. Rather, the Flame attack uses a different method that might have been developed in parallel.
While this is an impressive achievement in itself, it turns out that the Flame attack was also significantly more difficult to pull off than the RapidSSL one.
The RapidSSL attackers had a one-second window to obtain a legitimate certificate with a serial number they predicted in advance and whose signature could be copied over to their rogue certificate. It took several attempts to time this right, and after each failed attempt they had to generate a new rogue certificate, which took several hours.
The Flame attackers had only a one-millisecond window to obtain the right certificate signed by Microsoft, said Sotirov, co-founder and chief scientist at security firm Trail of Bits, in a presentation at the SummerCon conference on Saturday. That means they probably needed a far greater number of attempts to succeed.
The RapidSSL attack would have cost around US$20,000 if it had been performed on Amazon's EC2 cloud. The Flame attack would have cost between 10 and 100 times more, Sotirov said.
"[Sotirov's] analysis on the time window seems to be correct and is excellent research," said Marc Stevens, a scientific staff member in the cryptology group at the Dutch national research center for mathematics and computer science (CWI), via email.