08-26-2010 #21 Keeper75 Guest
Exactly... that's what I was trying to explain to you - you can have:
- A file with an encryption algo
- A file with an authentication algo
- A file with encryption AND authentication algo
08-26-2010 #22 tripellex Guest
lol Guys, guys, I wasn't meaning it would crack MD5 encryption. I meant using a similar setup like what they used, with 200 PS3s brute forcing, we may be able to extract the encryption keys for the Cell. What I meant regarding MD5 was the hash comparison between an encrypted and decrypted EBOOT.BINs of a game, and somehow utilizing that to crack the encrypted EBOOT.
Now my question is, are the encryption keys for all PS3 games and systems the same? Or are they console-dependent? I would think that every system has a master set of keys, to decrypt any game on any console version on-the-fly.
08-26-2010 #23 Keeper75 Guest
What those researchers did was create two digital certificates to which they applied a hash hack attack, which allowed them to sign the forged certificate so as to make it a valid one.
Let me put it in other terms: imagine that you have a sheet of paper on which you have written, say, your name, in plain text with your special RED pen (your MD5 hash). Now, someone else comes, sees your sheet, and tries to write their own sheet with your name, but with their BLUE pen (their MD5 hash). The text is the same but the color is different. Of course you'll notice that their sheet is not the original. (blue vs red doesn't match - aka md5 hash)
Now, imagine the same concept but instead of using colored pens you used a pencil and you have replaced the letters by numbers in your paper (say 1=A; 2=B, 3=C) and you wrote "123" on it (encryption). Now assume that someone else tries to encrypt his name but they don't know that 1=A,2=B (your encryption scheme) - when you try to decrypt it it won't make sense, hence the decryption will fail.
So, all in all, you can authenticate and encrypt your documents which are two different things.
2nd, even if they were and assuming that they simply used an MD5 integrity check algo (which they probably don't use - maybe a SHA1 or SHA2), you could theoretically replace their master keys with your own and have them validated online by applying an MD5 hash attack on them.
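The distinction drawn in posts #21 and #23 between encrypting a file and authenticating it, as an added example that is not part of the original thread. The keys, file content and toy stream cipher are constructed for illustration; HMAC-SHA256 stands in for whatever authentication scheme a real system uses.

```python
import hashlib
import hmac

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (illustration only): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes):
    """Encrypt-then-MAC: the cipher hides the content, the HMAC tag authenticates it."""
    ct = keystream_xor(enc_key, plaintext)
    return ct, hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, ct: bytes, tag: bytes):
    """Check the tag in constant time before decrypting; None means rejected."""
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return keystream_xor(enc_key, ct)

def md5_check(data: bytes, digest: bytes) -> bool:
    """Unkeyed integrity check: compares the file against a digest shipped with it."""
    return hmac.compare_digest(hashlib.md5(data).digest(), digest)

def demo() -> dict:
    # Constructed keys and file content, for illustration only.
    enc_key, mac_key = b"constructed-enc-key", b"constructed-mac-key"
    ct, tag = seal(enc_key, mac_key, b"region=EU;debug=0")
    # A party holding neither key flips one bit in the last ciphertext byte
    # and recomputes the unkeyed digest over the modified file.
    tampered = ct[:-1] + bytes([ct[-1] ^ 0x01])
    recomputed = hashlib.md5(tampered).digest()
    return {
        # Encryption alone: decryption "succeeds" and yields altered content.
        "encrypt_only": keystream_xor(enc_key, tampered),
        # Unkeyed digest: passes, because no secret is needed to recompute it.
        "bare_md5_accepts": md5_check(tampered, recomputed),
        # Keyed tag: the modification is rejected before any decryption.
        "authenticated": open_sealed(enc_key, mac_key, tampered, tag),
        "untampered": open_sealed(enc_key, mac_key, ct, tag),
    }

if __name__ == "__main__":
    print(demo())
```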
08-28-2010 #24 avojps24 Guest
According to Kanna Shimizu (the Security Architect for the Cell Broadband Engine) this type of authentication check has many flavors, but one method it uses is "the hardware root of trust" or, simply put, a hardware key that is generated arbitrarily within the LS (local store).
B) Regardless of whether the code is booted before or after the RSB, it is not possible to execute a program to successfully brute force calls to the isolated SPE. This is mainly due to the fact that this so-called "program" would first need to be authenticated by one of the cryptographic-based authentication checks, and as we know the integrity of these authentication checks is highly proficient, as they use both software and hardware based methods to ensure their reliability...
Even if you used geohot's hypervisor memory exploit or found an exploit yourself, and gained LV1 & LV2 access, and had full control over the PPE, you would still not be able to gain access to the isolated SPE due to the SPV, RSB, and hardware root of secrecy, thus never having a chance to decrypt the hardware keys, etc.
C) Exactly, the system would halt, thus eliminating any chance of breaking into the isolated SPE.
D) Let us first try and gain access to the ISPE before we can even think about attempting to decrypt any of their hardware root keys, but to answer your question we do not have any clue as to what type of encryption schema the ISPEs use. If I were to guess, it would be one that is NOT easily decrypt-able.
Here are some reference links to the information I talked about above:
Cell Broadband Engine Security : http://www.ibm.com/developerworks/po...-cellsecurity/
geohot's exploit: http://rdist.root.org/2010/01/27/how...or-was-hacked/
programming apps on the Cell: http://www.ibm.com/developerworks/li...pa-linuxps3-1/
list of lv1 hypervisor calls: http://wiki.ps2dev.org/ps3:hypervisor
I hope this information has better helped you understand the security of the cell.
08-29-2010 #25 avojps24 Guest
Looks like Sony uses AACS (Advanced Access Content System) type encryption on their Blu-ray and digital content.
08-29-2010 #26 rumblpak Guest
Yes, they use AACS on their discs but I guarantee they use other encryption schemes in their hardware than on their discs.
08-30-2010 #27 avojps24 Guest