

PS3 Master Key Found and PS3 Dongle ID Key Generator Released - y0ghur7_xxx
http://www.ps3hax.net/2010/12/ps3-dongle-id-key-generator/

======
NateLawson
The two exploits in the subject line are two completely separate things. The
main focus of the linked article at ps3hax.net is a key which is used to HMAC-
authenticate the service mode dongle. The source code for that is here:

<https://github.com/winocm/ps3-donglegen>

The more interesting hack was announced at 27c3. A team comprised of Wii
hackers has discovered Sony's main boot-signing private key. This is like
discovering Verisign's private key -- you can now issue any SSL cert you want.
They can sign any hypervisor they want, which leads to running any code you
want.

They were able to do this because (surprise), there was a crypto mistake in
the implementation. Two (or more) ECDSA signatures were generated with the
same secret nonce. Apparently Sony doesn't read our blog because we discussed
this flaw before:

<http://rdist.root.org/2010/11/19/dsa-requirements-for-random-k-value/>

And before that, we discussed a variant of this attack when the Debian PRNG
was broken:

<http://rdist.root.org/2009/05/17/the-debian-pgp-disaster-that-almost-was/>

The cool thing about this flaw is that the private key is not present in the
PS3 anywhere. It (probably) only exists at some locked down code-signing
center. However, a software flaw in the way it generated the signatures was
effectively painting the private key on the side of every signed code module
released.

And people still think crypto isn't dangerous?
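The nonce-reuse flaw described above, as an added example that is not part of the original thread or of any PS3 tooling: a minimal textbook ECDSA over secp256k1 in pure Python (standard public curve parameters), a defensive check that flags repeated `r` values across a set of signatures, and the arithmetic showing why a repeat is fatal. The private key, the nonce and the "module" messages are all constructed for the demonstration; the point multiplication is deliberately simple and not constant-time.

```python
import hashlib
import secrets

# secp256k1 domain parameters: y^2 = x^3 + 7 over GF(P); G has prime order N.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (educational, not constant-time)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def msg_hash(message):
    """SHA-256 of the message reduced mod N, used for both signing and verifying."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def ecdsa_sign(d, h, k=None):
    """Sign hash h under private key d. k is the per-signature nonce; passing
    the same k for two different messages reproduces the flaw discussed above."""
    if k is None:
        k = secrets.randbelow(N - 1) + 1              # fresh uniform nonce in [1, N-1]
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (h + r * d) % N
    return (r, s)


def ecdsa_verify(pub, h, sig):
    """Standard verification: (h/s)G + (r/s)Q must have x-coordinate r mod N."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    point = ec_add(ec_mul(h * w % N, G), ec_mul(r * w % N, pub))
    return point is not None and point[0] % N == r


def find_nonce_reuse(signatures):
    """Defensive audit over (label, r, s) triples made under one key: any r shared
    by two or more signatures means the nonce k was reused."""
    by_r = {}
    for label, r, _s in signatures:
        by_r.setdefault(r, []).append(label)
    return {r: labels for r, labels in by_r.items() if len(labels) > 1}


def recover_private_key(h1, sig1, h2, sig2):
    """Why the audit matters: with a shared k (hence shared r),
    s1 - s2 = k^-1 (h1 - h2) mod N, so k and then d follow by division."""
    r1, s1 = sig1
    r2, s2 = sig2
    if r1 != r2:
        raise ValueError("signatures do not share a nonce")
    if (s1 - s2) % N == 0:
        raise ValueError("identical signatures, nothing to solve for")
    k = (h1 - h2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - h1) * pow(r1, -1, N) % N
```

In practice the audit is the cheap part: collect every signature a key has ever produced and look for a repeated `r`. The fix on the signing side is a nonce that is either truly random and never reused or derived deterministically from the key and message (RFC 6979), so that two different modules can never share `k`.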

~~~
daeken
I know enough about crypto to know that I need to stay away from it. I can
tell people about common pitfalls and all that, but I'm nowhere near good
enough to stay out of all of them myself. It's times like these that I'm happy
to be on the side of analyzing this stuff rather than developing it.

~~~
NateLawson
It's definitely easier to look for known flaws, such as obvious spec
violations like this ECDSA signing flaw. It's much harder to review a high-
assurance system and be sure you've anticipated all possible ways something
might fail years down the road.

One point I have not said recently is that crypto review is very expensive in
terms of time and money. So the design approach to security problems should be
roughly:

1. Avoid crypto if possible. Store data on the server, for example. Doing
this correctly is orders of magnitude easier than developing crypto protocols.

2. If using crypto, use something high-level. GPG is a great example of a
bundle of crypto primitives with a well-understood protocol for encryption,
integrity protection, and key management. PGP has been around for 20 years
now.

3. If none of the above works, develop custom crypto protocol. But budget 10x
for review as for design/implementation. So if you spend a week and $10,000
developing it, spend 10 weeks and $100,000 to review/improve it. This includes
external review, not just internal. This goes for everyone, even "experts".

My main point is: "Crypto costs a lot. Are you sure you want to pay for it?"
Because if you do implement custom crypto, you (or your users) will pay for it
one way or another.

------
rit
This sounds interesting but is completely lacking in context for those not
intimately familiar with the PS3 and hacking thereof.

What is the dongle ID exactly?

~~~
bennysaurus
Apologies if this is overly simplified, not sure of your level of expertise
(can give you the more complex one too if you want more information!). The
dongle in this case is a USB diagnostic tool used by Sony employees and
technicians to put a PS3 into service mode.

Essentially it's plugged in and the PS3 started up. The PS3 communicates with
the dongle and swaps a set of 'secure' keys to authenticate that the dongle is
legitimate, then runs some code to give you access to all sorts of options
you normally wouldn't be able to see/use.

What these guys have done is found the master key present in all PS3s that
allows it to authenticate any/all service dongles. Using this information one
can generate their own service ID and ultimately create their own dongle.

Basically this was possible to do because the protection mechanisms in place
to protect the key relied on the rest of the system not being broken. Once the
system was hacked it was simply a matter of time before this was decoded as
well.

~~~
TheCondor
Thanks for that.

From my own experience, service mode on a lot of embedded devices typically
exposes some diagnostics and maybe lets you load some things you couldn't
otherwise load; I assume it's the same on the PS3. I also assume this doesn't
compromise Sony's ability to sign software or allow third parties to sign
software; however, in service mode you might not need "signed" software.

Heck, there are off-the-shelf solutions for this stuff: there are chips you
can load a set of keys into at manufacturing time, and they contain all the
crypto in the chip such that there is close to no way it could "leak" out. I'd
assume IBM, Toshiba and Sony would use something like that, and if they
properly generate keys the only real way the "master key" could escape would
be a rogue employee leaking it. They knew people would attack the platform.

~~~
bennysaurus
No worries.

Yep, you're spot-on in this case, and as you say the software signing keys
haven't been compromised, though they aren't needed in service mode.

There are definitely ways the dongle keys could have been better protected
(and I'm sure a few people are having some very serious talks about why they
weren't), but you have to give Sony kudos for having a system last 3 years
without being compromised, and even now it's only easily broken at ring 2, the
GameOS level of the system.

~~~
daeken
It's simple to protect the dongle keys better: sign the dongle ID. In this
way, only the public key exists on the PS3, and the system is secure (if
implemented properly). As it stands, their system is equivalent to having both
the public and private key sitting on the PS3. No matter how well you protect
this key, the system is still broken in theory.

~~~
bennysaurus
Agreed with the way it could be done better though they didn't actually have
the private key on the system. They really badly implemented their crypto so
they might as well have though.

~~~
daeken
I'm referring purely to the dongle attack. When you use an HMAC in that way,
your secret _is_ your "private" key. It also just happens to be the "public"
key as well. That's why it's a terrible design.

------
robryan
Amazes me how resilient overall the PS3 has been to hacking/playing copied
games, given that so much stuff these days is cracked on release day.

~~~
burgerbrain
It's really not so amazing. Unlike other platforms, the PS3 gave hackers a
good deal of freedom to do as they wished when it was released. It was only a
few months ago when OtherOS was removed that people got pissed and actually
started looking at jailbreaking it in a serious way.

~~~
ygd
IIRC, there's a class-action lawsuit against Sony for removing OtherOS.

~~~
CamperBob
I believe it was recently thrown out.

~~~
honeycrisp
Citation? The latest news I could find on Google was that the nine or so
class actions were consolidated into one, and that Sony has filed a motion to
dismiss, but nothing more than that.

------
y0ghur7_xxx
There is also a JavaScript Dongle Key Generator:

<http://www.teknoconsolas.es/usbdongle/usbdongle.html>

------
daeken
Why, oh why, would you ever use an HMAC in this way? HMACs are great for
validating your own data (e.g. "secure cookies"), but anyone who can validate
an HMAC can also generate them. Repeat after me: HMACs are not signatures.

~~~
aschobel
Can you expand on that?

For example AWS uses HMACs for signatures, what kind of scheme would you
propose?

~~~
Xk
The key difference here is one between a message authentication code [1] and
digital signature [2].

A digital signature uses public key cryptography: one person can generate and
sign messages, everyone else can verify. A common one is DSA [3] -- but
there are many others, including freakishly fast elliptic curve versions.

[1] <http://en.wikipedia.org/wiki/Message_authentication_code>

[2] <http://en.wikipedia.org/wiki/Digital_signature>

[3] <http://en.wikipedia.org/wiki/Digital_Signature_Algorithm>
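daeken's point that anyone who can verify an HMAC can also produce one, and Xk's contrast with public-key signatures, as an added example that is not from the thread and is not Sony's protocol. The HMAC side mirrors the dongle check the thread describes, tag = HMAC-SHA1(master key, dongle ID), under a constructed key rather than the page's. The signature side is a textbook Schnorr signature over a toy prime-order subgroup of Z_227* (q = 113, generator 4); that group is hopelessly small and stands in for a real curve only to keep the code short. Function names and the issuer/console framing are the example's own.

```python
import hashlib
import hmac
import secrets

# ---------- symmetric: one shared secret does both jobs ----------

# Constructed demo key; NOT the key discussed in the thread.
MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233")


def hmac_issue(master_key, dongle_id):
    """Issuer side: derive the tag a dongle must present for its ID."""
    return hmac.new(master_key, dongle_id, hashlib.sha1).digest()


def hmac_verify(master_key, dongle_id, tag):
    """Console side. It needs the same master_key as hmac_issue, so whatever
    material the console holds to verify is also enough to issue: a key pulled
    out of one console mints tags for every console."""
    return hmac.compare_digest(hmac_issue(master_key, dongle_id), tag)


# ---------- asymmetric: Schnorr over a TOY group (insecure size) ----------

P_TOY, Q_TOY, G_TOY = 227, 113, 4   # P = 2Q + 1; G generates the order-Q subgroup


def _challenge(r, message):
    """e = H(r || m) reduced into the exponent group."""
    data = r.to_bytes(2, "big") + message
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q_TOY


def sig_keygen(x=None):
    """Private x stays at the signing center; only y = g^x is burned into consoles."""
    if x is None:
        x = secrets.randbelow(Q_TOY - 1) + 1
    return x, pow(G_TOY, x, P_TOY)


def sig_issue(x, dongle_id, k=None):
    """Issuer side: r = g^k, e = H(r || id), s = k - x*e mod q; signature is (e, s)."""
    if k is None:
        k = secrets.randbelow(Q_TOY - 1) + 1    # fresh nonce per signature
    r = pow(G_TOY, k, P_TOY)
    e = _challenge(r, dongle_id)
    return (e, (k - x * e) % Q_TOY)


def sig_verify(y, dongle_id, sig):
    """Console side: only the public y is needed. g^s * y^e = g^(k - xe) * g^(xe)
    = g^k = r, so recomputing the challenge from it must give e back."""
    e, s = sig
    if not (0 <= e < Q_TOY and 0 <= s < Q_TOY):
        return False
    r_prime = pow(G_TOY, s, P_TOY) * pow(y, e, P_TOY) % P_TOY
    return _challenge(r_prime, dongle_id) == e


def console_material(scheme, master_key=None, y=None):
    """What has to ship inside every console for verification to work."""
    if scheme == "hmac":
        return {"can_verify": True, "can_issue": True, "secret": master_key}
    return {"can_verify": True, "can_issue": False, "public": y}
```

The structural difference is visible in the last function: the HMAC console carries the issuing capability whether it wants to or not, while the signature console carries only `y` and cannot issue anything, so extracting its contents gains an attacker nothing beyond what a signed dongle already shows.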

~~~
aschobel
Thanks for the clarification, I guess folks (AWS) have gotten sloppy with
semantics.

------
buymorechuck
I've condensed the key generator into a bit of Python:

    import sys, hashlib, hmac

    # Python 3 form of the one-liner: HMAC-SHA1 of the dongle ID (hex on the
    # command line) under the master key, printed as hex.
    print(hmac.new(bytes.fromhex("46DCEAD317FE45D80923EB97E4956410D4CDB2C2"),
                   bytes.fromhex(sys.argv[1]), hashlib.sha1).hexdigest())

    # suitable for a t-shirt or something.

~~~
Corrado
Something like this?

<http://www.cafepress.com/UtopiaID>

------
phsr
What exactly does this mean? Running game backups?

~~~
y0ghur7_xxx
Essentially this will allow anyone to sign executables and run them on any
retail PS3 without the need for hardware modifications to the console.

~~~
mmastrac
Are you sure? I think that the PS3 uses real public-key crypto to sign the OS
all the way down from the initial boot. The best you could do with this is
load an alternate signed OS image (possibly an earlier one that is
exploitable).

I don't really know much about PS3 hacking, so this is all just a guess.

~~~
drivebyacct2
Uh, you have it backward. Since it's verified boot, you can't easily alter the
signed OS image. This is better as it allows individuals to sign executables
that will then execute natively in the regular OS.

This is how original Xbox and Xbox 360 softmods work. The regular OS boots and
either an exploit occurs in the font package, music player, MechAssault or
Splinter Cell (the latter two used for bootstrapping the former two), or on the
360 the Xbox is "rebooted" virtually to avoid the verified boot into an
alternative kernel that has signature checking removed.

Note, I know nothing about PS3 hacking either and am making assumptions based
on the connotations of the word "master key", "signing" and other comments
here along with my knowledge of xbox1/360 hacking.

~~~
mmastrac
I think you are mistaking what "master key" means here. They found the dongle
HMAC secret, which means that anyone can create a new dongle for getting into
service mode, which is apparently useful for downgrading to a different OS in
some cases, but has no utility outside of that.

It's not the master key for cryptographically signing executables or OS
images.

~~~
drivebyacct2
Well that's a downer.

~~~
mmastrac
I think I'm wrong! I think that they might have figured out the private keys.
Watching this now to learn more:

<http://www.youtube.com/watch?v=X6CA4fqAdsc>

I'll post more info once I've seen what they say.

EDIT: WOW! Okay, looks like they screwed up big time. They used the same
random number for all their signatures, which means that they effectively
leaked their private key for various bootloaders in the system. The chain of
trust is toast.

~~~
drivebyacct2
You're sending me on a roller coaster of emotions here, mmastrac! That's pretty
cool. I picked up a 360, modified it to play Reach and then sold it for over
twice what I paid. I need something new to mess around with; this could be
fun.

------
mmastrac
Interesting, although I don't know what it means exactly.

It looks like they use simple dongles for entering service mode. These dongles
are authenticated by an HMAC rather than public-key crypto (big mistake on
Sony's part).

------
yardie
So this means I'll have to sit through another 20-30 minute system update when
all I really want to do is play a game for 15 minutes (all the time I really
have for the PS3).

My PS3 is collecting dust because the AppleTV is a better media player and a
cheap PC with Steam installed is cheaper than a PS3 and just a few $70 game
discs.

------
kmfrk
This must feel like the biggest gut punch to PS3 developers.

