The many failures of the PS3 Encryption
PS3 Overview
- Its a Video Game system
- Released in 2006
-
It runs on a modified version of linux
1st Failure
USB
- The thing you cant seem to plugin correctly the first time
- The PS3 has a recovery mode which allows a Operating System loaded over USB
- This is how Sony fixes broken PS3's in its factory
So why can't I also do that?
The Operating System that is sent over USB is encrypted with a Symmetric Key.
Cryptography 101
- Symmetric Key: encrypting and decrypting data use the same key.
- If you find a key for decryption you can use it to encrypt data.
- If you find a key for encryption you can use it to decrypt data.
How to Find Sony's Key
- On Sony's Servers
- On Sony's developers computers
- On the PS3
Now anyone can push an OS to the PS3
2nd Failure
PS3 Programs
- Linux biased programs
- Before the program is run it is checked that it has been authorized by Sony
- This Prevents unauthorized programs from running
- This is done by a Cryptographic Signature
- Cryptographic Signature are created using Asymmetric Keys
Cryptography 102
- Asymmetric Keys: Encrypting and decrypting data uses different keys
- These keys are related to each other and are inverses
- If you know the Decryption Key you also know the Encryption Key
- But If you know the Encryption Key you don't know the Decryption key
- Decryption Key as Private Key
- Encryption Key as Public Key
Cryptography 103
- Cryptographic Signature: A way that you can trust the origin or validity of data.
- Creating a Signature is done by using the Decryption Key on the some message.
- signature = Decryption(message, ...)
- This can be verified using the corresponding Encryption Key
- Encrypting the Signature gets back the original message
- message = Encryption(Decryption(message, ...))
- message = Encryption(signature, ...)
Sony's Signature
- Uses Elliptic Curve Digital Signature Algorithm (ECDSA)
- This algorithm needs a large random number to generate a secure signature.
- Sign(random_number, message, sony_private_key) = random_output, signature
- This is only secure when random_number is unique on for every message
- If random_number is repeated on two different messages everything is broken.
So what did Sony do?
They Fucked it up
Warning Math
Getting the Random Number
random_output1=(random_number1∗G)signature1=(random_output1∗private_key)+message1)/random_number1
random\_output_1 = (random\_number_1 * G)
\newline
signature_1 = (random\_output_1 * private\_key) + message_1) / random\_number_1
random_output2=(random_number2∗G)=random_output1signature2=((random_output2∗private_key)+message2)/random_number2
random\_output_2 = (random\_number_2 * G) = random\_output_1
\newline
signature_2 = ((random\_output_2 * private\_key) + message_2) /random\_number_2
signature1−signature2=random_number(random_output1∗singing_key)+message1−random_number(random_output2∗singing_key)+message2
\begin{aligned}
signature_1 - signature_2 &= \dfrac{(random\_output_1 * singing\_key) + message_1}{random\_number} - \\
& \dfrac{(random\_output_2 * singing\_key) + message_2}{random\_number}
\end{aligned}
=random_number(random_output1∗signing_key)−(random_output2∗singing_key)+message1−message2=random_numbermessage1−message2
\begin{aligned}
&= \dfrac{(random\_output_1 * signing\_key) - (random\_output_2 * singing\_key) + message_1 - message_2}{random\_number} \\
& =\dfrac{ message_1 - message_2}{random\_number}
\end{aligned}
random_number=signature1−signature2message1−message2
\begin{aligned}
random\_number &= \dfrac{message_1 - message_2}{signature_1 - signature_2}
\end{aligned}
Getting Sony Signing Key
signing_key=random_output1random_number∗signature1−message1=random_output1message1∗signature2−message2∗signature1=random_output1signature1∗signature1−signature2message1−message2−message1=random_output11−signature2message1−message2−message1=random_output11−signature2message1−message2−1−signature2message1−message1∗signature2)=random_output1−signature2message1∗signature2−message2
\begin{aligned}
signing\_key &= \dfrac{random\_number * signature_1 - message_1}{random\_output_1} \\
& = \dfrac{message_1 * signature_2 - message_2 * signature_1}{random\_output_1} \\
& = \dfrac{signature_1 * \dfrac{message_1 - message_2}{signature_1 - signature_2} - message_1}{random\_output_1} \\
& = \dfrac{\dfrac{message_1 - message_2}{1 - signature_2} - message_1}{random\_output_1} \\
& = \dfrac{\dfrac{message_1 - message_2}{1 - signature_2} - \dfrac{message_1 - message_1 * signature_2)}{1 - signature_2}}{random\_output_1} \\
& = \dfrac{ message_1 * signature_2 - message_2}{random\_output_1 - signature_2} \\
\end{aligned}
signing_key=random_output1−signature2message1∗signature2−message2
\begin{aligned}
signing\_key &= \dfrac{ message_1 * signature_2 - message_2}{random\_output_1 - signature_2} \\
\end{aligned}
No notes on this slide.
The many failures of the PS3 Encryption