1

I'm trying to intercept an SSLv3 connection between a PlayStation 3 client and an authentication server of an outdated game to reverse engineer its protocol.

I already tried to set up a simple MITM attack and copied every value from the original certificate. However, the client immediately drops the connection. I'm assuming the binary compares more than just the common fields. But it doesn't seem to validate the certificate to a CA because the PS3 does not contain the used CA (probably a custom one by the publisher) as it seems. If I open a connection via PS3's browser it throws a cert-error.

I created a broken certificate by running `openssl genrsa -3 -out fake.key 512` to match the original server's cert first and replacing my public key with the public key of the original cert. Obviously this won't work because the public/private-pair is broken, nevertheless I generated the cert and signed the original cert with my private key. This resulted in a certificate with identical public keys I could use for my proxy server (PS3 -> my_fake_server -> official server).

The interesting part is that the client didn't drop the connection with this faked cert. I could see in Wireshark that it continues with the handshake (because it seems to "just" compare the public key and the common fields) and fails because of the broken pair. However, this is not the client dropping the connection but the OpenSSL implementation failing with `bad_record_mac` which could indicate that the server is using a non-matching pair [1], which in fact is true.

But this makes me wonder if I could counter this error and successfully intercept the connection if I could generate a pair that is valid but contains the same public key? Could that work? How likely is it to force a collision on a 512-bit key? Are there other options I could use to succeed?

me123
  • 4
    Does this answer your question? [What are the odds of an RSA private key collision?](https://security.stackexchange.com/questions/70693/what-are-the-odds-of-an-rsa-private-key-collision) – nobody Aug 08 '20 at 14:30
  • 1
    Actually I'm not looking for a private key collision but for two private keys (where one is the original and the other is mine) that share the same public key. [More related to this.](https://crypto.stackexchange.com/questions/2516/can-two-different-pairs-of-rsa-key-have-the-same-modulus) – me123 Aug 08 '20 at 14:44
  • 3
    How do you know the game uses public key pinning? It could also be leaf certificate pinning by an included cert or by a hash, or root CA pinning, or the root CA certificate has just been included in the game. – Robert Aug 08 '20 at 19:12
  • 1
    I don't really know, it's just a guess. But I really appreciate your comment to have more keywords to investigate, thanks! – me123 Aug 08 '20 at 19:28

1 Answer

2

> Actually I'm not looking for a private key collision but for two private keys (where one is the original and the other is mine) that share the same public key.

For RSA, every private key corresponds to exactly one public key, so this is not possible. For more information, see these questions:

Of course, TLS is specifically designed to be hard to MitM. There are usually a couple of options to intercept it anyways:

  • Modify the client. Change the binary, use Frida or a debugger to change the certificate validation logic.
  • Install a custom CA certificate as trusted. Create a CA certificate and configure the OS to trust this certificate.
Sjoerd
  • Unfortunately, the PS3 is hard to inject CAs if you want to use official firmware, which is necessary if you want to go online. There is a patch for the PC version though that helps a lot, because all games of the franchise use the same protocol as it seems, but PS3 authentication seems to be different and I'm having a hard time debugging it. – me123 Aug 08 '20 at 19:31
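
Why a certificate carrying someone else's public key gets through the certificate check but still ends in `bad_record_mac`, as an added example that is not part of the original question or answer: a toy RSA key exchange in Python. It assumes the connection uses RSA key exchange; the primes, the function names and the SHA-256 stand-in for key derivation are constructed for illustration.

```python
import hashlib

E = 3  # public exponent, matching the `-3` in `openssl genrsa -3`

def make_key(p, q, e=E):
    """Toy RSA key from two primes. Returns (n, e, d); n and e are fixed by p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi)

def key_matches_cert(cert_n, key_n):
    """A private key fits a certificate only when both carry the same modulus."""
    return cert_n == key_n

def derive(pre_master):
    """Stand-in for the key derivation: both peers hash the pre-master secret."""
    return hashlib.sha256(pre_master.to_bytes(8, "big")).hexdigest()

def handshake(cert_n, cert_e, key_n, key_d, pre_master):
    """Client encrypts to the certificate's key; server decrypts with its own key.
    Returns True when both ends derive the same keys, i.e. the record MAC would verify."""
    ciphertext = pow(pre_master, cert_e, cert_n)   # ClientKeyExchange
    recovered = pow(ciphertext, key_d, key_n)      # server-side RSA decryption
    return derive(pre_master) == derive(recovered)

# Constructed toy primes (a real 512-bit key uses two 256-bit primes).
ORIG_N, _, ORIG_D = make_key(1013, 1019)    # stands in for the official server's key
PROXY_N, _, PROXY_D = make_key(1031, 1049)  # stands in for the proxy's own key

if __name__ == "__main__":
    pm = 1000  # constructed pre-master secret
    print("matching pair :", handshake(ORIG_N, E, ORIG_N, ORIG_D, pm))
    print("swapped pubkey:", handshake(ORIG_N, E, PROXY_N, PROXY_D, pm))
    print("pre-flight    :", key_matches_cert(ORIG_N, PROXY_N))
```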