Swiss Researchers Find A Hole In SSL
Vin McLellan
vin at theworld.com
Thu Feb 20 23:35:40 EST 2003
Slashdot has posted an update and an informative note from Paul Kocher.
_Vin
------------------
<http://slashdot.org/articles/03/02/20/1956229.shtml?tid=93&tid=172>
Posted by timothy on Thursday February 20, @03:13PM
from the there's-holes-in-everything-over-there dept.
in4mation writes "The folks at LASEC have found a flaw in the SSL protocol.
Quoting Professor Serge Vaudenay from a BBC article the security problem is
in 'the SSL protocol itself and not in how we use it or how we implement
it.' Apparently the flow only affects webmail and not banking or credit
card payments and took less than an hour (160 attempts) to crack."
Update: 02/20 20:52 GMT by T:
Kurt Seifried writes to say that this is almost exactly wrong: "The flaw is
in IMPLEMENTATION, NOT THE PROTOCOL. Due to the way error checks are
handled an attacker can find out which error condition occurred by
measuring the response. The solution is trivial, a path that forces OpenSSL
to do the second check even if the first one fails, thus denying the remote
attacker any information as to which exact error condition occurred." He
includes a link to the security advisory at openssl.org. Update: 02/20
21:49 GMT by T: Read on below for some more information from SSL 3.0
designer Paul Kocher.
----------------------
Kocher, President & Chief Scientist of Cryptography Research, Inc., writes:
The referenced paper (http://lasecwww.epfl.ch/memo_ssl.shtml) describes how
timing variations in SSL/TLS implementations can be used in certain
situations to slowly gather information about encrypted data. If the
certain conditions are met, the attacker can decrypt some information from
the message (e.g., a password). Strictly speaking, the fact that
implementations reveal sensitive information in timing channels is an
implementation issue, not a flaw in the underlying cryptographic protocol.
This doesn't make the issue unimportant, however, and timing attacks are
big deal for implementers because they are easy to introduce, notoriously
tricky to detect, and often difficult to eliminate.
Answers to general questions:
1. Is it still okay to send my credit card number over SSL? Yes. This
attack is not applicable to web shopping and there are much easier ways
that fraudsters steal credit card information (e.g., breaking into
merchants' web sites -- a problem that SSL can't solve). In any case, the
bank is generally responsible if someone steals your card info.
2. Is the paper "real" or another bogus "I broke SSL" claim? The paper is
legit. The Slashdot announcement suggests that SSL itself is broken,
however, which is a bit misleading.
2. Is this a practical attack to exploit? Cryptographers need to be
paranoid about unexpected situations. As a result, attacks can be important
even if they are not practical to exploit under real- world conditions. The
attack described in this paper is similar; while there are quite a few
preconditions for mounting the attack, this does not make the research
unimportant or mean that people should ignore the work. Specific
requirements to mount the attack include:
* The session has to use CBC mode. The vast majority of SSL
connections use RC4, for which the attack is not applicable. Because of the
algorithm negotiation used in SSL/TLS is secured in the initial handshake,
man-in-the- middle attackers should not be able affect the outcome of the
algorithm selection process.
* The attacker has to act as an active man-in-the-middle attacker.
Passive eavesdropping is not sufficient.
* The server's SSL implementation has to be vulnerable (see #3 below).
The protocol also has to be oblivious to repeated failures.
* The target protocol also has to have some very specific
characteristics that allow the adversary to form the right kinds of
messages. For most uses of SSL (e.g., normal web browsing), this type of
attack does not generally apply.
3. Can affected implementations be fixed? Yes. OpenSSL has been updated
(http://www.openssl.org/news/secadv_20030219.txt). For more information,
also see http://www.openssl.org/~bodo/tls-cbc.txt. I don't know what other
vendors/projects are doing.
4. Is this an issue for the client or the server? Normally, this would only
be an issue for the "server" (i.e., the party that receives the connection
request), since normal SSL clients don't automatically large numbers of
connections.
A couple of final comments:
I'm constantly amazed by the number of ways that it's possible to screw up
security. Overall, SSL 3.0 seems to have aged well, but I wish I'd done a
better job of handling errors in the design. In particular, error handling
was involved in both of the attacks against SSL that I consider
non-obvious, notably Bleichenbacher's attack and CBC-padding attacks such
as this one. While these types of attacks weren't known when I was
designing SSL 3.0, I generally wish I'd provided less information in error
messages.
Finally, I also want to give thanks everyone who has helped to study SSL's
security, contributed to implementations, and helped shepherd it through
the standards processes."
"Cryptography is like literacy in the Dark Ages. Infinitely potent, for
good and ill... yet basically an intellectual construct, an idea, which by
its nature will resist efforts to restrict it to bureaucrats and others who
deem only themselves worthy of such Privilege."
_ A Thinking Man's Creed for Crypto _vbm.
* Vin McLellan + The Privacy Guild + <vin at theworld.com> *
22 Beacon St., Chelsea, MA 02150-2672 USA
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list