Any TLS server key compromises?
Anne & Lynn Wheeler
lynn at garlic.com
Mon Aug 16 15:54:45 EDT 2004
At 02:34 PM 8/12/2004, Marc Branchaud wrote:
>I've been wondering, has a TLS server (or client, for that matter) key
>ever actually been compromised? I don't think I've ever heard of one.
>I'm thinking of two possible avenues for compromise, and ignoring insider
>attacks. One is through defects in the protocol itself or its
>implementation. The other would be through a compromise of the server
>host (e.g. a buffer overflow in Apache) that allows the attacker to copy
>the TLS server's private key from the file system.
>It seems to me that in-the-wild attacks on the protocol or its
>implementation are unheard of.
>OTOH, we hear about server break-ins all the time. However, one never
>hears about these break-ins leading to a compromise of the server's key.
>Perhaps the server's private key isn't a really useful target? Although
>posession of the key makes it easy to spoof a secure server, actually
>doing that spoofing requires a secondary attack, like phishing or an
>active attack on the Internet, to redirect a user to the false server.
>So have there ever been any actual TLS private key compromises (through
>any non-insider attack)?
>If TLS private keys aren't attractive enough a target for them to be
>compromised even when the opportunity presents itself (as I'm assuming it
>has), then to what extent do these keys really need to be protected?
One of the issues is some prior implication that at least some of the
SSL/TLS port knocking was helping identify sites that might be indicative
of something to protect. Lets say somebody finds some really juicy
financial targets using the technique.
So the server is penetrated and the attacker is presented with two files
.... one with the private key .... and one with a million financial
transactions ... which are would they be more likely to take?
I would assert that the million financial transactions file .... yield
possibly couple hundred thousand accounts numbers that could then be used
directly in fraudulent transactions. The SSL/TLS private key just says that
you have to put in some evesdropper in on the server's SSL/TLS sessions,
decrypt the traffic and decide what it means. While it may be of some
academic interest ... it would seem that letting the server keep on doing
all that work for you ... and just harvesting the results ..... represents
a lot bigger return for effort.
Part of the issue is that the threat model for server file exploit is
frequently the same for the real data "at rest" and the private key file
(which is just protecting the real data while in transit) ... the actual,
real data can represent a lot higher immediate fraud potential. So lets say
the attacker does take
both files for the fun of it .... but likely won't get around to any
SSL/TLS evesdropping attacks until exhausting all the other financial fraud
possibilities (from already having a huge number of account numbers). Even
if they eventually exhaust any current crop of fraudulently harvested
account numbers ... they will likely try the same attack on another server
... before they possibly decide that SSL/TSL evesdropping attacks are worth
It is possible, the SSL/TSL private key file might be more attractive
target in non-financial sector circles (evesdropping for the sake of
evesdropping .... possibly for other than direct financial incentive).
You would probably start hearing about the client keylogger exploits
including any client private key file .... if client keys started being
used for any significant purposes .... aka current client keylogger
exploits are able to authenticate directly just from the pin/password key
capture. any change to private key operations would mean that the client
keylogger attacks would also need the private key file (with the
pin/password capture then being used to decrypt the private key file in
order to use the private key for authentication).
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography