[Cryptography] FREAK attack

Jerry Leichter leichter at lrw.com
Wed Mar 4 18:19:32 EST 2015


On Mar 4, 2015, at 4:13 PM, Tom Mitchell <mitch at niftyegg.com> wrote:
> Latest attack on SSL, affecting some huge percentage of both servers and clients:  https://freakattack.com/
> More than anything MITM services at Starbucks, hotels, Lenovo Laptop s*&@$
> should be squashed at all levels (moral and legal).
For some reason people seem to be concentrating on the MITM aspect.  Just to make clear what happens:  This is a MITM attack *against the initial protocol negotiation*.  This is necessarily done in the clear, as by its nature it occurs before the peers have decided how they'll encrypt.  The attacker takes one of the messages and replaces it to say "I want to use RSA_Export".  The recipient - and this is the bug - says "Oh, OK, I can do that" - even though it never offered to use RSA_Export.  (In effect, when you think you're configuring *allowed* ciphers, what you're really doing is configuring *offered* ciphers.  But a bad peer - or someone in the middle playing with the negotiation - can cause your SSL implementation to use one of your "not allowed" ciphers.)

In the specific attack, the two ends "agree" on RSA_Export - RSA with 512-bit keys.  These are readily attackable today - a couple of hours and $100 on AWS.  That's bad enough, but it turns out that some common server implementations "save CPU" by re-using the RSA base for long periods of time.  Factor and many sessions are open to you.

                                                        -- Jerry
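The negotiation bug described above, modelled as an added example (not code from the list or from any TLS library): a toy client-side check that only continues a handshake when the server's choice is consistent with the suites the client actually offered and with what that suite calls for. The cipher-suite IDs are the real IANA values; the server, the tampering step and the key sizes are constructed.

```python
# Toy model of the TLS cipher-suite negotiation that FREAK abuses. Constructed
# example: the suite IDs are real IANA values, everything else is a stand-in.
from dataclasses import dataclass
from typing import Optional

TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F      # full-strength RSA key exchange
TLS_RSA_EXPORT_WITH_RC4_40_MD5 = 0x0003    # 1990s export suite: 512-bit RSA
EXPORT_SUITES = {TLS_RSA_EXPORT_WITH_RC4_40_MD5, 0x0008}   # 0x0008: EXPORT_DES40

CLIENT_OFFER = [TLS_RSA_WITH_AES_128_CBC_SHA]   # what the client is *allowed* to use


@dataclass
class ServerResponse:
    cipher_suite: int                   # suite named in the ServerHello
    ephemeral_rsa_bits: Optional[int]   # RSA key carried in ServerKeyExchange, if any


def vulnerable_client(offered, resp):
    """Pre-fix behaviour: trusts whatever the server picked and encrypts the
    pre-master secret under any RSA key it is handed, 512-bit ones included."""
    return resp.ephemeral_rsa_bits is None or resp.ephemeral_rsa_bits >= 512


def hardened_client(offered, resp):
    """Configured suites are treated as *allowed*, not merely *offered*."""
    if resp.cipher_suite not in offered:
        return False      # server "agreed" to a suite we never offered
    if resp.cipher_suite not in EXPORT_SUITES and resp.ephemeral_rsa_bits is not None:
        return False      # a non-export RSA suite must not carry a temporary RSA key
    return True


def server(offered):
    """Server that still honours export suites (the server-side half of FREAK)."""
    if TLS_RSA_WITH_AES_128_CBC_SHA in offered:
        return ServerResponse(TLS_RSA_WITH_AES_128_CBC_SHA, None)
    if any(s in EXPORT_SUITES for s in offered):
        return ServerResponse(TLS_RSA_EXPORT_WITH_RC4_40_MD5, 512)   # reused 512-bit key
    raise ValueError("no shared cipher suite")


def handshake(client_check, tampered):
    """Run one negotiation. 'tampered' models the in-path party from the mail
    rewriting the offer to export-only and then relabelling the server's reply."""
    seen_by_server = [TLS_RSA_EXPORT_WITH_RC4_40_MD5] if tampered else CLIENT_OFFER
    resp = server(seen_by_server)
    if tampered:   # strong suite name goes back on, the 512-bit key stays
        resp = ServerResponse(TLS_RSA_WITH_AES_128_CBC_SHA, resp.ephemeral_rsa_bits)
    return client_check(CLIENT_OFFER, resp)
```

Only the hardened client refuses the tampered run; the untampered run succeeds for both, so the check costs nothing on honest connections.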
