EPFL report warns of SSL security flaw


HTTPS security might not be as secure as previously thought, according to a report by researchers at the EPFL.

A team of researchers at the École Polytechnique Fédérale de Lausanne (EPFL) has released a report which claims to have found tens of thousands of SSL certificates which provide effectively no security at all, thanks to inadequate random number generation algorithms.

According to the Electronic Frontier Foundation's analysis of the report, which used data from the EFF's SSL Observatory project, it's a serious problem. 'In all cases, a weak key would allow an eavesdropper on the network to learn confidential information, such as passwords or the content of messages, exchanged with a vulnerable server,' the EFF's Dan Auerbach and Peter Eckersley warn.

'Secondly, unless servers were configured to use perfect forward secrecy, sophisticated attackers could extract passwords and data from stored copies of previous encrypted sessions. Thirdly, attackers could use man-in-the-middle or server impersonation attacks to inject malicious data into encrypted sessions.'

The report, entitled 'Ron [Rivest] was wrong, Whit [Diffie] is right' and authored by a team from the EPFL led by Arjen Lenstra, claims that around two out of every one thousand RSA public keys collected during the research 'offer no security.'

While a 99.8 per cent security rating may seem impressive, the RSA public key cryptography system is incredibly widespread. Developed in the 70s by Ron Rivest, Adi Shamir and Leonard Adleman - the R, S and A of RSA - it underpins the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) used by almost every secure website in the world. It's used by banks, online shops, digital distribution services and even voice-over-IP (VoIP) systems to protect credit card details, passwords and other personal data.

As a result, 99.8 per cent isn't good enough, the team argues. 'Our conclusion is that the validity of the assumption [that different random choices are made each time keys are generated] is questionable and that generating keys in the real world for "multiple-secrets" cryptosystems such as RSA is significantly riskier than for "single-secret" ones such as ElGamal or (EC)DSA which are based on Diffie-Hellman.'
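The 'multiple-secrets' risk the team describes is mechanical: an RSA modulus is the product of two secret primes, so if weak randomness makes two key generators pick the same prime, the gcd of the two moduli returns it and both keys factor instantly. The script below is an added illustration of the audit a certificate operator can run over their own key inventory; it is not the EPFL team's or the EFF's tooling, and the primes and moduli it uses are constructed and far too small to be real keys.

```python
"""Audit a batch of RSA moduli for shared prime factors (defender's check).

Added example, not the EPFL/EFF code. Real auditing feeds in moduli pulled
from actual certificates; the values here are constructed for an offline run.
"""
from itertools import combinations
from math import gcd

# Constructed sample primes (toy sizes; real RSA primes are ~1024 bits).
P1, P2, P3, P4, P5, P6, P7 = (104729, 1299709, 15485863, 32452843,
                              49979687, 67867967, 86028121)


def scan_shared_factors(moduli):
    """Return (weak, duplicates) for a list of RSA moduli.

    weak       -- {index: (p, q)} for every modulus that shares a prime with
                  another modulus; the shared prime factors both keys.
    duplicates -- set of indexes whose modulus appears more than once (the
                  same key re-used; gcd gives no factor, but it is still a
                  finding worth reporting).

    Pairwise gcd is O(k^2) in the number of keys; the EPFL study used a
    batch-GCD product tree to do the same job over millions of keys.
    """
    weak, duplicates = {}, set()
    for (i, n1), (j, n2) in combinations(enumerate(moduli), 2):
        g = gcd(n1, n2)
        if g == n1 == n2:              # identical modulus: key re-use
            duplicates.update((i, j))
        elif g > 1:                    # proper common factor: both broken
            weak[i] = (g, n1 // g)
            weak[j] = (g, n2 // g)
    return weak, duplicates


def constructed_inventory():
    """Five moduli as a scanner might collect them (constructed sample).

    Keys 1 and 3 share P3 (a bad-RNG collision); key 4 duplicates key 0.
    """
    return [P1 * P2, P3 * P4, P5 * P6, P3 * P7, P1 * P2]


if __name__ == "__main__":
    weak_keys, dup_keys = scan_shared_factors(constructed_inventory())
    for idx, (p, q) in sorted(weak_keys.items()):
        print(f"key {idx}: factored, p={p} q={q}")
    print("duplicate moduli at indexes:", sorted(dup_keys))
```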

The EFF claims that the conclusion is both valid and concerning. 'Given the seriousness of these problems, EFF will be working around the clock with the EPFL group to warn the operators of servers that are affected by this vulnerability, and encourage them to switch to new keys as soon as possible,' the group claimed.

'We are very alarmed by this development. In addition to notifying website operators, Certificate Authorities, and browser vendors, we also hope that the full set of RNG bugs that are causing these problems can be quickly found and patched. Ensuring a secure and robust public key infrastructure is vital to the security and privacy of individuals and organisations everywhere.'

The team's full report can be downloaded in PDF format for review.


r3loaded 15th February 2012, 15:53
Sounds like the CAs either weren't using the right RNG or using one that was dodgy. Ideally, they should use some sort of hardware-based generator (like the ones in Sandy Bridge CPUs), or even do something like hooking up an aerial tuned to receive cosmic background radiation to generate random numbers.
TheKrumpet 15th February 2012, 21:35
The problem is a computer is completely incapable of generating true random numbers. It doesn't have the reasoning to pick one out of thin air, so we have to use a number to seed it. And that almost always means it can be guessed.

@r3loaded: You can't tell them to use an RNG in a specific chip for a worldwide standard. Everyone would have to convert to Sandy Bridge for it to work, which isn't feasible. We therefore have to rely on something which is common to every computer, which limits the scope of what can be used somewhat.
thehippoz 15th February 2012, 22:49
well moxie wrote ssl sniff but stripping is pretty easy if the network allows man in the middle attacks.. most people don't even look to see if they are secure though

you can get the bank account numbers, all passwords you think are secure through ssl can be passed to the attacker in clear text by poisoning the arp and then stripping the encryption before it is sent to the victim.. now everything inputted by the victim comes back to the attacker in plain text- no need for any shenanigans

it's a very easy attack to pull off.. one of my favorites is spoofing though.. run an apache server and make sure errordocument 404 is forwarded to a page you wrote in httpd.conf.. then poison the arp and redirect all pages to your server.. monitoring is done the same way

the thing is.. you can stop man in the middle if you set up the network to prepare for this type of attack.. I've defeated it on my own home network and everyone else can too.. just in an age of plug and play- not to mention the recent attacks on wps, which made hacking long wpa/wpa2 passwords easy.. getting into a home lan isn't really that difficult anymore for practically anyone (but console gamers- they are a lost cause)

my 6970 does 95k/s in pyrit by itself.. that translates to a billion pass phrases in 3 hours without pre-generated rainbow tables.. with custom code written to target specific types of routers.. there's a high percentage of breaking it.. even a script kiddie could do it with reaver nowadays too

just to show how simple it is to break into a wps enabled network.. I installed reaver 1.4 when I got back from michigan (been away for a couple months) and did this within an hour- after a few tweaks

that's less than 2 and a half hours to recover the psk.. the scary part is now that you have the pin, it doesn't matter if the guy changes his password.. you just use the pin to get the new pass whenever you want it :D

I don't really see how hackers get caught.. it's just loose lips and who you know I guess- I do it for a hobby here and like to write my own.. there are ways to protect yourself though- like separating your dhcp server from the gateway and running the wired part where you want rigs to be secure static.. there's plenty of advice on wireless security- just too many people who don't care

this I really don't see as that big of a problem.. maybe companies who don't use encryption to communicate on top of ssl

you probably have guys though sending company secrets through hotmail