New FREAK Attack Threatens Many SSL Clients
For the nth time in the last couple of years, security experts are warning about a new Internet-scale vulnerability, this time in some popular SSL clients. The flaw allows an attacker to force clients to downgrade to weakened ciphers and break their supposedly encrypted communications through a man-in-the-middle attack.
Researchers recently discovered that some SSL clients, including OpenSSL, will accept weak RSA keys, known as export-grade keys, without asking for those keys. Export-grade refers to 512-bit RSA keys, the key strength that was approved by the United States government for export overseas. This was an artifact from decades ago and it was thought that most servers and clients had long ago abandoned such weak ciphers.
"The export-grade RSA ciphers are the remains of a 1980s-vintage effort to weaken cryptography so that intelligence agencies would be able to monitor. This was done badly. So badly, that while the policies were ultimately scrapped, they're still hurting us today," cryptographer Matthew Green of Johns Hopkins University wrote in a blog post explaining the vulnerability and its consequences.
"The 512-bit export grade encryption was a compromise between dumb and dumber. In theory it was designed to ensure that the NSA would have the ability to 'access' communications, while allegedly providing crypto that was still 'good enough' for commercial use. Or if you prefer modern terms, think of it as the original 'golden master key'."
The vulnerability affects a variety of clients, most notably Apple's Safari browser. The bug was discovered by a large group of researchers from Microsoft Research and the French National Institute for Research in Computer Science and Control, and they found that given a server that supports export-grade ciphers and a client that accepts those weak keys, an attacker with a man-in-the-middle position could force a client to downgrade to the weak keys. He could then take the key and factor it, which researchers were able to do in about seven and a half hours, using Amazon EC2. And because it's resource-intensive to generate RSA keys, servers will generate one and re-use it indefinitely.
"What this means is that you can obtain that RSA key once, factor it, and break every session you can get your 'man in the middle' mitts on until the server goes down. And that's the ballgame," Green said.
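The downgrade described above leaves a visible trace in the handshake itself: the ServerHello the client accepts names an export-grade RSA_EXPORT cipher suite that the client's own ClientHello never offered. The following Python is an added illustration written for this article, not code from the researchers, Green, or any affected project. It parses the cipher-suite fields of a TLS ClientHello and ServerHello (handshake messages only, without the outer record layer), compares what was offered with what was selected, and flags an export-grade selection, with the strongest verdict when the chosen suite was never offered. The message builders and the byte values they produce are constructed sample data; the cipher suite identifiers are the IANA-registered values for the export suites.

```python
import struct

# IANA TLS cipher suite ids for the export-grade (40-bit / 512-bit) suites.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}


def _handshake(msg_type, body):
    # TLS handshake header: 1-byte message type + 3-byte body length.
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def build_client_hello(suites, version=(3, 1)):
    # Constructed sample ClientHello (TLS 1.0 layout, no extensions).
    body = bytes(version) + b"\x11" * 32          # version + 32-byte random
    body += b"\x00"                               # empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                           # one compression method: null
    return _handshake(0x01, body)


def build_server_hello(suite, version=(3, 1)):
    # Constructed sample ServerHello selecting a single cipher suite.
    body = bytes(version) + b"\x22" * 32          # version + 32-byte random
    body += b"\x00"                               # empty session id
    body += struct.pack("!H", suite)              # the chosen suite
    body += b"\x00"                               # compression: null
    return _handshake(0x02, body)


def parse_client_hello(msg):
    # Returns the list of cipher suite ids the client offered.
    msg_type, length = msg[0], int.from_bytes(msg[1:4], "big")
    if msg_type != 0x01 or len(msg) < 4 + length:
        raise ValueError("not a complete ClientHello")
    pos = 4 + 2 + 32                              # skip header, version, random
    sid_len = msg[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", msg[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(msg):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack("!H", msg[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def parse_server_hello(msg):
    # Returns the single cipher suite id the server selected.
    msg_type, length = msg[0], int.from_bytes(msg[1:4], "big")
    if msg_type != 0x02 or len(msg) < 4 + length:
        raise ValueError("not a complete ServerHello")
    pos = 4 + 2 + 32
    sid_len = msg[pos]
    pos += 1 + sid_len
    return struct.unpack("!H", msg[pos:pos + 2])[0]


def assess_handshake(client_hello, server_hello):
    # Compare offered vs. chosen suites as a passive sensor on the client
    # side would see them. "downgrade" is the FREAK signature: an export
    # suite selected although the client never offered one.
    offered = parse_client_hello(client_hello)
    chosen = parse_server_hello(server_hello)
    if chosen in EXPORT_SUITES and chosen not in offered:
        verdict = "downgrade"
    elif chosen in EXPORT_SUITES:
        verdict = "export"       # client offered it; weak but not forced
    elif chosen not in offered:
        verdict = "mismatch"     # non-export, yet not offered: still wrong
    else:
        verdict = "ok"
    return {"chosen": chosen, "name": EXPORT_SUITES.get(chosen, "non-export suite"),
            "verdict": verdict}


if __name__ == "__main__":
    # Client offers only AES suites (0x002F, 0x0035); server answers twice.
    ch = build_client_hello([0x002F, 0x0035])
    for suite in (0x002F, 0x0003):
        print(assess_handshake(ch, build_server_hello(suite)))
```

A client that honours its own offer list rejects the "downgrade" case outright; the fix for the affected clients was exactly that check, plus refusing a ServerKeyExchange carrying a temporary RSA key when the negotiated suite is not an export suite. On the server side, the lasting mitigation is simply not to enable any suite in the table above.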
The number of vulnerable servers is not insignificant. Researchers at the University of Michigan found that 36.7 percent of browser-trusted sites are vulnerable to this attack, which is being called FREAK, for factoring related attack on RSA keys. But experts say that, in practice, the attack may not be much of an imminent danger.
"In practice, I don't think this is a terribly big issue, but only because you have to have many 'ducks in a row': 1) find a vulnerable server that offers export cipher suites; 2) it should reuse a key for a long time; 3) break key; 4) find vulnerable client; 5) attack via MITM (easy to do on a local network or wifi; not so easy otherwise)," said Ivan Ristic of Qualys.
But, as Green points out, objects on the Internet are often worse than they appear.
"No matter how bad you think the Internet is, it can always surprise you. The surprise in this case is that export-grade RSA is by no means as extinct as we thought it was," he said.