[ISN] 'Severe' OpenSSL vuln busts public key crypto

From: InfoSec News <alerts_at_private>
Date: Fri, 5 Mar 2010 02:43:52 -0600 (CST)

By Dan Goodin in San Francisco 
The Register
4th March 2010 

Computer scientists say they've discovered a "severe vulnerability" in 
the world's most widely used software encryption package that allows 
them to retrieve a machine's secret cryptographic key.

The bug in the OpenSSL cryptographic library is significant because the 
open-source package is used to protect sensitive data in countless 
applications and operating systems throughout the world. Although the 
attack technique is difficult to carry out, it could eventually be 
applied to a wide variety of devices, particularly media players and 
smartphones with anti-copying mechanisms.

"Wherever you need to verify the origin of a piece of software or a 
piece of information, those building blocks come in handy," said Karsten 
Nohl, an independent security researcher who in unrelated attacks has 
broken encryption in widely used smartcards and cordless phones. "The 
OpenSSL library provides much more than just SSL."

The scientists, from the University of Michigan's electrical engineering 
and computer science departments, said the bug is easily fixed by 
applying cryptographic "salt" to an underlying error-checking algorithm. 
The additional randomization would make the attack infeasible.

Received on Fri Mar 05 2010 - 00:43:52 PST