http://www.c2.net/products/stronghold/support/PKCS1.php

Background

Last week, RSA Data Security notified C2Net Software of a potential vulnerability that affects the SSL protocol. C2Net Software has developed a pre-emptive patch which is implemented in the latest version of Stronghold 2.3. This document is intended to address questions C2Net customers may have about the implications of that discovery for their own site.

Technical information

This vulnerability involves a chosen ciphertext attack discovered by researcher Daniel Bleichenbacher at Bell Labs against interactive key establishment protocols that use PKCS1, such as SSL. It can result in the compromise of the session key used for a particular session after repeatedly sending approximately one million carefully constructed messages and observing the server's response. Please see our press release and advisory for additional details. RSA Labs brought this attack to our attention and their site contains a more technical overview. CERT will also issue a bulletin, as will a number of other web server vendors.

What does it mean?

There is potential for a sophisticated user to be able to decrypt a recorded session's session key and use that to obtain the data transmitted during that session, if they have access to a server they can use to send approximately one million carefully selected messages to your server and see what errors it reports. Note that this attack has to be repeated approximately a million times for each and every session that an attacker wishes to compromise, because the server's private key remains uncompromised as a result of this attack.

How can I tell if I'm being attacked?
For each of the approximately 1 million messages necessary to attack a single session, the following 3 lines will be logged in your ssl/error_log file:

1575:error:0407006B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02:rsa_pk1.c:207
1575:error:04064072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed:rsa_eay.c:330
1575:error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt:s3_srvr.c:1259

NOTE that this equates to about 300MB for an attack on a single session. Although running out of space on the partition your log files are written to could definitely be an indication, we suggest keeping an eye out for any unusual growth in the size of this file.

What can I do to protect myself?

This vulnerability has only been reported in a research environment and there have not been reports of sites experiencing this attack outside of that. However, the publication of this type of vulnerability may enable sophisticated users to implement it. Customers are urged to upgrade as a precaution to the latest version of Stronghold 2.3, which supports this fix as of build 2010 for customers in the US/Canada and build 2051 for customers elsewhere. You can determine which version you are running from the output of httpsd -v.

What other vendors/products are affected?

All major vendors have announced that they are working on patched versions of their web server products to combat this potential vulnerability. This vulnerability is not limited to web servers. Products using SSL to do secure tunneling, for example, may also be affected.

Sites with other information:

http://www.rsa.com/rsalabs/
http://www.ssleay.org/announce/pkcs1.html
http://www.microsoft.com/security/bulletins/ms98-002.htm
http://www.openmarket.com/security/
http://help.netscape.com/products/server/ssldiscovery/
http://www.consensus.com/ssl-rsa.html
ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/README.PKCS1
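The "How can I tell if I'm being attacked?" section above says each probe leaves the same three-line sequence in ssl/error_log. The following is an added example (not C2Net's or Stronghold's own code) of a detector that counts completed sequences per server process, so that a sustained stream of "bad rsa decrypt" errors can be flagged long before the log reaches hundreds of megabytes; the sample log lines are constructed, and the alert threshold is an assumed operational value.

```python
import re
from collections import defaultdict

# The three lines SSLeay writes to ssl/error_log for every rejected PKCS#1 block
# (function:reason pairs quoted from the advisory above), in the order they appear.
TRIPLET = (
    ("RSA_padding_check_PKCS1_type_2", "block type is not 02"),
    ("RSA_EAY_PRIVATE_DECRYPT", "padding check failed"),
    ("SSL3_GET_CLIENT_KEY_EXCHANGE", "bad rsa decrypt"),
)

# SSLeay error-log line layout: pid:error:code:library:function:reason:file:line
LINE_RE = re.compile(r"^(\d+):error:[0-9A-Fa-f]+:[^:]*:([^:]*):([^:]*):")

# Constructed sample: two complete triplets from pid 1575 (one interleaved with an
# unrelated error from pid 1576), an incomplete triplet from pid 1577, and a junk line.
SAMPLE_LOG = """\
1575:error:0407006B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02:rsa_pk1.c:207
1575:error:04064072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed:rsa_eay.c:330
1576:error:00000000:constructed lib:constructed_func:unrelated noise line:noise.c:1
1575:error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt:s3_srvr.c:1259
1577:error:0407006B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02:rsa_pk1.c:207
1577:error:04064072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed:rsa_eay.c:330
1575:error:0407006B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02:rsa_pk1.c:207
1575:error:04064072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed:rsa_eay.c:330
1575:error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt:s3_srvr.c:1259
not an error line at all
"""


def count_rejected_blocks(log_text):
    """Return {pid: completed 'bad rsa decrypt' triplets}; a triplet only counts when
    all three lines appear in order for the same pid (other pids may interleave)."""
    progress = defaultdict(int)  # pid -> index of the next expected triplet line
    counts = defaultdict(int)    # pid -> completed triplets
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, func, reason = m.groups()
        if (func, reason) == TRIPLET[progress[pid]]:
            progress[pid] += 1
            if progress[pid] == len(TRIPLET):
                counts[pid] += 1
                progress[pid] = 0
        else:  # sequence broken; a fresh first line may start a new one
            progress[pid] = 1 if (func, reason) == TRIPLET[0] else 0
    return dict(counts)


def assess(log_text, alert_threshold=100):
    """Summarise the log; alert_threshold (assumed) separates the odd broken client
    from the sustained stream of probes the advisory describes."""
    per_pid = count_rejected_blocks(log_text)
    total = sum(per_pid.values())
    return {"per_pid": per_pid, "total": total, "alert": total >= alert_threshold}
```

Run it periodically over a rotated ssl/error_log (or feed it the tail of the live file) and raise the alert into whatever monitoring you already have; the count per pid also shows which server child is absorbing the probes.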
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:59:45 PDT