-----BEGIN PGP SIGNED MESSAGE-----

======================================================================
Vulnerability Note VU#997481 [DRAFT]
======================================================================

***** NOT FOR PUBLIC DISTRIBUTION *****

VU#997481 - Cryptographic libraries and applications do not adequately
defend against timing attacks

OVERVIEW

Cryptographic libraries and applications do not provide adequate defense against timing attacks on RSA private keys. Such attacks have been shown to be practical remotely using widely-available hardware.

DESCRIPTION

David Brumley and Dan Boneh, researchers at Stanford University, have written a paper that demonstrates practical attacks that can be used to extract private keys from vulnerable RSA decryption applications. Using statistical techniques and carefully measuring the amount of time required to complete an RSA decryption operation on known ciphertext, an attacker can recover one of the factors (q) of the RSA key. With the public key and the factor q, the attacker can compute the private key. Similar types of timing attacks are discussed in CERT Advisory CA-1998-07, a paper by Daniel Bleichenbacher et al., and a paper by Paul Kocher.

The paper documents a set of experiments using widely-available hardware to attack a simplified model of an SSL/TLS-enabled web server. The researchers were able to extract a 1024-bit RSA private key from the model RSA decryption server in approximately two hours. The attack requires ~350,000 samples, which to a web server may appear as network connections and failed attempts to set up SSL/TLS sessions. The experiments were conducted on a high-speed, closed network that does not accurately reflect the network conditions found on the Internet. The attacks could, however, be feasible on a network with a low variance in latency such as a LAN, corporate/campus network, or Internet2/Abilene. The attacks could also be feasible against production SSL-enabled web servers.
The paper also notes that inter-process attacks against Virtual Machines (VM) running on the same physical computer could yield RSA secrets held by a trusted VM, violating the TCPA/Palladium security model.

The paper discusses a defense called "RSA blinding" that introduces an additional random component to the decryption process and makes timing information unusable to attackers. It appears that many cryptographic libraries, and applications that may use those libraries, either do not implement RSA blinding or do not make use of it when it is available in the underlying libraries. RSA blinding does incur a moderate performance penalty. Although the OpenSSL library does implement RSA blinding, many applications that use OpenSSL, including Apache mod_ssl, do not use this feature and are therefore vulnerable to timing attacks.

IMPACT

A remote attacker could derive private RSA keys. It is important to note that the attacks described in this paper appear to be practical under certain conditions. In the case of remote attacks against SSL/TLS-enabled web servers, variance in network latency must be sufficiently low (> 1ms), and the load on the server must be accounted for by the attacker. A server may be vulnerable during a period of low activity. In the case of local inter-process attacks against a VM, all the necessary conditions exist. Any application that performs RSA private key operations (decryption, signing) may be vulnerable: SSL/TLS-enabled network services, IPsec, Secure Shell (SSH), and smart cards are some examples of such applications.

SOLUTION

Upgrade or Patch

Upgrade or apply a patch as specified by your vendor. The preferred defense is to use RSA blinding; however, other methods such as quantizing can be used to reduce or eliminate the information disclosed by timing. These defenses do incur performance penalties - 2-10% in the case of RSA blinding.
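The RSA blinding defense described above, as an added example in Python; this is not code from the note, from the Brumley/Boneh paper, or from any library the note mentions. The key material is a small constructed key (two 30-bit primes) so the example runs instantly; the arithmetic is the same for a real key. decrypt_crt is the plain CRT decryption whose running time depends on the attacker-chosen ciphertext, and decrypt_blinded wraps it so that the value actually exponentiated is c * r^e mod N for a fresh random r, with r stripped from the result afterwards. The function and variable names are the example's own.

```python
import math
import secrets

# Constructed demo key: two small primes so the example runs instantly.
# Real keys are far larger; the operations below are identical.
P = 1000000007
Q = 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ modular inverse)


def encrypt(m, n=N, e=E):
    """Textbook RSA encryption (no padding) of an integer m < n."""
    return pow(m, e, n)


def decrypt_crt(c, p=P, q=Q, d=D):
    """Unblinded CRT decryption of the kind the paper attacks.

    The exponentiation modulo q works directly on the attacker's c, so the
    time it takes leaks information about how c relates to the secret q.
    """
    dp = d % (p - 1)
    dq = d % (q - 1)
    qinv = pow(q, -1, p)
    m1 = pow(c, dp, p)
    m2 = pow(c, dq, q)
    h = (qinv * (m1 - m2)) % p          # Garner's recombination
    return m2 + h * q


def blind(c, n=N, e=E):
    """Multiply the ciphertext by r^e for a fresh random r coprime to n.

    Returns (blinded ciphertext, r). r must be fresh for every private-key
    operation and kept secret until unblinding.
    """
    while True:
        r = secrets.randbelow(n)
        if r > 1 and math.gcd(r, n) == 1:
            return (c * pow(r, e, n)) % n, r


def unblind(m_blind, r, n=N):
    """Remove the blinding factor: (m * r) * r^-1 == m (mod n)."""
    return (m_blind * pow(r, -1, n)) % n


def decrypt_blinded(c, n=N, e=E, p=P, q=Q, d=D):
    """Blinded decryption: the CRT exponentiation never sees the attacker's c.

    (c * r^e)^d == c^d * r^(e*d) == m * r (mod n), so the result is m after
    multiplying by r^-1.  The timing now depends on c * r^e, which the
    attacker cannot predict because r is random.
    """
    c_blind, r = blind(c, n, e)
    return unblind(decrypt_crt(c_blind, p, q, d), r, n)


if __name__ == "__main__":
    msg = 123456789
    c = encrypt(msg)
    print("plain CRT decrypts correctly  :", decrypt_crt(c) == msg)
    print("blinded decrypts correctly    :", decrypt_blinded(c) == msg)
    print("two blindings of c differ     :", blind(c)[0] != blind(c)[0])
```

The point to check when auditing a deployment is the one the note makes: the library must implement blinding and the application must actually turn it on for the key it uses (OpenSSL of that era, for instance, exposes this per key through RSA_blinding_on()). Blinding is only effective when r is drawn from a cryptographic random source and replaced on every private-key operation; a reused or predictable r restores the correlation between the attacker's ciphertext and the measured time.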
In order to use RSA blinding to defend against these types of timing attacks, it is necessary for the underlying cryptographic library to support RSA blinding and for the application to make use of it.

Use larger RSA keys

At present (February 2003), the attacks are practical against 1024-bit RSA keys.

Monitor RSA decryption applications

Monitor RSA key exchange applications for signs of attack. In the case of an attack against SSL/TLS web applications, logs may show a relatively high number of network connections and failed attempts to establish SSL/TLS sessions.

Authenticate clients

In the case of sensitive web applications, require clients to use strong authentication (X.509 client certificates). While this will not prevent attacks, it will limit and identify the possible sources of attacks.

REFERENCES

http://ietf.org/rfc/rfc2246.txt

CREDIT

This vulnerability is documented in a research paper written by David Brumley and Dan Boneh of Stanford University.

This document was written by Art Manion.

***** NOT FOR PUBLIC DISTRIBUTION *****
======================================================================

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wl4EARECAB4FAj50WGUXHGhhY2s0bGlmZUBodXNobWFpbC5jb20ACgkQgSjHzuae7+p0
bACfbnfawyUT4OfDlbXKNYQhQdWsZqYAniqUM4F1Eo/bkQ6pU6vktTMM8FSr
=Apm5
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Sat Mar 15 2003 - 23:40:43 PST