95166 2003-03-21  21:19  /132 lines/ Brian Hatch <bugtraq@ifokr.org>
Imported: 2003-03-21  21:19  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4105>
Subject: Stunnel: RSA timing attacks / key discovery
------------------------------------------------------------


Release Date:          2003-Mar-21
Package:               stunnel
Versions:              Stunnel 3.x    x <= 22
                       Stunnel 4.x    x <= 04
Problem type:          Key discovery / Information Leakage
Exploit script:        None publicly available
Severity:              High
Network-accessible:    yes
Discovery:             D. Boneh, D. Brumley
Writeup:               Brian Hatch <bri@stunnel.org>

Summary:               SSL sessions where RSA blinding is not in effect
                       are vulnerable to timing attacks which could
                       allow a cracker to discover your private RSA key.

Description:
 
   Stunnel is an SSL wrapper able to act as an SSL client or server,
   enabling non-SSL aware applications and servers to utilize SSL
   encryption.

   Dan Boneh and David Brumley have successfully implemented an RSA
   timing attack against OpenSSL-enabled SSL software, including
   Stunnel.  Their writeup is available at
   http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html


Impact:
 
   If you use an RSA key for an SSL server, a determined cracker could
   eventually determine your key.  This could be used to impersonate
   your server via a man-in-the-middle attack, or to decrypt all SSL
   connections between client and server that can be sniffed/etc from
   the cracker's location.


Mitigating factors:

   The timing attack works best in situations where there is little
   or no network lag, such as over a localhost connection.  If the
   attacking host is more distant, the wider range of packet
   turnaround times adds noise to the measurements and may make the
   attack less successful.  However, a very slow CPU on the Stunnel
   server (which performs the RSA number crunching more slowly, so the
   data-dependent timing differences are larger) may counteract the
   network lag.

   The number of connections an attacking host must make to discover
   the key is rather large, enough that you may well notice the
   increase in your CPU usage, number of available sockets, or volume
   of log messages spewing through your system.

Solution:
 
   * Recompile OpenSSL using the patch[1] they have supplied and then
     recompile Stunnel.

   or

   * Apply the patch for Stunnel 3.x available at 
     http://www.stunnel.org/patches/desc/blinding-3.x_bri.html

     or the patch for Stunnel 4.x available at 
     http://www.stunnel.org/patches/desc/blinding-4.x_bri.html

     and recompile Stunnel.


   I expect Stunnel 4.05 and 3.23 will be released which incorporate
   these or similar patches.
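   The patches above turn on RSA blinding, which OpenSSL already
   implements (its API exposes this as RSA_blinding_on(); that name is
   general knowledge about OpenSSL, not something this advisory states).
   The block below is an added worked example, not code from Stunnel,
   OpenSSL, or the patches: it implements the same blinding arithmetic
   in Python over a constructed toy key so the effect described under
   "Mitigating factors" and "Solution" can be seen directly.  The
   server's secret exponentiation is no longer applied to the ciphertext
   the attacker chose, but to a randomised value, and the result is
   un-blinded afterwards.  Key values, messages and helper names are
   all constructed for the example.

```python
"""RSA blinding, the countermeasure the advisory's patches enable.

Added worked example (not Stunnel or OpenSSL code).  The toy key is
constructed for the demonstration; real keys are 1024 bits or more, but
the blinding arithmetic is identical.
"""
import secrets
from math import gcd

# Constructed toy key: two small well-known primes (NOT secure, demo only).
P = 1000003
Q = 999983
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)          # private exponent (Python 3.8+ modular inverse)


def rsa_encrypt(m, e=E, n=N):
    """Public operation: what the SSL client does with the premaster secret."""
    return pow(m, e, n)


def rsa_decrypt_unblinded(c, d=D, n=N):
    """Private operation as the vulnerable servers performed it.

    The modular exponentiation runs directly on c, so its running time is
    a function of the attacker-chosen ciphertext and the secret d.
    Measuring that time over many chosen c is what the attack exploits.
    """
    return pow(c, d, n)


def blind(c, e=E, n=N):
    """Return (c', r_inv) with c' = c * r^e mod n for a fresh random r.

    r must be invertible mod n; for a real key gcd(r, n) != 1 would mean
    r shares a factor with n, astronomically unlikely but checked anyway.
    """
    while True:
        r = secrets.randbelow(n - 2) + 2      # r in [2, n-1]
        if gcd(r, n) == 1:
            break
    c_blind = (c * pow(r, e, n)) % n
    r_inv = pow(r, -1, n)
    return c_blind, r_inv


def rsa_decrypt_blinded(c, d=D, e=E, n=N):
    """Private operation with blinding.

    The secret exponentiation is performed on c' = c * r^e, which the
    attacker cannot predict because r is random per operation, so the
    measured time no longer correlates with the chosen c.  Afterwards
        (c * r^e)^d = c^d * r^(e*d) = c^d * r   (mod n),
    so multiplying by r^-1 recovers c^d.
    """
    c_blind, r_inv = blind(c, e, n)
    m_blind = pow(c_blind, d, n)
    return (m_blind * r_inv) % n


def blinding_preserves_result(messages):
    """True if blinded and unblinded decryption agree on every message."""
    for m in messages:
        c = rsa_encrypt(m)
        plain = rsa_decrypt_unblinded(c)
        if plain != m or rsa_decrypt_blinded(c) != plain:
            return False
    return True


def blinded_inputs_differ(c, trials=8):
    """True if repeated blinding of the same c exponentiates different values.

    This is the property that defeats the attack: the attacker controls c,
    but the value the secret exponent is applied to changes on every call.
    """
    seen = {blind(c)[0] for _ in range(trials)}
    return len(seen) == trials


if __name__ == "__main__":
    sample = [42, 123456789, N - 1]          # constructed messages
    print("blinded == unblinded:", blinding_preserves_result(sample))
    print("exponentiated values differ per call:",
          blinded_inputs_differ(rsa_encrypt(42)))
```

   Note that blinding does not make the exponentiation constant-time; it
   only removes the attacker's control over its input, which is why the
   attack's per-ciphertext timing measurements stop carrying information
   about the key bits.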
 

For more information about Stunnel, consult the following pages:

   http://stunnel.mirt.net/    # Official Stunnel home page
   http://www.stunnel.org/     # Stunnel.org: FAQ/Distribution/Patches/Etc


Discovery:

  The code to successfully perform an RSA timing attack against
  Stunnel was created by David Brumley and Dan Boneh.  Here is the
  original email they sent to the Stunnel mailing list on 13-Mar-2003.

  --------------------------------------------------------------------

  To: stunnel-users@mirt.net
  Date: 13 Mar 2003 16:09:17 -0800
  From: David Brumley <dbrumley@stanford.edu>
  Subject: Timing attack against stunnel/OpenSSL
  
  Dan Boneh and I have been researching timing attacks against
  software crypto libraries.  Timing attacks are usually used to
  attack weak computing devices such as smartcards.  We've
  successfully developed and mounted timing attacks against software
  crypto libraries running on general purpose PC's.
  
  We found that we can recover an RSA secret from OpenSSL using
  anywhere from only 300,000 to 1.4 million queries.  We demonstrated
  our attack was practical by successfully launching an attack against
  Apache + mod_SSL and stunnel on the local network.  Our results
  show that timing attacks are practical against widely-deployed
  servers running on the network.
  
  While OpenSSL definitely does provide for blinding, mod_SSL doesn't
  appear to use it. One reason is it appears difficult to enable
  blinding from the SSL API.
  
  This paper was submitted to Usenix security 03.  The link to the
  paper is here:
  http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html
  
  We notified CERT about a month ago re: this attack, so it's
  possible you heard about this from them already.
  
  flames > /dev/null.  Feel free to write with any questions.
  
  Cheers,
  -David Brumley


  --------------------------------------------------------------------


--
Brian Hatch                  Quantum Mechanics:
   Systems and                The dreams stuff
   Security Engineer          is made of.
www.hackinglinuxexposed.com

Every message PGP signed
(95166) /Brian Hatch <bugtraq@ifokr.org>/-(Reflowed)
Attachment (application/pgp-signature) in text 95167
95167 2003-03-21  21:19  /8 lines/ Brian Hatch <bugtraq@ifokr.org>
Imported: 2003-03-21  21:19  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <4106>
Attachment (text/plain) to text 95166
Subject: Attachment to: Stunnel: RSA timing attacks / key discovery
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE+e2gYidaA3abfMooRAqp7AJ9ofuuZz0svU0cYs5Y4Y+zCmIkT4QCfd/nA
wwj0Rq0XlJ1OnDCL9M9DgoA=
=fLya
-----END PGP SIGNATURE-----
(95167) /Brian Hatch <bugtraq@ifokr.org>/-----------