94151 2003-03-14 19:41 /28 rader/ David Brumley <dbrumley@stanford.edu>
Importerad: 2003-03-14 19:41 av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <3972>
Ärende: Vulnerability in OpenSSL
------------------------------------------------------------
Dan Boneh and I have been researching timing attacks against software
crypto libraries. Timing attacks are usually used to attack weak
computing devices such as smartcards. We've successfully developed
and mounted timing attacks against software crypto libraries running
on general purpose PC's.
We found that we can recover an RSA secret from OpenSSL using anywhere
from only 300,000 to 1.4 million queries. We demonstrated our attack
was pratical by successfully launching an attack against Apache +
mod_SSL and stunnel on the local network. Our results show that
timing attacks are practical against widely-deploy servers running on
the network.
To our knowledge, OpenSSL and derived crypto libraries are
vulnerable. Mozilla's NSS is not vulnerable, as it implements RSA
blinding. Crypto++ is not vulnerable in practice due to it's sliding
windows implementation (least to most significant..most to least is
vulnerable).
The results indicate that all crypto implementations should defend
against timing attacks.
This paper was submitted to Usenix security 03. The link to the paper
is here:
http://crypto.stanford.edu/~dabo/abstracts/ssl-timing.html
-David Brumley
(94151) /David Brumley <dbrumley@stanford.edu>/(Ombruten)
94253 2003-03-17 20:21 /8 rader/ Ben Laurie <ben@algroup.co.uk>
Importerad: 2003-03-17 20:21 av Brevbäraren
Extern mottagare: Bugtraq <BUGTRAQ@securityfocus.com>
Mottagare: Bugtraq (import) <4006>
Ärende: [ADVISORY] Timing Attack on OpenSSL
------------------------------------------------------------
I expect a release to follow shortly.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
(94253) /Ben Laurie <ben@algroup.co.uk>/------------
Bilaga (text/plain) i text 94254
Bilaga (text/plain) i text 94255
94254 2003-03-17 20:21 /27 rader/ Ben Laurie <ben@algroup.co.uk>
Bilagans filnamn: "ADVISORY.txt"
Importerad: 2003-03-17 20:21 av Brevbäraren
Extern mottagare: Bugtraq <BUGTRAQ@securityfocus.com>
Mottagare: Bugtraq (import) <4007>
Bilaga (text/plain) till text 94253
Ärende: Bilaga (ADVISORY.txt) till: [ADVISORY] Timing Attack on OpenSSL
------------------------------------------------------------
OpenSSL v0.9.7a and 0.9.6i vulnerability
----------------------------------------
Researchers have discovered a timing attack on RSA keys, to which
OpenSSL is generally vulnerable, unless RSA blinding has been turned
on.
Typically, it will not have been, because it is not easily possible to
do so when using OpenSSL to provide SSL or TLS.
The enclosed patch switches blinding on by default. Applications that
wish to can remove the blinding with RSA_blinding_off(), but this is
not generally advised. It is also possible to disable it completely by
defining OPENSSL_NO_FORCE_RSA_BLINDING at compile-time.
The performance impact of blinding appears to be small (a few
percent).
This problem affects many applications using OpenSSL, in particular,
almost all SSL-enabled Apaches. You should rebuild and reinstall
OpenSSL, and all affected applications.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0147 to this issue.
We strongly advise upgrading OpenSSL in all cases, as a precaution.
(94254) /Ben Laurie <ben@algroup.co.uk>/------------
94255 2003-03-17 20:21 /78 rader/ Ben Laurie <ben@algroup.co.uk>
Bilagans filnamn: "openssl-sec3.patch"
Importerad: 2003-03-17 20:21 av Brevbäraren
Extern mottagare: Bugtraq <BUGTRAQ@securityfocus.com>
Mottagare: Bugtraq (import) <4008>
Bilaga (text/plain) till text 94253
Ärende: Bilaga (openssl-sec3.patch) till: [ADVISORY] Timing Attack on OpenSSL
------------------------------------------------------------
Index: crypto/rsa/rsa_eay.c
===================================================================
RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_eay.c,v
retrieving revision 1.28.2.3
diff -u -r1.28.2.3 rsa_eay.c
--- crypto/rsa/rsa_eay.c 30 Jan 2003 17:37:46
-0000 1.28.2.3
+++ crypto/rsa/rsa_eay.c 16 Mar 2003 10:34:13 -0000
@@ -195,6 +195,25 @@
return(r);
}
+static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
+ {
+ int ret = 1;
+ CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+ /* Check again inside the lock - the macro's check is racey */
+ if(rsa->blinding == NULL)
+ ret = RSA_blinding_on(rsa, ctx);
+ CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+ return ret;
+ }
+
+#define BLINDING_HELPER(rsa, ctx, err_instr) \
+ do { \
+ if(((rsa)->flags & RSA_FLAG_BLINDING) && \
+ ((rsa)->blinding == NULL) && \
+ !rsa_eay_blinding(rsa, ctx)) \
+ err_instr \
+ } while(0)
+
/* signing */
static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
unsigned char *to, RSA *rsa, int padding)
@@ -239,8 +258,8 @@
goto err;
}
- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding ==
NULL))
- RSA_blinding_on(rsa,ctx);
+ BLINDING_HELPER(rsa, ctx, goto err;);
+
if (rsa->flags & RSA_FLAG_BLINDING)
if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
@@ -318,8 +337,8 @@
goto err;
}
- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding ==
NULL))
- RSA_blinding_on(rsa,ctx);
+ BLINDING_HELPER(rsa, ctx, goto err;);
+
if (rsa->flags & RSA_FLAG_BLINDING)
if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;
Index: crypto/rsa/rsa_lib.c
===================================================================
RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_lib.c,v
retrieving revision 1.30.2.2
diff -u -r1.30.2.2 rsa_lib.c
--- crypto/rsa/rsa_lib.c 30 Jan 2003 17:37:46
-0000 1.30.2.2
+++ crypto/rsa/rsa_lib.c 16 Mar 2003 10:34:13 -0000
@@ -72,7 +72,13 @@
RSA *RSA_new(void)
{
- return(RSA_new_method(NULL));
+ RSA *r=RSA_new_method(NULL);
+
+#ifndef OPENSSL_NO_FORCE_RSA_BLINDING
+ r->flags|=RSA_FLAG_BLINDING;
+#endif
+
+ return r;
}
void RSA_set_default_method(const RSA_METHOD *meth)
(94255) /Ben Laurie <ben@algroup.co.uk>/--(Ombruten)