Press Release, Prague, 18.3.2003
Prague, March 18, 2003. The leading Czech cryptologists Vlastimil Klíma
and Tomáš Rosa, both working for ICZ a. s., and a colleague of theirs
Ondřej Pokorný have revealed and immediately suggested a solution to a
major security bug in the encrypted Internet communication.
The weakness identified by the cryptologists makes it possible to attack the SSL/TLS (Secure Sockets Layer and Transport Layer Security) protocols used as a cryptographic protection of a majority of electronic transactions, such as on-line purchases and e-banking, and, in some cases, a secured transmission of e-mails as well.
An attack on these protocols, as described by the team of Czech cryptologists, can break through the protection completely and decrypt protected communication. This means for clients using applications relying on SSL/TLS protocols that an attacker is able to retrieve their credit card numbers, sensitive information about their bank accounts and misuse confidential data from their e-mails.
Client and provider security
In every transmission of information protected by the SSL/TLS protocols, there is just one subject referred to as "server" (typically a service provider, such as an e-shop, an e-bank, or a server with a email box) and just one subject referred to as "client" (typically a buyer, an owner of a bank account, or a receiver of incoming e-mails).
The aim of the attack is to decrypt the encrypted communication between the client and the server. The attack is based on what is referred to as "side channels" (a new trend in cryptanalysis) through which the attacker gets access to sensitive information from the service provider (the server) without any participation of the user (the client). The sensitive information is received step by step on the background of standard connections between the attacker and the server. This method is based on mathematic algorithms. This is why it is not the users who should adopt any measures aimed at increasing the level of protection. Urgent attention should thus be paid by the administrators of those servers on which the error may occur. Cryptologists from ICZ found out that out of a randomly selected sample of several hundreds of Internet servers using the protocols concerned, as many as two thirds were vulnerable to the attack.
To eliminate the error by the service providers' applying a security patch, the Czech cryptologists have suggested several countermeasures in their report which are fully compatible with the applications currently used by the clients. This is why the clients will not encounter any difficulties related to the shift to a safer version of the SSL/TLS protocols.
Since this security bug concerns the most widely used protocols protecting the transmission of information via the Internet, the identification of the error and in particular the preparation of a detailed methodology on how to remove the error is another significant Czech contribution to the Internet security.
For further details see the cryptologic research report at http://eprint.iacr.org/2003/052/ or at ICZ web site at http://www.i.cz.
What exactly does an attacker do?
Typically, the attacker's primary target is to decrypt intercepted confidential communications between the client and the server. This is why we have chosen the following example to demonstrate the importance of the attack discovery.
In the first step, the attacker intercepts and stores encrypted communication between the client and the server. Due to the variety of environments in which information is transmitted via the Internet, including air transmission, interception of any communication is generally considered maybe not too easy for an amateur but definitely possible for an experienced attacker.
In the second step, the attacker compiles his own requests based on the intercepted encrypted transaction using a mathematic algorithm. Just like an "ordinary" client, he sends these requests to the server on which the transaction concerned occurred. The server responds to every such request, providing the attacker with "side information". By putting together a great many pieces of such side information, the hacker receives enough data to be able to compute the value of the main symmetrical key of the connection called a premaster secret. Then he/she simply decrypts the intercepted communication.
How difficult is an attack?
Except for the interception of an encrypted transaction, an attack like this places no special requirements on the attacker's computers or any other devices and equipment used. An intruder can easily accomplish this using a standard office computer with a fast and stable Internet connection. So it is only the time spent on the second step that makes the attack somewhat difficult. The amount of time spent depends on the number of requests that an attacker must send and receive responses to.
A typical Internet server using a 1024-bit RSA key will succumb to the attack after less than 13.34 million requests in half the cases. The processing speed equalled to 67.7 requests per second in our testing environment. This means that every second attack would finish within 55 hours. However, there was one attack in our tests that only lasted 14 hours and 23 minutes.
In practice, an attacker will be more likely to spread this load both in time and in space to minimize the risk of being revealed. The only thing that an attacker needs is to receive the necessary number of responses from the server, and so his attack does not need to take place continually or from a single location.
In practice, the attack could be launched over various arbitrarily long time intervals spread over an arbitrarily long period from any number of computers. The only limiting factor is the server that has to respond to the requests received from all the computers involved. Spread over a long period of time, the attack may take considerably more time, but again, due to the current validity period of credit cards, a hacker can wait for the decryption of a credit card number even for months.
Practical vulnerability and countermeasures
With respect to the purpose of the attacks, any vulnerability of the servers, if identified, must be considered a relatively serious security threat. On the other hand, it is not necessary to get into panic whenever an electronic transaction takes place because an administrator of the attacked server with the necessary experience and tools should be able to identify an attack like this and stop it by blocking the direction from which the attack is coming.
In case of a sophisticated distributed attack, it is advisable to cancel the current RSA key of the server and generate a new one. This will prevent the attacker from finishing his/her attack. It should, however, be pointed out that the risk of a successful attack is very high for poorly administered servers. Therefore, increased attention should be paid to the administration of servers until the necessary security patches are available.
The countermeasures described above are administrative and technical and should be efficient enough until the countermeasures suggested by cryptologists are adopted. These are very easy to apply and highly efficient. They are described in the technical report prepared by the authors and consist in updating the server software.
Press Release, Prague, 21.3.2003
Open SSL Group, which produces the most frequently used software for the
implementation of SSL/TLS protocols, has released a patch to fix a weakness
that allowed a successful attack on the most frequently used method of
encrypting communications on the Internet.
The hole was discovered several days ago by leading Czech cryptologists Vlastimil Klíma and Tomáš Rosa, both working for ICZ a. s., and a colleague of theirs Ondřej Pokorný, who also suggested a protection method.
A successful hacker attack on servers with this weakness would compromise data security, on-line purchases, electronic banking, and in certain cases secured e-mail transmissions. The cryptologists say that programming this type of attack poses no great problem to experienced hackers and roughly two thirds of SSL/TLS servers on the Internet have this weakness.
Administrators of SSL/TLS servers can now download this publicly accessible patch to security programs, which will stop hackers from exploiting the weakness. Patches have also been released for the OpenBSD and FreeBSD operating systems, which are freely available as Linux, but are more security-oriented.
Administrators of banking, commercial and other SSL/TLS servers unable to use the patches (those using different software, for example) should first familiarize themselves with the countermeasures recommended by the cryptologists or follow the administrative and technical instructions available at the Internet addresses below.
First press release with technical annex: http://www.i.cz/onas/tisk14.html
OpenSSL homepage: http://www.openssl.org/news/secadv_20030319.txt
OpenSSL patch: http://www.openssl.org/source/repos.html
OpenBSD homepage: http://www.openbsd.org/
OpenBSD patch: http://www.openbsd.org/kpr
FreeBSD homepage: http://www.freebsd.org/
FreeBSD patch: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-03:06.openssl.asc
Research report: http://eprint.iacr.org/2003/052/
Czech Press Agenture ČTK , March 23
Czech television ČT1, News, April 21, 19:15,
Radio Praha ČRo 7, March 23
Hospodářské noviny, 24.3., str. 23,
České noviny, 22.4.,
Právo, 22.4., str.3,
25.3. David Wagner, cryptologist, University of California Berkeley:
......But then, the recent Klima-Pokorny-Rosa paper shows how even just a tiny crack can lead to subtle, totally unexpected attacks. Who would have thought that SSL's version rollback check (two bytes in the input to the modular exponentiation) could enable such a devastating attack? Not me. ......