[VulnWatch] OpenSSL Private Key Disclosure

From: Chris Wysopal (weld@vulnwatch.org)
Date: 03/14/03

  • Next message: dong-h0un U: "[VulnWatch] Kebi Academy 2001 Web Solution Directory Traversing Vulnerability."
    Date: Fri, 14 Mar 2003 05:05:37 +0000 (GMT)
    From: Chris Wysopal <weld@vulnwatch.org>
    To: vulnwatch@vulnwatch.org
    
    

    Remote timing attacks are practical

    Authors: D. Boneh and D. Brumley

    Abstract:
    Timing attacks are usually used to attack weak computing devices such as
    smartcards. We show that timing attacks apply to general software systems.
    Specifically, we devise a timing attack against OpenSSL. Our experiments
    show that we can extract private keys from an OpenSSL-based web server
    running on a machine in the local network. Our results demonstrate that
    timing attacks against network servers are practical and therefore all
    security systems should defend against them.

    Reference:
    Submitted to Usenix Security.

    Full paper:
    http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf

