[VulnWatch] OpenSSL Private Key Disclosure
From: Chris Wysopal (weld@vulnwatch.org)
Date: 03/14/03
- Previous message: @stake Advisories: "[VulnWatch] Nokia SGSN (DX200 Based Network Element) SNMP issue"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 14 Mar 2003 05:05:37 +0000 (GMT) From: Chris Wysopal <weld@vulnwatch.org> To: vulnwatch@vulnwatch.org
Remote timing attacks are practical
Authors: D. Boneh and D. Brumley
Abstract:
Timing attacks are usually used to attack weak computing devices such as
smartcards. We show that timing attacks apply to general software systems.
Specifically, we devise a timing attack against OpenSSL. Our experiments
show that we can extract private keys from an OpenSSL-based web server
running on a machine in the local network. Our results demonstrate that
timing attacks against network servers are practical and therefore all
security systems should defend against them.
Reference:
Submitted to Usenix Security.
Full paper:
http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf
- Previous message: @stake Advisories: "[VulnWatch] Nokia SGSN (DX200 Based Network Element) SNMP issue"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
