Re: Is SSL safe? 2/3rds of randomly chosen servers are vulnerable

From: Arkanah Mohammad (peace be upon him) Hamza bin Bombed (nah@nah.err.nah)
Date: 03/24/03


From: "Arkanah Mohammad (peace be upon him) Hamza bin Bombed" <nah@nah.err.nah>
Date: Mon, 24 Mar 2003 18:08:29 -0000


"Relayer Bin Geekin" <relayer@dreamtheater.zzn.com> wrote in message
news:INDfa.198883$eG2.27893@sccrnsc03...
> Lord Shaoladin Moustachey wrote:
> <snip>
>
> Ignore last post please. I was confusing SSL and SSH.

SSH uses SSL so SSH should be affected too, shouldn't it? I recently upgraded
to openssl-0.9.7a after my Mixmaster warned me that my version of OpenSSL
contained known vulnerabilities when I was compiling it. AFAIK Redhat don't
have an rpm for that version yet. OpenSSL's advice is to upgrade to the latest
version (openssl-0.9.7a) and apply this patch:

http://www.openssl.org/news/secadv_20030317.txt
OpenSSL Security Advisory [17 March 2003]

Timing-based attacks on RSA keys
================================

OpenSSL v0.9.7a and 0.9.6i vulnerability
----------------------------------------

Researchers have discovered a timing attack on RSA keys, to which
OpenSSL is generally vulnerable, unless RSA blinding has been turned
on.

Typically, it will not have been, because it is not easily possible to
do so when using OpenSSL to provide SSL or TLS.

The enclosed patch switches blinding on by default. Applications that
wish to can remove the blinding with RSA_blinding_off(), but this is
not generally advised. It is also possible to disable it completely by
defining OPENSSL_NO_FORCE_RSA_BLINDING at compile-time.

The performance impact of blinding appears to be small (a few
percent).

This problem affects many applications using OpenSSL, in particular,
almost all SSL-enabled Apaches. You should rebuild and reinstall
OpenSSL, and all affected applications.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0147 to this issue.

We strongly advise upgrading OpenSSL in all cases, as a precaution.

Index: crypto/rsa/rsa_eay.c
===================================================================
RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_eay.c,v
retrieving revision 1.28.2.3
diff -u -r1.28.2.3 rsa_eay.c
--- crypto/rsa/rsa_eay.c 30 Jan 2003 17:37:46 -0000 1.28.2.3
+++ crypto/rsa/rsa_eay.c 16 Mar 2003 10:34:13 -0000
@@ -195,6 +195,25 @@
         return(r);
         }

+static int rsa_eay_blinding(RSA *rsa, BN_CTX *ctx)
+ {
+ int ret = 1;
+ CRYPTO_w_lock(CRYPTO_LOCK_RSA);
+ /* Check again inside the lock - the macro's check is racey */
+ if(rsa->blinding == NULL)
+ ret = RSA_blinding_on(rsa, ctx);
+ CRYPTO_w_unlock(CRYPTO_LOCK_RSA);
+ return ret;
+ }
+
+#define BLINDING_HELPER(rsa, ctx, err_instr) \
+ do { \
+ if(((rsa)->flags & RSA_FLAG_BLINDING) && \
+ ((rsa)->blinding == NULL) && \
+ !rsa_eay_blinding(rsa, ctx)) \
+ err_instr \
+ } while(0)
+
 /* signing */
 static int RSA_eay_private_encrypt(int flen, const unsigned char *from,
              unsigned char *to, RSA *rsa, int padding)
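Review bot: `err_instr` is pasted bare as the body of the `if` in BLINDING_HELPER, so every caller has to pass a complete statement including its own semicolon (the call sites below pass `goto err;`); wrapping the expansion as `{ err_instr }` would make that contract explicit. The unlocked read of `(rsa)->blinding` in the macro is acknowledged as racy by the comment in rsa_eay_blinding and is only safe because the pointer is never reset to NULL once set; that invariant deserves a comment next to the macro, since BN_BLINDING_convert() later dereferences the same pointer outside the lock as well.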
@@ -239,8 +258,8 @@
                 goto err;
                 }

- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
- RSA_blinding_on(rsa,ctx);
+ BLINDING_HELPER(rsa, ctx, goto err;);
+
         if (rsa->flags & RSA_FLAG_BLINDING)
                 if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;

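Review bot: the removed lines discarded the return value of RSA_blinding_on(), so an allocation failure left rsa->blinding NULL and BN_BLINDING_convert() two lines later was handed that NULL pointer; the `goto err;` in BLINDING_HELPER closes that hole. Because the error path is now reachable before any blinding conversion has happened, confirm that the `err:` label in RSA_eay_private_encrypt frees ctx and the BIGNUMs without assuming BN_BLINDING_convert() ran.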
@@ -318,8 +337,8 @@
                 goto err;
                 }

- if ((rsa->flags & RSA_FLAG_BLINDING) && (rsa->blinding == NULL))
- RSA_blinding_on(rsa,ctx);
+ BLINDING_HELPER(rsa, ctx, goto err;);
+
         if (rsa->flags & RSA_FLAG_BLINDING)
                 if (!BN_BLINDING_convert(&f,rsa->blinding,ctx)) goto err;

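Review bot: this hunk repeats the exact two-line sequence of the previous one (BLINDING_HELPER, then the RSA_FLAG_BLINDING test and BN_BLINDING_convert()); folding the convert call into the helper macro, or into rsa_eay_blinding(), would keep the two private-key call sites from drifting apart on the next change.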
Index: crypto/rsa/rsa_lib.c
===================================================================
RCS file: /e/openssl/cvs/openssl/crypto/rsa/rsa_lib.c,v
retrieving revision 1.30.2.2
diff -u -r1.30.2.2 rsa_lib.c
--- crypto/rsa/rsa_lib.c 30 Jan 2003 17:37:46 -0000 1.30.2.2
+++ crypto/rsa/rsa_lib.c 16 Mar 2003 10:34:13 -0000
@@ -72,7 +72,13 @@

 RSA *RSA_new(void)
         {
- return(RSA_new_method(NULL));
+ RSA *r=RSA_new_method(NULL);
+
+#ifndef OPENSSL_NO_FORCE_RSA_BLINDING
+ r->flags|=RSA_FLAG_BLINDING;
+#endif
+
+ return r;
         }

 void RSA_set_default_method(const RSA_METHOD *meth)
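Review bot: `r->flags|=RSA_FLAG_BLINDING` dereferences r without checking the result of RSA_new_method(), which returns NULL when allocation fails; add `if (r == NULL) return NULL;` before the #ifndef block. Note also that the default is applied only in RSA_new(), so RSA structures obtained directly from RSA_new_method() do not get the flag; if that is intended, the advisory's "switches blinding on by default" wording should say so.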

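Added example, not part of the advisory or the OpenSSL patch above: the blinding transform that BN_BLINDING_convert()/BN_BLINDING_invert() wrap around the private-key exponentiation, shown on a constructed textbook-sized key so the arithmetic is visible.

```python
# Added example (not from the advisory or the OpenSSL patch): RSA blinding as
# the patch enables it by default, on a constructed toy key.
import secrets
from math import gcd


def toy_rsa_key():
    # Constructed toy parameters (p=61, q=53); far too small to be secure,
    # chosen only so the numbers stay readable.
    p, q, e = 61, 53, 17
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return n, e, d


def rsa_private_unblinded(c, n, d):
    # The operation the timing attack measures: c^d mod n computed directly
    # on the caller-supplied input c (the pre-patch default in OpenSSL).
    return pow(c, d, n)


def blinding_convert(c, n, e):
    # Analogue of BN_BLINDING_convert: pick a random r coprime to n and
    # multiply the input by r^e, so the exponentiation runs on c * r^e,
    # a value unrelated to c.  Returns the blinded input and r^-1 mod n.
    while True:
        r = secrets.randbelow(n - 2) + 2
        if gcd(r, n) == 1:
            break
    return (c * pow(r, e, n)) % n, pow(r, -1, n)


def blinding_invert(m_blind, r_inv, n):
    # Analogue of BN_BLINDING_invert: (c * r^e)^d == c^d * r (mod n) because
    # e*d == 1 mod phi(n), so multiplying by r^-1 recovers c^d mod n.
    return (m_blind * r_inv) % n


def rsa_private_blinded(c, n, e, d):
    # Private-key operation with blinding on: same result, but the timing
    # of pow() depends on c * r^e, not on c.
    c_blind, r_inv = blinding_convert(c, n, e)
    m_blind = pow(c_blind, d, n)
    return blinding_invert(m_blind, r_inv, n)


if __name__ == "__main__":
    n, e, d = toy_rsa_key()
    c = pow(65, e, n)  # encrypt m=65 with the public key
    print(rsa_private_unblinded(c, n, d), rsa_private_blinded(c, n, e, d))
```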

