Attack of the week: FREAK (or ‘factoring the NSA for fun and profit’)
This article reprinted with permission from Matthew Green @ http://blog.cryptographyengineering.com/
This is the story of how a handful of cryptographers ‘hacked’ the NSA. It’s also a story of encryption backdoors, and why they never quite work out the way you want them to.
A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL (e.g., Android) clients and Apple TLS/SSL clients (e.g., Safari) that allow a ‘man in the middle attacker’ to downgrade connections from ‘strong’ RSA to ‘export-grade’ RSA. These attacks are real and exploitable against a shocking number of websites — including government websites. Patch soon and be careful.
What is SSL/TLS and what are ‘EXPORT cipher suites’ anyway?
clients to negotiate ‘strong’ ciphersuites with servers that supported them, while still providing compatibility to the broken foreign clients.
If EXPORT ciphers are known to be broken, what’s the news here?
- Most ‘modern’ clients (e.g., web browsers) won’t offer export grade ciphersuites as part of the negotiation process. In theory this means that even if the server supports export-grade crypto, your session will use strong crypto.
- Almost no servers, it was believed, even offer export-grade ciphersuites anymore.
- Even if you do accidentally negotiate an export-grade RSA ciphersuite, a meaningful attack still requires the attacker to factor a 512-bit RSA key (or break a 40-bit symmetric cipher). This is doable, but it’s generally considered too onerous if you have to do it for every single connection.
The MITM attack works as follows:
- In the client’s Hello message, it asks for a standard ‘RSA’ ciphersuite.
- The MITM attacker changes this message to ask for ‘export RSA’.
- The server responds with a 512-bit export RSA key, signed with its long-term key.
- The client accepts this weak key due to the OpenSSL/SecureTransport bug.
- The attacker factors the RSA modulus to recover the corresponding RSA decryption key.
- When the client encrypts the ‘pre-master secret’ to the server, the attacker can now decrypt it to recover the TLS ‘master secret’.
- From here on out, the attacker sees plaintext and can inject anything it wants.
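The seven steps above as a runnable toy model. This is an added example, not code from the original post or its authors: the primes are tiny constructed stand-ins for a 512-bit export key, trial division stands in for CADO-NFS, and the two client functions are my own models of the pre-patch and patched ServerKeyExchange handling.

```python
from math import gcd

RSA_SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA"          # what the client really asks for
EXPORT_SUITE = "TLS_RSA_EXPORT_WITH_RC4_40_MD5"     # what the MITM substitutes

def rsa_keygen(p, q, e=65537):
    """Textbook RSA; p and q are tiny constructed primes, not a real 512-bit key."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (n, e), pow(e, -1, phi)

def server(offered):
    """An export-enabled server honours whatever the ClientHello it sees offers."""
    suite = offered[0]
    if suite == EXPORT_SUITE:
        pub, _priv = rsa_keygen(65519, 65521)   # ephemeral 'export' key sent in ServerKeyExchange
        return suite, pub
    return suite, None                          # strong RSA: no ServerKeyExchange at all

def factor(n):
    """Trial division stands in for CADO-NFS; it is instant only because n is a toy."""
    p = 3
    while n % p:
        p += 2
    return p, n // p

def buggy_client(offered, ske):
    """Pre-patch model: an RSA ServerKeyExchange is used although no export suite was offered."""
    return ske

def fixed_client(offered, ske):
    """Patched model: a ServerKeyExchange is only legal when an export suite was offered."""
    if ske is not None and EXPORT_SUITE not in offered:
        return None                             # abort the handshake
    return ske

def run_handshake(client, premaster=0xDEADBEEF):
    """Returns the pre-master secret the attacker recovers, or None if the client aborted."""
    offered = [RSA_SUITE]                       # step 1: client asks for plain RSA
    _suite, ske = server([EXPORT_SUITE])        # steps 2-3: MITM rewrites the ClientHello
    key = client(offered, ske)                  # step 4: does the client accept the weak key?
    if key is None:
        return None
    n, e = key
    ciphertext = pow(premaster, e, n)           # step 6: client encrypts to the weak key
    p, q = factor(n)                            # step 5: attacker factors the modulus
    d = pow(e, -1, (p - 1) * (q - 1))
    return pow(ciphertext, d, n)                # step 7: attacker now holds the pre-master secret
```

The buggy client hands the attacker the pre-master secret; the fixed client refuses the unexpected ServerKeyExchange and the handshake never completes.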
How common are export-enabled TLS servers?
Factoring an RSA key seems pretty expensive for breaking one session.
PoC or GTFO.
(Figure caption: This is what happens to EC2 spot pricing when Nadia runs 75 ‘large’ instances to factor a 512-bit key.)
Just because someone says an implementation is vulnerable doesn’t mean it actually is. You should ask for proof.
(Attack images courtesy Karthik, Antoine INRIA.)
Some will point out that an MITM attack on the NSA is not really an ‘MITM attack on the NSA’ because NSA outsources its web presence to the Akamai CDN (see obligatory XKCD at right). These people may be right, but they also lack poetry in their souls.
Is it patched?
The most recent release of OpenSSL does have a patch. This was announced (though not very loudly) in January of this year.
Apple is working on a patch.
Akamai and other CDNs are also rolling out a patch to solve these problems. Over the next two weeks we will hopefully see export ciphersuites extinguished from the Internet. In the meantime, try to be safe.
What does it all mean?
Encryption backdoors will always turn around and bite you in the ass. They are never worth it.
Special thanks to Karthik and Antoine for sharing this with me, Nadia for factoring, Ivan Ristic for interrupting his vacation to get us data, and the CADO-NFS team for the software that made this possible.