[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RSA and Others work on SSL Fix
FYI
RSA DATA SECURITY WORKS WITH INTERNET SOFTWARE VENDORS TO RESPON
6/26/98 7:19
to Potential
Security Attack on Secure Web Communications
SAN MATEO, Calif., June 26 /PRNewswire/ -- RSA Data Security, Inc.
today
announced it is working with a group of leading Internet software vendors
on
pre-emptive countermeasures to thwart a newly-discovered potential attack
against secure Web communications. This vulnerability is currently the
subject of research and has not been reported by any users.
These countermeasures enhance the security of popular Internet server
software products based on the Secure Sockets Layer (SSL) protocol. The
countermeasures are, or will be, available from respective vendors' Web
sites,
and include configuration guidelines, software updates where applicable and
additional information. Currently available vendor information may be
found
at the following sites:
* C2Net Software, Inc.
http://www.c2.net
* Consensus Development Corporation
http://www.consensus.com/ssl-rsa.html
* IBM Corporation
http://www.ibm.com/security
* Lotus Development Corporation
http://www.lotus.com/security
* Microsoft Corporation
http://www.microsoft.com/security
* Netscape Communications Corporation
http://help.netscape.com/products/server/ssldiscovery/index.html
* Open Market, Inc.
http://www.openmarket.com/security
* RSA Data Security, Inc.
http://www.rsa.com/rsalabs/
RSA will also maintain an updated list of all vendors' countermeasure
site
links at its site. In addition, RSA has been working closely with the CERT
Coordination Center on this problem. CERT has made a technical advisory on
this vulnerability available at http://www.cert.org.
These countermeasures address a potential vulnerability discovered by
cryptographer Daniel Bleichenbacher of the Secure Systems Research
Department
of Bell Labs, the research and development arm of Lucent Technologies.
Bleichenbacher identified a cryptanalytic vulnerability that could
potentially
be used to discover the key for a particular encrypted session through a
process of repeatedly sending on the order of one million carefully
constructed messages to a target server and observing the server's
response.
Due to the large number of messages needed, the potential attack is
detectable
by network administrators. Additional information is available on the Bell
Labs Web site at http://www.bell-labs.com.
The vulnerability affects interactive key establishment protocols that
use
the Public Key Cryptography Standard (PKCS) #1, including SSL. The PKCS
series of standards are defined by RSA Laboratories, reviewed by industry
and
have been adopted by many major vendors of information systems and
incorporated in national and international standards. The vulnerability
does
not apply to PKCS #1-based secure messaging protocols, such as Secure
Electronic Transactions (SET) and Secure Multipurpose Internet Mail
Extension
(S/MIME) because they are not susceptible to, or already implement
mechanisms
preventing this potential vulnerability.
A technical overview of the attack and recommended countermeasures for
installed SSL-based server software are available now on the RSA Labs Web
site
at http://www.rsa.com/rsalabs/.
Software developers interested in testing their products for this
potential vulnerability should visit RSA's site at http://www.rsa.com where
they can find diagnostic instructions and prescriptive information for
updating their applications. In July, RSA plans to provide developers
using
the company's BSAFE security suite with free software enhancements designed
to
eliminate this threat.
RSA Laboratories plans to release for comment a draft PKCS #1 v2 in
July
following a revision process that began early in the year.
RSA Data Security, Inc.
RSA Data Security, Inc., a wholly owned subsidiary of Security Dynamics
Technologies, Inc. (Nasdaq: SDTI), is a leading supplier of software
components that secure electronic data, with more than 300 million copies
of
RSA encryption and authentication technologies installed worldwide. RSA
technologies are part of existing and proposed standards for the Internet
and
World Wide Web, ISO, ITU-T, ANSI, IEEE, and business, financial and
electronic
commerce networks around the globe. RSA develops and markets platform-
independent security components and related developer kits and provides
comprehensive cryptographic consulting services. RSA can be reached at
http://www.rsa.com.
All products and companies mentioned herein may be trademarks or
registered trademarks of their respective holdings and are hereby
recognized.
SOURCE RSA Data Security, Inc.
-0- 06/26/98
/CONTACT: Patrick Corman, Corman Communications, 650-326-9648,
[email protected]/
/Web site: http://www.rsa.com/
(SDTI)
CO: RSA Data Security, Inc.
ST: California
IN: CPR
SU:
-0- (PRN) Jun/26/98 07:03
EOS (PRN) Jun/26/98 07:04 86
-0- (PRN) Jun/26/ 98 7:19