[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RSA Material on PKCS#1 Crack



The attack: ftp://ftp.rsa.com/pub/pdfs/bulletn7.pdf
	4-page PDF file.  There's also a Postscript version available.
	The paper is by Bleichenbacher of Lucent and
	Burt Kaliski and Jessica Staddon of RSA Labs.
OEM Countermeasures: http://www.rsa.com/rsalabs/pkcs1/oem_counter.html
	(below)
Countermeasures for Users of Servers: http://www.rsa.com/rsalabs/pkcs1/countermeasures.html
	(below - it's pointers to vendor home pages, pleasantly including C2.
	Apparently they've done a good job coordinating it...)
Q&A : http://www.rsa.com/rsalabs/pkcs1/qa.html


======         RSA to Provide OEM Customers
               with Guidelines and Technology to
               Thwart Potential Web Server
               Security Attack

               OAEP Formatting Adds Important Security to
               Vulnerable Applications

               June 26, 1998 -- RSA Data Security, Inc. today
               announced guidelines to assist its OEM customers in
               both assessing their products� vulnerability to a newly
               discovered potential security attack, and to identify
               pre-emptive countermeasures to thwart such an attack. 
               The guidelines are designed to help developers
               understand the nature and mechanism of the threat,
               pose a series of technical questions to identify
               vulnerable constructs in the developer�s software
               design, and provide a set of countermeasures from
               which to choose based on the developer�s needs. 
               These guidelines are available online at
               http://www.rsa.com/rsalabs/.

               The potential threat affects server products that employ
               an interactive key establishment protocol in conjunction
               with the PKCS #1 standard for digital envelopes,
               including SSL-based servers.  SET (Secure Electronic
               Transaction) and other secure messaging protocols,
               such as S/MIME (Secure Multipurpose Internet Mail
               Extension), are not susceptible to or already implement
               mechanisms preventing this potential attack. 

               Recent research by cryptographer Daniel
               Bleichenbacher of the Bell Labs Secure Systems
               Research Department, the research and development
               arm of Lucent Technologies, indicate that the above
               combination is potentially vulnerable to a class of attack
               known as Adaptive Chosen Ciphertext Attacks.  The
               potential attack noted by Mr. Bleichenbacher relies on
               sending a target server on the order of a million carefully
               constructed messages and observing variations in the
               server�s response.  As such, the attack is both
               detectable and can be prevented with countermeasures.

               For some developers, the most effective countermeasure
               is incorporation of the Optimal Asymmetric Encryption
               Padding (OAEP) technology, a method of formatting an
               encrypted message so that attackers cannot learn
               information about the contents through repeated
               probing.  OAEP is designed to thwart a variety of
               attacks, including the Adaptive Chosen Ciphertext
               Attack.

               For other developers, the most effective countermeasure
               will be preventing an assailant from gaining information
               from messages returned from their server.  RSA�s
               guidelines provide design information for developers to
               use in implementing this form of countermeasure as well.

               RSA Laboratories, the research arm of RSA, plans to
               include OAEP in the next version of  PKCS #1, a widely
               used cryptography standard, that will be available as a
               draft for comment in July.  PKCS #1 is used in SSL and
               other popular security mechanisms to provide
               confidentiality for exchange of symmetric encryption
               keys (digital envelopes), as well as to construct digital
               signatures.  

               OAEP has already been integrated into RSA�s newest
               release of BSAFE� 4.0, the company�s flagship
               cryptographic security development suite which began
               shipping this month.  RSA intends to make available
               OAEP updates conforming to the new PKCS #1
               specification for its BSAFE 3.0 and 4.0 products in July,
               and to incorporate OAEP in an upcoming version of
               JSAFE�, RSA�s security engine for Java�.  RSA
               recommends that developers target these upcoming
               OAEP updates for inclusion in their products.  Check
               this site for more information on OAEP updates in the
               coming weeks.  

               RSA�s Website will also host links to vendors� sites
               where countermeasures are made available as a service
               to both OEMs and end customers.  See RSA�s related
               announcement on this subject.  Currently, the following
               vendor information Website links are available: 

                    C2Net Software, Inc. http://www.c2.net 
                    Consensus Development Corporation
                    http://www.consensus.com/ssl-rsa.html 
                    IBM Corporation http://www.ibm.com/security 
                    Lotus Development Corporation
                    http://www.lotus.com/security 
                    Microsoft Corporation
                    http://www.microsoft.com/security 
                    Netscape Communications Corporation
                    http://www.netscape.com 
                    Open Market, Inc.
                    http://www.openmarket.com/security/ 
                    RSA Data Security, Inc.
                    http://www.rsa.com/rsalabs 

                

               An RSA Labs technical paper discussing this
               vulnerability, as well as additional information, is
               available on RSA�s Website,
               http://www.rsa.com/rsalabs.


============ SSL Countermeasures

These countermeasures enhance the security of popular Internet servers 
and  software products based on the Secure Sockets Layer (SSL) protocol.  
The countermeasures are available from respective vendors' Web sites, 
and include configuration guidelines, software updates where applicable 
and additional information.  
Currently available vendor information may be found at the following sites:
                Aventail Corporation
                                            http://www.aventail.com/  
                C2Net Software, Inc. 
                                            http://www.c2.net/
                Consensus Development Corporation
                                            http://www.consensus.com/
                Lotus Development Corporation
                                            http://www.lotus.com/security
                IBM Corporation
                                            http://www.ibm.com/security/
                Microsoft Corporation
                                            http://www.microsoft.com/security/
                Netscape Communications Corporation
                                            http://help.netscape.com/products/server/ssldisc overy/index.html
                Open Market, Inc. 
                                            http://www.openmarket.com/security/
                RSA Data Security, Inc.
                                            http://www.rsa.com/rsalabs/


				Thanks! 
					Bill
Bill Stewart, [email protected]
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639