[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RSA Material on PKCS#1 Crack
The attack: ftp://ftp.rsa.com/pub/pdfs/bulletn7.pdf
4-page PDF file. There's also a Postscript version available.
The paper is by Bleichenbacher of Lucent and
Burt Kaliski and Jessica Staddon of RSA Labs.
OEM Countermeasures: http://www.rsa.com/rsalabs/pkcs1/oem_counter.html
(below)
Countermeasures for Users of Servers: http://www.rsa.com/rsalabs/pkcs1/countermeasures.html
(below - it's pointers to vendor home pages, pleasantly including C2.
Apparently they've done a good job coordinating it...)
Q&A : http://www.rsa.com/rsalabs/pkcs1/qa.html
====== RSA to Provide OEM Customers
with Guidelines and Technology to
Thwart Potential Web Server
Security Attack
OAEP Formatting Adds Important Security to
Vulnerable Applications
June 26, 1998 -- RSA Data Security, Inc. today
announced guidelines to assist its OEM customers in
both assessing their products� vulnerability to a newly
discovered potential security attack, and to identify
pre-emptive countermeasures to thwart such an attack.
The guidelines are designed to help developers
understand the nature and mechanism of the threat,
pose a series of technical questions to identify
vulnerable constructs in the developer�s software
design, and provide a set of countermeasures from
which to choose based on the developer�s needs.
These guidelines are available online at
http://www.rsa.com/rsalabs/.
The potential threat affects server products that employ
an interactive key establishment protocol in conjunction
with the PKCS #1 standard for digital envelopes,
including SSL-based servers. SET (Secure Electronic
Transaction) and other secure messaging protocols,
such as S/MIME (Secure Multipurpose Internet Mail
Extension), are not susceptible to or already implement
mechanisms preventing this potential attack.
Recent research by cryptographer Daniel
Bleichenbacher of the Bell Labs Secure Systems
Research Department, the research and development
arm of Lucent Technologies, indicate that the above
combination is potentially vulnerable to a class of attack
known as Adaptive Chosen Ciphertext Attacks. The
potential attack noted by Mr. Bleichenbacher relies on
sending a target server on the order of a million carefully
constructed messages and observing variations in the
server�s response. As such, the attack is both
detectable and can be prevented with countermeasures.
For some developers, the most effective countermeasure
is incorporation of the Optimal Asymmetric Encryption
Padding (OAEP) technology, a method of formatting an
encrypted message so that attackers cannot learn
information about the contents through repeated
probing. OAEP is designed to thwart a variety of
attacks, including the Adaptive Chosen Ciphertext
Attack.
For other developers, the most effective countermeasure
will be preventing an assailant from gaining information
from messages returned from their server. RSA�s
guidelines provide design information for developers to
use in implementing this form of countermeasure as well.
RSA Laboratories, the research arm of RSA, plans to
include OAEP in the next version of PKCS #1, a widely
used cryptography standard, that will be available as a
draft for comment in July. PKCS #1 is used in SSL and
other popular security mechanisms to provide
confidentiality for exchange of symmetric encryption
keys (digital envelopes), as well as to construct digital
signatures.
OAEP has already been integrated into RSA�s newest
release of BSAFE� 4.0, the company�s flagship
cryptographic security development suite which began
shipping this month. RSA intends to make available
OAEP updates conforming to the new PKCS #1
specification for its BSAFE 3.0 and 4.0 products in July,
and to incorporate OAEP in an upcoming version of
JSAFE�, RSA�s security engine for Java�. RSA
recommends that developers target these upcoming
OAEP updates for inclusion in their products. Check
this site for more information on OAEP updates in the
coming weeks.
RSA�s Website will also host links to vendors� sites
where countermeasures are made available as a service
to both OEMs and end customers. See RSA�s related
announcement on this subject. Currently, the following
vendor information Website links are available:
C2Net Software, Inc. http://www.c2.net
Consensus Development Corporation
http://www.consensus.com/ssl-rsa.html
IBM Corporation http://www.ibm.com/security
Lotus Development Corporation
http://www.lotus.com/security
Microsoft Corporation
http://www.microsoft.com/security
Netscape Communications Corporation
http://www.netscape.com
Open Market, Inc.
http://www.openmarket.com/security/
RSA Data Security, Inc.
http://www.rsa.com/rsalabs
An RSA Labs technical paper discussing this
vulnerability, as well as additional information, is
available on RSA�s Website,
http://www.rsa.com/rsalabs.
============ SSL Countermeasures
These countermeasures enhance the security of popular Internet servers
and software products based on the Secure Sockets Layer (SSL) protocol.
The countermeasures are available from respective vendors' Web sites,
and include configuration guidelines, software updates where applicable
and additional information.
Currently available vendor information may be found at the following sites:
Aventail Corporation
http://www.aventail.com/
C2Net Software, Inc.
http://www.c2.net/
Consensus Development Corporation
http://www.consensus.com/
Lotus Development Corporation
http://www.lotus.com/security
IBM Corporation
http://www.ibm.com/security/
Microsoft Corporation
http://www.microsoft.com/security/
Netscape Communications Corporation
http://help.netscape.com/products/server/ssldisc overy/index.html
Open Market, Inc.
http://www.openmarket.com/security/
RSA Data Security, Inc.
http://www.rsa.com/rsalabs/
Thanks!
Bill
Bill Stewart, [email protected]
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639