[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Lucent Researcher Cracks PKCS#1, SSL

To: [email protected], [email protected]
Subject: Lucent Researcher Cracks PKCS#1, SSL
From: Bill Stewart <[email protected]>
Date: Fri, 26 Jun 1998 18:13:43 -0700
Sender: [email protected]
http://www.rsa.com/rsalabs/pkcs1/
http://www.zdnet.com/zdnn/stories/zdnn_display/0,3440,332372,00.html



Lucent researcher cracks encryption code

By Margaret Kane, ZDNet

An encryption researcher has discovered a software flaw that could allow 
a hacker to break the software codes used for electronic commerce.

The problem protocols use the Public Key Cryptography Standard #1, 
including the Secure Sockets Layer, or SSL standard. RSA Data Security 
Inc., which defined the standard, said that the vulnerability does not
apply to PKCS #1-based secure messaging protocols, such as Secure 
Electronic Transactions and Secure Multipurpose Internet Mail Extension 
because they are not susceptible to -- and already implement --
mechanisms preventing this potential vulnerability. But at a Web site 
using SSL, a hacker could break the code by sending millions of messages 
to the target server and observing the server's response.

That information could be used to decode an intercepted session, said 
Daniel Bleichenbacher, a researcher at Lucent Technologies Inc.'s 
(Nasdaq:LU) Bell Labs. 

A slew of software companies announced today that they are working on a 
patch for the problem, and will post it on their Web sites. RSA, a 
division of Security Dynamics 
Technologies, (Nasdaq:SDTI) said it is working with IBM (Nasdaq:IBM), 
Microsoft Corp.(Nasdaq:MSFT), Netscape 
Communications Corp. (Nasdaq:NSCP), Open Market Inc. (Nasdaq:OMKT), and 
others on the problem. 

RSA is also working with the CERT Coordination Center on the problem, 
which has posted a technical advisory about the situation. 

Reuters contributed to this story. 


++++++++++++++++++ Extracted From Another web page there m+++++++++++++
http://www.zdnet.com/zdnn/stories/zdnn_display/0,3440,332372,00.html

SSL flaw could expose encrypted data

A researcher at Lucent Technologies Inc.&#039;s Bell Laboratories has discovered a vulnerability in the SSL encryption commonly used in electronic commerce transactions.</B></P>

<P>The flaw, which has been exposed only in a laboratory setting, would allow a hacker to capture encrypted data in a session between a browser and server.</P>

<P>The vulnerability is hardly a fatal flaw in SSL (Secure Sockets Layer). Rather, it&#039;s a hole that a savvy Web site administrator should be able to spot before a hacker can do any damage.



"The good news here is that you still have to be pretty smart to break it," said Julie Ferguson, chief technology officer of ClearCommerce Corp., in Austin, Texas.</P>

<P>The researcher, Daniel Bleichenbacher, who works in the secure systems research department of Bell Labs, in Murray Hill, N.J., found a way for a hacker to derive the session key used in a transaction by feeding off the error messages created by a server.</P>

<P>First, the hacker must prepare roughly 1 million messages to send against the server to capture the information. Bleichenbacher said he created an algorithm that analyzes those messages and derives the session key--which is randomly generated for each transaction by a combination of public and private keys at the Web site and the consumer&#039;s browser. Still, a competent site administrator should notice that his Web site has suddenly received a barrage of bad messages.</P>

<P>"It should be very easy to see that an attack is taking place," Bleichenbacher said. The hacker would also have to capture a session at some point on the line, likely at an Internet service provider, not knowing whether there is information within it that is worth stealing.</P>

<P>Because a session key is randomly generated for each session, it&#039;s possible for a hacker to capture information only about that individual session, said officials at RSA Data Security Inc., which developed SSL in conjunction with Netscape Communications Corp.</P>

The flaw, technically found in the standard called the Public Key Cryptography System #1, does not apply to encryption algorithms themselves but rather to the way packets are placed into encrypted envelopes. PKCS#1 is due to be upgraded next month, and the latest revision will account for the newly found vulnerability, said Scott Schnell, vice president of marketing at RSA, in Redwood City, Calif.

<P> The implications are perhaps most serious for home banking, because a hacker using this flaw could capture a user&#039;s banking information.</P>

<P>Although there are no known real-world attacks taking advantage of this SSL flaw, software vendors promise to have patches that mask the error messages. Netscape, in Mountain View, Calif., already has one available on its Web site for several applications, including Netscape Enterprise Server, Netscape Proxy Server and the company&#039;s messaging servers.</P>

<P>Microsoft Corp. also has created a fix that masks the error messages that a hacker would rely upon. Officials of the Redmond, Wash., company said they have worked with Netscape to ensure that their respective fixes do not create interoperability problems.</P>

<P>Both companies said they have already alerted major customers about the problem and provided them with fixes.</P>



				Thanks! 
					Bill
Bill Stewart, [email protected]
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
Prev by Date: ?
Next by Date: BeyondPress 4.0 from Extensis
Prev by thread: ?
Next by thread: BeyondPress 4.0 from Extensis
Index(es):
- Date
- Thread