of randomness broadcast to the attacker. One might guess that these extensions make P-256 less expensive to exploit in TLS by a factor of 65,536 (and make P-384 and P-521 feasible to exploit), if they are actually implemented; our analysis in Section 4.1 shows that one of these extensions is in fact implemented in BSAFE, although the actual effect on exploitability is more complicated. Neither of these extensions has been previously described in connection with Dual EC.

One proposed extension, authored by Rescorla and Salter [20] in 2008, supports extended random client and server nonces. This extension is negotiable using the normal ClientHello extension mechanism, and includes up to 2^16 - 1 bytes of data from a suitable PRNG. The server replies with its own extended random that must be of the same length as the client's extended random. The document states that this extension was requested by the United States Department of Defense with the claim that nonces should be at least twice as long as the security level (e.g., 256-bit nonces for 128-bit security). The other extension, Opaque PRF, proposed by the same authors [19] in 2006, is nearly identical to extended random but does not require the data to be random. A third proposed extension, additional random by Hoffman [10] in 2010, is essentially the same as extended random.

None of the three proposed extensions was ever adopted as a standard by the IETF, and the Internet-Drafts describing them have all since expired.

Attack goals. We assume that the adversary's goal is to decrypt TLS packets to learn confidential material, or to steal long-lived secret keys. In the second case the secret keys need not be generated with Dual EC. We consider both small-scale targeted attacks and larger-scale dragnet surveillance attacks across broad swaths of the Internet.

Attack resources. Most of the attacks that we analyze are purely passive, relying solely on interception of TLS traffic sent through the network by the client and by the server. Usually seeing only one direction of TLS traffic is enough, and the attack can be mounted long after the fact using recorded connections. Occasionally an active attack is more powerful: for example, the range of µsecs in Section 4.3 becomes narrower if the attacker uses carefully timed connections to pin down the server's clock.

The attacker is assumed to know the Dual EC back door d with P = dQ. All of the attacks rely on the client or server using Dual EC, but this is not an assumption; rather,

tacker knows the TLS software in use; otherwise the attacker has to try several of the attacks, increasing cost somewhat. See Section 6 for fingerprinting mechanisms.

The computer power required for attacking one Dual EC instance is very small by cryptanalytic standards: our optimized attacks (see Section 5) typically consume between $0.00001 and $1 of electricity, depending on the TLS implementation being attacked. (The exception to typical is OpenSSL; see Sections 4.3 and 5.2.) However, presumably the attacker's actual goal is to repeat the attack many times, especially in the dragnet-surveillance scenario. Our measurements allow straightforward extrapolations of the computer resources required for large-scale attacks.

4 Exploiting Dual EC in implementations

To attack each of the implementations discussed below, the attacker follows three basic steps: (1) recover Dual EC state from the session ID and/or server random fields in the TLS handshake; (2) compute the DHE or ECDHE shared secret, which enables computing the 48-byte master secret from which all session keys are derived; and optionally (3) recover the long-lived DSA or ECDSA signing key used to sign the server's DHE or ECDHE public key.

Step (1) is an application of the basic attack, which combines information exchanged in the handshake protocol messages to determine the correct Dual EC state from candidate states. Step (2) requires generating the DHE or ECDHE secret key by following the exact generation process used by the TLS implementation. Like Step (2), Step (3) duplicates the implementation's process for generating the nonce used in the signature of the public key. From the nonce, the signature, and the public key, it is straightforward to recover the signing key.

It is important to note that when a server uses DSA or ECDSA signatures, a single broken connection by a passive adversary is sufficient to recover the long-lived signing key which is used to authenticate the server's (EC)DHE public key. In contrast to RSA long-lived keys, recovering a server's (EC)DSA signing key does not enable future passive eavesdropping; it does allow impersonation of the server under active attack.

4.1 RSA BSAFE

Description. RSA's BSAFE family of libraries comes in four flavors: Share for Java, Share for C and C++, Micro Edition Suite, and Crypto-J/SSL-J. We examined Share for Java and Share for C and C++. Although the two versions share a somewhat similar API, the implementation details differ, leading to different attacks.

The BSAFE family of libraries contains a number of options which can be configured at runtime. In order to avoid a combinatorial explosion in the number of configurations to test and attack, we focus our attention on the default configurations and the most secure cipher suites that lead to the use of the P-256 curve in Dual EC and, where applicable, ECDHE and ECDSA.² Both BSAFE libraries we examined support both prediction resistance, whereby the generator is reseeded on

pletely from the cached bytes, (n + 29)/30 · 30 bytes are generated in a single call to Dual EC, even if most of the n bytes will be taken from the cached bytes.

Caching output bytes means that when a new TLS session is started, an attacker who has not seen all prior connections has no way of knowing if the first value generated by the server (the session ID) begins with a full output block or if it contains bytes cached from a previous call to Dual EC. However, due to the use of the requested number of bytes rather than the number of remaining bytes after pulling from the cache, the concatenation of
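The extended random extension discussed above matters because it is negotiated through the ordinary ClientHello extension mechanism, so every byte it carries is PRNG output sitting in plaintext on the wire next to the client random and session ID. The following is an added example written for this page, not code from the paper or from any TLS library: it assembles a minimal TLS 1.2 ClientHello from constructed values, parses it back, and tallies how many nonce bytes a passive observer of that one message gets to see. The extension type number ASSUMED_EXTENDED_RANDOM_TYPE is a placeholder chosen from the private-use range, since the expired drafts described above carry no assigned value; the function names and the sample message are likewise this example's own.

```python
import struct

# Placeholder for the extended random extension type. The expired drafts
# discussed on this page never received an IANA-assigned number, so this value
# is an assumption for the example, taken from the TLS private-use range.
ASSUMED_EXTENDED_RANDOM_TYPE = 0xFF42


def build_client_hello(random32: bytes, session_id: bytes, extensions: list) -> bytes:
    """Assemble a minimal TLS 1.2 ClientHello handshake message (constructed input)."""
    cipher_suites = b"\xc0\x2f"  # one suite is enough for a parseable message
    body = b"\x03\x03" + random32
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"  # one compression method: null
    ext_bytes = b"".join(
        struct.pack("!HH", etype, len(data)) + data for etype, data in extensions
    )
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    return b"\x01" + len(body).to_bytes(3, "big") + body


def parse_client_hello(msg: bytes) -> dict:
    """Extract the PRNG-bearing fields of a ClientHello plus its extension list."""
    if not msg or msg[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated handshake body")
    pos = 2  # skip client_version
    random32 = body[pos:pos + 32]
    pos += 32
    sid_len = body[pos]
    pos += 1
    session_id = body[pos:pos + sid_len]
    pos += sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len  # cipher suites are not needed here
    cm_len = body[pos]
    pos += 1 + cm_len  # compression methods are not needed either
    extensions = []
    if pos < len(body):
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            raise ValueError("extensions block overruns body")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if pos + elen > end:
                raise ValueError("extension overruns extensions block")
            extensions.append((etype, body[pos:pos + elen]))
            pos += elen
        if pos != end:
            raise ValueError("trailing bytes in extensions block")
    return {"random": random32, "session_id": session_id, "extensions": extensions}


def prng_bytes_exposed(hello: dict, ext_type: int = ASSUMED_EXTENDED_RANDOM_TYPE) -> dict:
    """Count nonce bytes a passive observer sees in one parsed ClientHello.

    The 32-byte client random (whose first 4 bytes some stacks fill with a
    timestamp rather than PRNG output) and the session ID are always visible;
    an extended random extension adds its whole payload on top.
    """
    ext_random = sum(len(d) for t, d in hello["extensions"] if t == ext_type)
    return {
        "client_random": len(hello["random"]),
        "session_id": len(hello["session_id"]),
        "extended_random": ext_random,
        "total": len(hello["random"]) + len(hello["session_id"]) + ext_random,
    }


if __name__ == "__main__":
    # Constructed sample: deterministic filler bytes stand in for PRNG output.
    sample = build_client_hello(
        bytes(range(32)), bytes(32),
        [(ASSUMED_EXTENDED_RANDOM_TYPE, b"\x00" * 64), (0x000A, b"\x00\x02\x00\x17")],
    )
    print(prng_bytes_exposed(parse_client_hello(sample)))
```

With the 64-byte extension present, one ClientHello already exposes twice the nonce material of a plain one, which is the point the paragraph makes about why these extensions reduce the cost of exploiting the generator.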
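The caching rule in the last fragment above (generate (n + 29)/30 · 30 bytes whenever a request cannot be served entirely from the cache, sized by the requested n rather than by the shortfall) is what leaves an observer unsure whether a session ID starts on a Dual EC output-block boundary. The model below is an added example written for this page, not BSAFE or RSA code: TaggedBlockSource stands in for the Dual EC generator and tags every output byte with its block index and offset, so the alignment of each request can be read off directly; the 30-byte block size is the P-256 figure from the page, and the class and function names are this example's own.

```python
BLOCK = 30  # Dual EC output block size for P-256, per the (n + 29)/30 * 30 rule above


class TaggedBlockSource:
    """Stand-in for Dual EC (model only): each output byte is a (block, offset) tag."""

    def __init__(self):
        self.blocks_generated = 0

    def generate(self, nbytes: int) -> list:
        assert nbytes % BLOCK == 0, "the generator is only ever asked for whole blocks"
        out = []
        for _ in range(nbytes // BLOCK):
            out.extend((self.blocks_generated, i) for i in range(BLOCK))
            self.blocks_generated += 1
        return out


class CachingRng:
    """Models the caching wrapper described above: leftover bytes are kept, and a
    request that the cache cannot satisfy triggers a (n + 29)/30 * 30 byte call
    sized by the request n, not by how many bytes are still missing."""

    def __init__(self, source: TaggedBlockSource):
        self.source = source
        self.cache = []

    def get_bytes(self, n: int):
        generated = 0
        if n > len(self.cache):
            generated = ((n + BLOCK - 1) // BLOCK) * BLOCK
            self.cache.extend(self.source.generate(generated))
        out, self.cache = self.cache[:n], self.cache[n:]
        return out, generated


def trace_requests(sizes: list) -> list:
    """Run a sequence of requests (e.g. successive 32-byte session IDs) and report,
    for each, how many fresh bytes were generated and where its first byte sits
    inside a generator output block."""
    rng = CachingRng(TaggedBlockSource())
    trace = []
    for n in sizes:
        out, generated = rng.get_bytes(n)
        block, offset = out[0]
        trace.append({
            "request": n,
            "generated": generated,
            "starts_in_block": block,
            "offset_in_block": offset,
            "block_aligned": offset == 0,
            "cached_after": len(rng.cache),
        })
    return trace


if __name__ == "__main__":
    # Constructed workload: four 32-byte session-ID requests in a row.
    for step in trace_requests([32, 32, 32, 32]):
        print(step)
```

Only the very first session ID starts at a block boundary; each later one begins deeper inside a block, and the third is served from cache without any generator call at all. An observer who did not see the earlier connections cannot tell which of these cases the session ID in front of them is in, which is exactly the uncertainty the paragraph describes.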