A new, severe vulnerability in various SSL clients has come to light, once again producing an Internet-scale security flaw.
The new flaw, dubbed FREAK, allows an attacker in a man-in-the-middle position to force clients to downgrade to weakened ciphers and break their encrypted communications.
Researchers recently revealed that some SSL clients, including OpenSSL, will accept weak RSA keys, commonly known as export-grade keys, without having requested them. Export-grade refers to 512-bit RSA keys, the key strength the United States Government approved for export overseas, because U.S. policy forbade the export of devices containing “strong encryption” out of the country. That was over 10 years ago, and it was thought that most servers and clients had abandoned such weak ciphers long ago.
“The export-grade RSA ciphers are the remains of a 1980s-vintage effort to weaken cryptography so that intelligence agencies would be able to monitor. This was done badly. So badly, that while the policies were ultimately scrapped, they’re still hurting us today,” cryptographer Matthew Green of Johns Hopkins University said in a blog post explaining the FREAK vulnerability and its ramifications.
“The 512-bit export grade encryption was a compromise between dumb and dumber. In theory it was designed to ensure that the NSA would have the ability to ‘access’ communications, while allegedly providing crypto that was still ‘good enough’ for commercial use. Or if you prefer modern terms, think of it as the original ‘golden master key’.”
The vulnerability affects a wide array of clients, the most popular of which are Apple’s Safari browser and Android’s stock browser. Chrome and Internet Explorer were not vulnerable.
Researchers from Microsoft Research and the French National Institute for Research in Computer Science and Control said they found that, given a server that supports export-grade ciphers and a client that accepts the weak keys, an attacker with a man-in-the-middle position could force the client to downgrade to weak keys. They could then factor the keys, and were able to do so in roughly seven and a half hours with the help of an Amazon EC2 server. Because RSA key generation is resource-intensive, servers will typically generate one export key and reuse it continually, so a key factored once stays useful until the server restarts.
Green outlines how the man-in-the-middle attack could be performed to abuse the FREAK vulnerability:
- In the client’s Hello message, it asks for a standard ‘RSA’ ciphersuite.
- The MITM attacker changes this message to ask for ‘export RSA’.
- The server responds with a 512-bit export RSA key, signed with its long-term key.
- The client accepts this weak key due to the OpenSSL/SecureTransport bug.
- The attacker factors the RSA modulus to recover the corresponding RSA decryption key.
- When the client encrypts the ‘pre-master secret’ to the server, the attacker can now decrypt it to recover the TLS ‘master secret’.
- From here on out, the attacker sees plaintext and can inject anything it wants.
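Step three of the outline above is the point where a downgrade becomes visible on the wire: the ServerHello names the cipher suite the server actually selected. The following is an added defensive example, not code from the article or from Green’s post; it parses a TLS ServerHello record, reports whether the selected suite is one of the export RSA suites (using their IANA values), and runs on constructed record bytes rather than a real capture.

```python
"""Flag TLS ServerHello messages that select an export-grade RSA cipher suite.

Added example (not from the article or the FREAK researchers): a minimal
parser for the TLS record + ServerHello layout, applied to constructed
handshake bytes. The same logic can be run over ServerHello records taken
from a packet capture to spot a downgrade to export RSA.
"""
import struct

# IANA cipher suite values for the RSA export suites involved in FREAK.
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def parse_server_hello(record: bytes) -> int:
    """Return the cipher suite value chosen in a TLS ServerHello record."""
    content_type, rec_len = record[0], struct.unpack(">H", record[3:5])[0]
    if content_type != 0x16 or len(record) < 5 + rec_len:
        raise ValueError("not a complete TLS handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 0x02:  # HandshakeType server_hello
        raise ValueError("not a ServerHello")
    # Skip handshake header (4), protocol version (2) and server random (32).
    pos = 4 + 2 + 32
    sid_len = hs[pos]          # variable-length session_id comes next
    pos += 1 + sid_len
    return struct.unpack(">H", hs[pos:pos + 2])[0]

def export_suite_name(record: bytes):
    """Name of the export RSA suite selected, or None if the suite is not export-grade."""
    return EXPORT_RSA_SUITES.get(parse_server_hello(record))

def build_server_hello(cipher_suite: int) -> bytes:
    """Construct a minimal ServerHello record (test input, not a real capture)."""
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00" + struct.pack(">H", cipher_suite) + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack(">H", len(handshake)) + handshake

# Constructed samples: one downgraded handshake, one normal ECDHE/AES-GCM one (0xC02F).
DOWNGRADED = build_server_hello(0x0003)
NORMAL = build_server_hello(0xC02F)

if __name__ == "__main__":
    for label, rec in (("downgraded", DOWNGRADED), ("normal", NORMAL)):
        print(label, export_suite_name(rec) or "ok: non-export suite")
```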
“What this means is that you can obtain that RSA key once, factor it, and break every session you can get your ‘man in the middle’ mitts on until the server goes down. And that’s the ballgame,” Green wrote in the paper concluding his research.
The number of vulnerable servers is alarming: researchers at the University of Michigan found that about 36.7 percent of browser-trusted sites are in fact vulnerable to the FREAK SSL security flaw. Even so, experts say the attack may not be an immediate danger.
“In practice, I don’t think this is a terribly big issue, but only because you have to have many ‘ducks in a row’: 1) find a vulnerable server that offers export cipher suites; 2) it should reuse a key for a long time; 3) break key; 4) find vulnerable client; 5) attack via MITM (easy to do on a local network or wifi; not so easy otherwise),” Ivan Ristic of Qualys said in a blog post.
As Green pointed out, things on the Internet can often be worse than they initially appear.
“No matter how bad you think the Internet is, it can always surprise you. The surprise in this case is that export-grade RSA is by no means as extinct as we thought it was,” he wrote.
A number of client vendors are rolling out patches for the FREAK SSL security flaw now.