Bernstein has discovered cracks in TLS and SSL when they’re combined with another encryption scheme known as RC4. RC4, invented in 1987, is one of the most popular and most widely recommended mechanisms for protecting traffic on banking, email, and other private sites.
Kenny Paterson, a professor at Royal Holloway, University of London who worked with Bernstein, said it was known that RC4 is weak in all kinds of ways, but until now no one had been able to put it all together to break TLS. RC4, invented by legendary cryptographer Ron Rivest for the security firm RSA, uses a key value to generate a stream of seemingly random numbers that are combined with the bits of a message to scramble them in a way that only someone with access to the same key value can unscramble.
Its weakness is that the stream of random numbers isn’t as random as it looks. If the same message is fed through the encryption scheme again and again, enough non-random “biases” show up in the scrambled data for the cryptographers to exploit. It does take a gigantic number of identical messages, and the attack in its current form takes close to 32 hours to perform, but it is still worthwhile in some cases.
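To make the “stream of seemingly random numbers” and its non-randomness concrete, here is an added example that is not from the article or from Bernstein’s and Paterson’s work. It implements textbook RC4 (key scheduling plus output generation), checks it against the well-known `"Key"`/`"Plaintext"` test vector, and then measures the published second-byte bias (Mantin and Shamir, 2001: keystream byte Z2 is zero about twice as often as it should be). The final function shows why that matters for a message encrypted repeatedly: under many independent keys, the most common value of ciphertext byte 2 is the plaintext byte itself. The 16-byte random keys, the fixed seed, and the function names are constructed for this demonstration.

```python
"""Added example (not from the article): RC4 keystream and its second-byte bias."""
import random
from collections import Counter


def rc4_keystream(key: bytes, nbytes: int) -> bytes:
    """Generate `nbytes` of RC4 keystream for `key` (textbook KSA + PRGA)."""
    # Key-scheduling algorithm: build a 256-entry permutation S driven by the key.
    S = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):
        j = (j + S[i] + key[i % klen]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm: walk and swap S to emit output bytes.
    out = bytearray()
    i = j = 0
    for _ in range(nbytes):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR the message with the keystream; decryption is the same operation."""
    ks = rc4_keystream(key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def _random_key(rng: random.Random, key_len: int = 16) -> bytes:
    # Constructed sample keys: 16 random bytes from a seeded generator so the
    # measurement below is repeatable.
    return bytes(rng.getrandbits(8) for _ in range(key_len))


def second_byte_zero_rate(num_keys: int, seed: int = 1) -> float:
    """Fraction of random keys whose keystream byte Z2 (index 1) is zero.

    A truly random stream would give about 1/256. RC4 gives about 1/128,
    a position-dependent bias that survives no matter how long the key is.
    """
    rng = random.Random(seed)
    zeros = sum(rc4_keystream(_random_key(rng), 2)[1] == 0 for _ in range(num_keys))
    return zeros / num_keys


def recover_second_byte(plaintext: bytes, num_keys: int, seed: int = 1) -> int:
    """Illustrate the leak: encrypt the same message under many independent keys.

    Because Z2 is most often 0, the most frequent value of ciphertext byte 2
    across all those encryptions is the plaintext byte itself. Only the first
    two bytes are encrypted here since only byte 2 is examined.
    """
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(num_keys):
        counts[rc4_encrypt(_random_key(rng), plaintext[:2])[1]] += 1
    return counts.most_common(1)[0][0]


if __name__ == "__main__":
    print("RC4('Key','Plaintext') =", rc4_encrypt(b"Key", b"Plaintext").hex())
    print("P[Z2 == 0] over 20000 keys:", second_byte_zero_rate(20000))
    print("recovered byte 2 of 'hello':", chr(recover_second_byte(b"hello", 30000)))
```

The practical lesson is the one the article draws: a cipher whose keystream has fixed-position biases leaks any value that is encrypted repeatedly at that position, so RC4 cipher suites should be disabled rather than tolerated.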
The creator of Secure Socket Layer (SSL) technology has warned that the system remains as insecure as it was last month when hackers managed to break its security.
A number of SSL certificates were stolen by hackers in September, allowing them to pose as nearly any internet company and helping them break into the Gmail accounts of around 300,000 people, according to the BBC.
Dr Taher Elgamal, the creator of the widely used security protocol, said that little has been done to bump up SSL security since the attacks, which means “it could happen again”.
He said that the problem was less an issue of technology and more to do with people, particularly in terms of how many SSL certificate authorities are out there. “There’s way too many of them,” he said. “Nobody asked the question of what to do if a certificate authority turns out to be bad.”
The system, which was developed by Elgamal when he was working at Netscape and subsequently adopted by the Internet Engineering Task Force (IETF) as Transport Layer Security (TLS), employs agencies to hand out unique digital certificates, which identify that a web site really belongs to a certain company or organization.
This has proven to be one of the strongest methods of defense against hackers until last month, when certificates were stolen from Dutch security firm DigiNotar.
Despite the flaws, Elgamal does not think that a new system is needed, but that updates to SSL should repair the security holes created recently. He said that adding TLS updates in modern web browsers could help defend against another attack.
In crypto parlance the method used by security researchers Juliano Rizzo and Thai Duong is known as a block-wise chosen-plaintext attack and has been known for years.
Post-2006 versions of the TLS protocol, like TLS 1.1 or 1.2, are not vulnerable to it, but this is of little importance because most web browsers and software continue to use TLS 1.0 or the older SSL protocol.
The two researchers plan to demonstrate their practical attack, dubbed BEAST for Browser Exploit Against SSL/TLS, this Friday at the ekoparty security conference in Buenos Aires.
“It is worth noting that the vulnerability that BEAST exploits has been presented since the very first version of SSL. Most people in the crypto and security community have concluded that it is non-exploitable, that’s why it has been largely ignored for many years,” Duong explained, according to Threatpost.
BEAST requires attackers to gain a man-in-the-middle position. Most of the time this means that they need to be on the same network as their targets so they can intercept browser requests.
BEAST has two components. One contains code that must be loaded into the victim’s web browser and the second one captures and decrypts HTTPS session cookies. The researchers claim that they can decrypt any secure session cookie in five minutes on average.
“While other attacks focus on the authenticity property of SSL, BEAST attacks the confidentiality of the protocol. As far as we know, BEAST implements the first attack that actually decrypts HTTPS requests,” Duong said.
He added that fixing the problem requires an overhaul of the entire protocol and noted that their work with browser and SSL vendors since May failed to produce a fix that is fully compatible with all existing applications.
Regardless of the workaround, some developers will need to change their web sites and applications, as switching everyone to a more secure version of the protocol can’t happen overnight.
Last year, Juliano Rizzo and Thai Duong devised a padding oracle attack against ASP.NET applications that earned them a Pwnie award for the best server-side exploit.
“We’re looking at some very serious issues [about trust on the Web] and it doesn’t help matters when Apple is dragging its feet,” said Paul Henry, a security and forensics analyst with Arizona-based Lumension.
Unlike Microsoft, which updated Windows Tuesday to block all SSL (secure socket layer) certificates issued by DigiNotar, Apple has not updated Mac OS X to do the same.
DigiNotar, one of hundreds of firms authorized to issue digital certificates that authenticate a website’s identity, admitted on Aug. 30 that its servers were compromised weeks earlier. A report made public Monday said that hackers had acquired 531 certificates, including many used by the Dutch government, and that DigiNotar was unaware of the intrusion for weeks.
Because almost all the people who were routed to a site secured with one of the stolen certificates were from Iran, many experts suspect that the DigiNotar hack was sponsored or encouraged by the Iranian government, which could use them to spy on its citizens.
Microsoft isn’t the only software maker to block all DigiNotar certificates: Google, Mozilla and Opera have also issued new versions of their browsers — Chrome, Firefox and Opera — to completely, or in Opera’s case, partially prevent users from reaching websites secured with a DigiNotar certificate.
Users of Safari on Mac OS X, however, remain at risk to possible “man-in-the-middle” attacks based on the fraudulently obtained certificates.
Because Safari relies on the underlying operating system to tell it which certificates have been revoked or banned entirely, Apple must update Mac OS X. The Windows edition of Safari, which has a negligible share of the browser market, taps Windows’ certificate list: That version is safe to use once Microsoft’s Tuesday patch is applied.
Henry admitted he wasn’t surprised by the fact that Apple was the odd man out.
“No, I’m not, not after it took them a month to respond to the Comodo issue,” Henry said, referring to a smaller-scale hack of another certificate authority last March.
The proposed class action, filed in a Seattle federal court on Wednesday, states Microsoft intentionally designed camera software on the Windows Phone 7 operating system to ignore customer requests that they not be tracked.
A Microsoft representative could not immediately be reached for comment.
The lawsuit comes after concerns surfaced earlier this year that Apple’s iPhones collected location data and stored it for up to a year, even when location software was supposedly turned off. Apple issued a patch to fix the problem.
However, the revelation prompted renewed scrutiny of the nexus between location and privacy. At a hearing in May, U.S. lawmakers accused the tech industry of exploiting location data for marketing purposes — a potentially multibillion-dollar industry — without getting proper consent from millions of Americans.
The lawsuit against Microsoft cites a letter the company sent to Congress, in which Microsoft said it only collects geolocation data with the express consent of the user.
“Microsoft’s representations to Congress were false,” the lawsuit says.
The litigation, brought on behalf of a Windows Phone 7 user, claims Microsoft transmits data — including approximate latitude and longitude coordinates of the user’s device — while the camera application is activated. It seeks an injunction and punitive damages, among other remedies.