'Severe' OpenSSL vuln busts public key crypto Computer scientists say they've discovered a "severe vulnerability" in the world's most widely used software encryption package that allows them to retrieve a machine's secret cryptographic key. The bug in the OpenSSL cryptographic library is significant because the open-source package is used to protect sensitive data in …
It is a software problem. The implementation of the algorithm leaks information about it's internal state if you inject a bit error, or stop the processing at a particular point.
It's a well known attack, it was done 10years ago against IBM crypto chips using radiation induced errors.
There are a bunch of well known security programming tricks to stop this, and the similar power load analysis attacks.
After reading this, I tried to induce my Sky box to divulge it's porn channels for free by modulating the power supply with my Arc welder. It seems Sky, in their wisdom, anticipated this attack and have built in a protection mechanism where the box shuts down permanently after emitting a modest amount of smoke.
It would probably be better if the Reg resisted publishing these types of stories until the 1st April.
SSL is no longer fit for purpose and needs to be replaced. Modern application aware firewalls perform an SSL Decrypt (a man-in-middle attack) in order to identify the traffic and then can block the connection. Unless you check the SSL certificate, or the CA signed SSL certificate on the firewall expires (causing your browser to issue a warning) you are not going to notice.
Check your site's SSL certificate just in case.
You are sadly misinformed, I witnessed a PA-500 (Palo Alto) firewall do this in virtual wire mode. This firewall is two generations ahead of Checkpoint and probably one generation ahead of Fortinet.
It is very success at SSL decrypt and in fact can identify banking sites and not decrypt the traffic (as part of the security policy).
ROTFLMAO
I love it... a dire warning to those who seek to lock content (HD Video and Audio) to prevent it from being copied... not a warning to the world at large...(those of us doing our banking and buying things on eBay).
"Although the attack technique is difficult to carry out, it could eventually be applied to a wide variety of devices, particularly media players and smartphones with anti-copying mechanisms."
Difficult to carry out? Could eventually be applied? Thanks but no-thanks for the heads up on how to crack blue-ray.
How precisely to you have to produce 'transient' events in a power supply to finally squeeze out a few crumbs ? Can this be done consistently for 100 hours without destroying the device?
And then you still need to use an HPC cluster to tease the encryption key together?
Seriously?
I would think that this would just encourage hardware vendors to ship devices with more robust power supplies, that shouldn't be too difficult .. problem solved.
I thought the strength of FOSS was the "many eyes" looking at these issues, therefore when one of those "many eyes" finds something, what does the FOSS community do ?
They complain and argue against it, and attack the messenger. I thought the "model" of FOSS was supposed to promote and support testing and experimenting with the code?
Assume you have a large group of people working on breaking into a system, mabey something like the chinese government. With huge resources, people "on the inside" and massive support and technical resources.
Now also consider, the further development of this type of exploit, (bug).
You know programmically control you're CPU and RAM voltages, you can also remotely control the CPU load, and progababy even the internal cooling system including CPU fan.
So it's quite possible for future development and work on this bug would make it exploit REMOTELY exploitable.
Also with "inside" workers, (say a chinese IT worker working in google chine, on a night watch).
Would be able to access the machine, and with the availability of super computers get the key's he wants. Mabey without detection.
a Cluster of 81 P4's, what would a couple of fully configured quit CPU, quad Core i7's and 4 TESLA cards do it in. Probably not that long. with a desktop supercomputer or two.
So this exploit/bug is critical, and it's not that big a step to refine it as a remote exploit, it might be as easy as watching the CPU load, and taking advantage of the expected known CPU temp.
Or varying the CPU and RAM voltages (as overclockers do all the time), making it a remote exploit. (not to mention the 'insider job' possibility).
It's is a fault (bug) in OpenSSL, there should be NO WAY for fragments of the Key to be released in clear text due to hardware operational issues.
It's about time FOSS start to take security more seriously, and cease beign so cavalear with the assumption that 'all it just dandy in FOSS'. It's not........
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
