An international team of researchers has uncovered an attack that can compromise encrypted network traffic in a matter of hours.
The Drown (Decrypting RSA with Obsolete and Weakened Encryption) attack successfully decrypts TLS (transport layer security) sessions by exploiting a vulnerability in the older SSL v2 protocol that exposes private RSA keys. Once again, old cryptography is breaking the security of all online communications.
Drown is different from other attacks against TLS in that it doesn't need servers to be using the older version; the attack will succeed as long as the targeted system supports SSL v2. The cross-protocol attack (CVE-2016-0800) could lead to decryption of any encrypted session using SSL/TLS protocols as long as the server supports SSL v2 and uses RSA key exchange, the researchers said in their technical paper.
By making repeated SSL v2 connection requests, researchers uncovered bits of information about the server's private RSA key. After enough requests, researchers were able to obtain the private key to decode the TLS sessions. The attack scope widens if the organization reuses that private RSA key across servers, even if different certificates are used.
SSL v2, released in 1995 and retired less than a year later due to crippling weaknesses, is old enough that it is unlikely anyone is still using this version. Browsers and email clients don't support SSL v2, but many servers and networking devices do. If a computer specifically requested to establish an SSL v2 session, those servers would switch to the vulnerable protocol instead of using the default, and more secure, TLS.
"For many years, the argument for not disabling SSL v2 was that there was no harm because no browsers used it anyway," said Ivan Ristic, director of engineering at Qualys.
Drown illustrates the folly of that thinking, since obsolete cryptography can be dangerous even if it isn't actively being used. All administrators need to immediately disable SSL v2 on all their servers.
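The only reliable way to know whether a server still answers SSL v2 is to ask it the way the attack does and look at the reply. The following is an added example for auditing your own hosts, not code from the Drown researchers or from OpenSSL: it builds a minimal SSLv2 ClientHello, parses the SSLv2 ServerHello a vulnerable server returns (the message types, record framing and cipher spec codes are those of the SSL 2.0 specification), and reports which SSLv2 ciphers the server offered. The sample ServerHello and TLS alert bytes are constructed for the example, not captured from a real server, and server_accepts_sslv2 is a live check you would point at a host you administer.

```python
import socket
from typing import List, Optional

# SSLv2 handshake message types and protocol version (SSL 2.0 specification).
SSL2_MT_CLIENT_HELLO = 0x01
SSL2_MT_SERVER_HELLO = 0x04
SSL2_VERSION = b"\x00\x02"

# The seven 3-byte cipher specs SSLv2 defines. Offering all of them lets the
# server pick anything it supports, which is exactly what an audit wants to see.
SSL2_CIPHER_SPECS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def build_sslv2_client_hello(challenge: bytes = bytes(16)) -> bytes:
    """Build one SSLv2 ClientHello record offering every SSLv2 cipher spec."""
    specs = b"".join(SSL2_CIPHER_SPECS)
    body = (
        bytes([SSL2_MT_CLIENT_HELLO])
        + SSL2_VERSION
        + len(specs).to_bytes(2, "big")      # cipher specs length
        + (0).to_bytes(2, "big")             # session id length (none)
        + len(challenge).to_bytes(2, "big")  # challenge length
        + specs
        + challenge
    )
    # Two-byte SSLv2 record header: high bit set, then a 15-bit body length.
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


def parse_sslv2_record(data: bytes) -> Optional[bytes]:
    """Return the body of an SSLv2 record, or None if data is not one."""
    # TLS records begin with a content type 0x14-0x17, so the high bit is
    # clear; an SSLv2 record header always has it set.
    if len(data) < 3 or not data[0] & 0x80:
        return None
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2 : 2 + length]
    return body if len(body) == length else None


def parse_sslv2_server_hello(data: bytes) -> Optional[List[str]]:
    """Parse an SSLv2 ServerHello and return the cipher spec names the server
    offered, or None if the bytes are not a well-formed SSLv2 ServerHello."""
    body = parse_sslv2_record(data)
    if body is None or len(body) < 11 or body[0] != SSL2_MT_SERVER_HELLO:
        return None
    if body[3:5] != SSL2_VERSION:
        return None
    # Layout: type(1) session_id_hit(1) cert_type(1) version(2)
    #         cert_len(2) cipher_specs_len(2) conn_id_len(2) cert specs conn_id
    cert_len = int.from_bytes(body[5:7], "big")
    specs_len = int.from_bytes(body[7:9], "big")
    conn_id_len = int.from_bytes(body[9:11], "big")
    if specs_len % 3 or len(body) < 11 + cert_len + specs_len + conn_id_len:
        return None
    specs = body[11 + cert_len : 11 + cert_len + specs_len]
    return [SSL2_CIPHER_SPECS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, specs_len, 3)]


def server_accepts_sslv2(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """Live check against a host you administer: does it answer an SSLv2
    ClientHello with an SSLv2 ServerHello? Any such answer means SSL v2 is on."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            return False
    return bool(parse_sslv2_server_hello(reply))


# Constructed sample (not captured from a real server): a ServerHello carrying a
# 3-byte placeholder "certificate", two cipher specs and a 16-byte connection id.
SAMPLE_SSLV2_SERVER_HELLO = (
    b"\x80\x24"                       # record header: body length 36
    + b"\x04\x00\x01"                 # ServerHello, no session id hit, X.509 cert
    + b"\x00\x02"                     # version SSLv2
    + b"\x00\x03\x00\x06\x00\x10"     # cert len 3, cipher specs len 6, conn id len 16
    + b"CRT"
    + b"\x01\x00\x80\x07\x00\xc0"     # RC4-128-MD5 and 3DES-MD5
    + b"\xaa" * 16
)
# Constructed negative case: a TLS 1.2 fatal handshake_failure alert, which is
# what a server that has SSL v2 disabled typically sends back instead.
SAMPLE_TLS_ALERT = b"\x15\x03\x03\x00\x02\x02\x28"

if __name__ == "__main__":
    print("SSLv2 ciphers offered:", parse_sslv2_server_hello(SAMPLE_SSLV2_SERVER_HELLO))
    print("TLS alert parsed as SSLv2:", parse_sslv2_server_hello(SAMPLE_TLS_ALERT))
```

Run it against every listening TLS port, not only port 443: the attack scope in the article widens with every service that shares the RSA key, so mail, LDAP and management interfaces on the same certificate need the same check.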
The attack is made worse by two additional implementation vulnerabilities in OpenSSL, prompting the project team to release versions 1.0.2g and 1.0.1s to address the issues.
The issue with OpenSSL
OpenSSL versions 1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze, and earlier have a vulnerability that makes it easier to run a cheaper and more efficient version of Drown (CVE-2016-0703 and CVE-2016-0704). In the general attack scenario, the attacker targeting a vulnerable server would need to observe 1,000 TLS handshakes, initiate 40,000 SSLv2 connections, and perform 2^50 offline work to decrypt a 2048-bit RSA TLS ciphertext. On systems running vulnerable versions of OpenSSL, the attacker can obtain a key for one out of 260 TLS connections after running about 17,000 probe connections. The computation takes less than a minute on a fast PC.
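The version list above is awkward to apply by hand because pre-1.1 OpenSSL releases are ordered by a letter suffix that runs a to z and then za, zb and so on. The following is an added example, not code from OpenSSL or the researchers, that parses such version strings into a comparable form and triages a version against exactly the thresholds this article gives: the last release on each branch still exposed to the cheap "special Drown" variant (1.0.2, 1.0.1l, 1.0.0q, 0.9.8ze) and the releases named as addressing the issues (1.0.2g, 1.0.1s). Branches the article does not mention are reported as unknown rather than guessed.

```python
import re
from typing import Optional, Tuple

# Pre-1.1 OpenSSL versions look like "1.0.1l" or "0.9.8ze": three numbers and
# an optional lowercase letter suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)$")

Version = Tuple[int, int, int, int]


def parse_openssl_version(version: str) -> Version:
    """Turn '0.9.8ze' into a tuple that sorts in release order."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix, letters = m.groups()
    # Rank the suffix so that "" < "a" < ... < "z" < "za" < "zb" < ...:
    # every 'z' adds 26 and the final letter adds its alphabet position.
    rank = 0
    for ch in letters:
        rank += 26 if ch == "z" else ord(ch) - ord("a") + 1
    return (int(major), int(minor), int(fix), rank)


# Latest release on each branch that the article lists as vulnerable to the
# cheaper special Drown variant (CVE-2016-0703 / CVE-2016-0704).
SPECIAL_DROWN_LAST_VULNERABLE = {
    (1, 0, 2): parse_openssl_version("1.0.2"),
    (1, 0, 1): parse_openssl_version("1.0.1l"),
    (1, 0, 0): parse_openssl_version("1.0.0q"),
    (0, 9, 8): parse_openssl_version("0.9.8ze"),
}

# Releases the article names as addressing the Drown issues.
DROWN_FIX_RELEASES = {
    (1, 0, 2): parse_openssl_version("1.0.2g"),
    (1, 0, 1): parse_openssl_version("1.0.1s"),
}


def special_drown_status(version: str) -> Optional[bool]:
    """True if the version is at or below the article's special Drown
    threshold for its branch, False if above it, None if the branch is not
    one the article covers."""
    v = parse_openssl_version(version)
    branch = v[:3]
    if branch in SPECIAL_DROWN_LAST_VULNERABLE:
        return v <= SPECIAL_DROWN_LAST_VULNERABLE[branch]
    if branch < (0, 9, 8):
        return True  # "and earlier" in the article
    return None


def has_drown_fix(version: str) -> Optional[bool]:
    """True if the version is at or above a fix release the article names,
    False if on a fixed branch but older, None if no fix release is listed."""
    v = parse_openssl_version(version)
    branch = v[:3]
    if branch in DROWN_FIX_RELEASES:
        return v >= DROWN_FIX_RELEASES[branch]
    return None


def triage(version: str) -> str:
    """Classify an installed OpenSSL version using only the article's data."""
    if has_drown_fix(version):
        return "patched"         # still confirm SSL v2 is disabled in the config
    special = special_drown_status(version)
    if special is True:
        return "special-drown"   # cheap variant: under a minute of CPU per key
    if special is False:
        return "general-drown"   # 2^50 work, but still exposed while SSL v2 is on
    return "unknown-branch"      # branch not covered by the article's list


if __name__ == "__main__":
    for v in ["1.0.1l", "1.0.2", "1.0.2f", "1.0.2g", "0.9.8zf", "1.1.0"]:
        print(f"{v:8} -> {triage(v)}")
```

Feed it the output of `openssl version` from each host; a "patched" result only means the library default changed, so the SSL v2 check against the running service is still needed.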