I am not a cryptanalyst, so here it is, for what it's worth.

When an sslv2 connection is set up, a session key must be negotiated. This
negotiation is not encrypted (because there is no key yet). During this
negotiation the client sends a "client hello" packet, which contains a list
of the cipher suites the client knows. A man in the middle can intercept
and modify this list and remove strong cipher suites. The server can now
only pick a weak cipher and thus the encryption is much weaker than one would
expect. Servers often allow keys of 40 bits and sometimes even NULL ciphers.
In 2004 a typical home computer could break 40-bit keys in a little under two
weeks (http://en.wikipedia.org/wiki/40-bit_encryption). A typical 2010 home
computer must be able to break it within a day.

The man in the middle can record the traffic and then break the weak
encryption later. This will still take quite some time, but it's feasible.
He can view the confidential data within a day.

sslv3 is not vulnerable to such a cipher degradation attack, because the
"client hello" packet has an integrity control.

Because sslv2 lacks the integrity control and a cipher degradation attack is
possible, it can be weak, but is not necessarily weak. If a server supports
sslv2 with strong ciphers only (128 bits or more), I think the risk is low,
because a cipher degradation cannot result in really weak ciphers (however,
this is a risk decision and not a fact).

I don't know about existing tools to perform the cipher degradation attack,
but they might exist. And after that you still need to decipher the
encrypted packets, which requires other software.

So for a successful attack one must be able to do all of the below:
- do a man in the middle attack and sniff traffic
- intercept the client hello and execute a cipher degradation attack
- cipher suite negotiation must result in a weak cipher suite
- record all traffic
- decrypt it later

But again, I am not a cryptanalyst so perhaps this explanation is not
accurate.

Apart from the attack there is a solution which is fast and easy to
implement in Microsoft IIS as well as in Apache. It will take you a lot more
time to do a risk analysis to decide to skip this fix than it takes to
actually do it.

Cor

> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [email concealed]
> [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Robin Wood
> Sent: zondag 4 juli 2010 13:53
> To: rapper crazy
> Cc: pen-test list
> Subject: Re: demoing sslv2 vulns
>
> On 4 July 2010 12:47, rapper crazy <rappercrazzy (at) gmail (dot) com [email concealed]> wrote:
> > Hello Robin,
> >
> > The exploitation of these vulnerabilities requires industrial / govt level
> > infra support. The only way to attack these vulnerabilities is with a
> > cryptanalytic attack.
> > Breaking these might not be possible for a lone attacker but considering
> > corporate espionage, dumping the network (ssl-encrypted) traffic, these
> > dumps can later be brute forced to recover the session key and then the
> > whole communication.
> >
> > Thanks
> > JT
> >
>
> So basically I tell them that for most situations they currently
> aren't really a threat but as cryptanalysis only gets better, never
> worse it is only a matter of time before they become a problem so it
> is better to get protected now before it is a problem rather than rush
> to upgrade once it does become a problem.
>
> Sound about right?
>
> Robin
>
> -----------------------------------------------------------------------
> -
> This list is sponsored by: Information Assurance Certification Review
> Board
>
> Prove to peers and potential employers without a doubt that you can
> actually do a proper penetration test. IACRB CPT and CEPT certs require
> a full practical examination in order to become certified.
>
> http://www.iacertification.org
> -----------------------------------------------------------------------
> -
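
An added example, not part of the original e-mail thread: a small audit helper that parses the cipher list from an SSLv2 "client hello" and computes the weakest cipher kind both ends accept, which is the floor that an unauthenticated, altered list can reach. It compares a server that accepts every SSLv2 kind with one restricted to 128 bits or more, as discussed in the reply above. The cipher kind codes are the ones defined by the SSLv2 specification; the sample hello is constructed, and the function and policy names are assumptions made for this example.

```python
import struct

# SSLv2 cipher kinds (3-byte codes from the SSLv2 spec) -> (name, nominal key bits)
SSL2_CIPHERS = {
    0x010080: ("RC4_128_WITH_MD5", 128),
    0x020080: ("RC4_128_EXPORT40_WITH_MD5", 40),
    0x030080: ("RC2_128_CBC_WITH_MD5", 128),
    0x040080: ("RC2_128_CBC_EXPORT40_WITH_MD5", 40),
    0x050080: ("IDEA_128_CBC_WITH_MD5", 128),
    0x060040: ("DES_64_CBC_WITH_MD5", 56),
    0x0700C0: ("DES_192_EDE3_CBC_WITH_MD5", 168),
}
ALL_KINDS = set(SSL2_CIPHERS)  # hypothetical permissive server policy
STRONG_ONLY = {c for c, (_, bits) in SSL2_CIPHERS.items() if bits >= 128}

# Constructed sample: CLIENT-HELLO offering RC4-128, 3DES and two EXPORT40 kinds.
SAMPLE_HELLO = bytes.fromhex("8025010002000c00000010"
                             "0100800700c0020080040080") + b"\x11" * 16

def parse_client_hello(record):
    """Return the cipher kinds listed in an SSLv2 CLIENT-HELLO record."""
    if len(record) < 11 or not record[0] & 0x80:
        raise ValueError("not a 2-byte-header SSLv2 record")
    length = struct.unpack_from(">H", record)[0] & 0x7FFF
    body = record[2:]
    msg_type, _ver, spec_len, sid_len, chal_len = struct.unpack_from(">BHHHH", body)
    if (msg_type != 1 or spec_len % 3 or len(body) != length
            or 9 + spec_len + sid_len + chal_len != length):
        raise ValueError("malformed CLIENT-HELLO")
    specs = body[9:9 + spec_len]
    return [int.from_bytes(specs[i:i + 3], "big") for i in range(0, spec_len, 3)]

def worst_case(client_offers, server_accepts):
    """Weakest kind both ends accept, i.e. the floor an altered list can reach."""
    common = [c for c in client_offers if c in server_accepts]
    if not common:
        return None  # no shared kind: the handshake fails, nothing degrades
    return min((SSL2_CIPHERS.get(c, ("UNKNOWN", 0)) for c in common),
               key=lambda kind: kind[1])

if __name__ == "__main__":
    offers = parse_client_hello(SAMPLE_HELLO)
    for label, policy in (("all kinds", ALL_KINDS), ("strong only", STRONG_ONLY)):
        print(label, "->", worst_case(offers, policy))
```

With the permissive policy the floor is a 40-bit export kind; with the strong-only policy it is 128 bits, and a client left with only export kinds gets a failed handshake instead of a weak session.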