HTTPS-protected sites leak private key data due to critical flaw
Wed 9 Sep 2015

HTTPS sites are at risk of disclosing private key details due to a critical flaw in network equipment, a Red Hat security specialist has discovered.
The expert, Florian Weimer, reported last week [PDF] that hardware from numerous vendors fails to implement the cryptographic standards correctly. The resulting vulnerability exposes private key information, allowing attackers to impersonate HTTPS-protected websites that are served from the defective hardware.
Weimer’s nine-month study surveyed billions of HTTPS sessions from a range of global IP addresses, and was able to successfully access leaked data for 272 keys. As the survey only scanned a small percentage of transport layer security (TLS) protocol exchanges, many other keys and manufacturers are expected to be affected.
Vulnerable devices included products from Citrix, Hillstone Networks, ZyXEL, Alteon/Nortel, QNO Technology, Fortinet, Viprinet and BEJY.
The bug is caused by insecure use of the RSA public key cryptosystem, which HTTPS sites and applications use to authenticate key exchanges with their users. A memo published by researcher Arjen Lenstra in 1996 warned that an optimisation based on the ‘Chinese Remainder Theorem’ (CRT) leaks the private key whenever a computation fault occurs while an RSA signature is being produced. HTTPS servers using forward secrecy (FS) cipher suites sign every key exchange with their RSA key, so a faulty signature is sent over the network, where an observer can use it in a side-channel attack to recover the site’s private key.
Anyone monitoring the connection between a visitor and the website who witnesses such a fault is therefore able to impersonate the website. Following the publication of Lenstra’s paper, most implementers heeded the warning and added countermeasures, but some HTTPS software, including libgcrypt, PolarSSL and GnuTLS, still lacks the necessary protections.
‘This report shows that it is still possible to use Lenstra’s attack to recover RSA private keys, almost two decades after the attack has been described first, and that fault-based side-channel attacks can be relevant even in scenarios where the attacker does not have physical access to the device,’ wrote Weimer in last week’s paper. ‘The net effect is that a passive observer with visibility into global internet traffic is likely able to recover quite a few RSA keys in a completely non-attributable fashion,’ he added.
Weimer concluded that implementing verified RSA-CRT signing operations, such as those already deployed by NSS and OpenSSL, is a reasonable short-term hardening option. In the longer term, he suggested, TLS should switch to a non-deterministic signature scheme.
‘However, none of these measures will help those operators who have been using unchecked RSA-CRT implementations for years, and are now wondering if their RSA private keys have already leaked.’
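The following added example (not from Weimer’s paper or any of the affected products) illustrates both the CRT fault described above and the verified-signing countermeasure: a toy RSA-CRT signer with a constructed fault in one half of the computation, a hardened wrapper that verifies the signature with the public exponent before releasing it, and an operator’s self-check that tells whether a given (message, signature) pair leaks a factor of the modulus. The primes, exponent and message are constructed for readability and are far too small for real use.

```python
import math

# Constructed toy RSA key (not a real key): small primes keep the arithmetic readable.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)      # CRT private exponents
QINV = pow(Q, -1, P)                   # CRT coefficient q^-1 mod p

def rsa_crt_sign(m, fault_in_p=False):
    """Unchecked RSA-CRT signature of integer m < N.
    fault_in_p simulates a hardware glitch corrupting the mod-p half, the
    failure mode Lenstra's memo and Weimer's survey describe."""
    sp = pow(m, DP, P)
    if fault_in_p:
        sp = (sp + 1) % P              # constructed fault: one wrong intermediate
    sq = pow(m, DQ, Q)
    h = (QINV * (sp - sq)) % P         # Garner recombination
    return sq + h * Q

def verified_sign(m, signer):
    """Hardened signing (the NSS/OpenSSL-style check): verify with the public
    exponent and refuse to emit anything that does not verify."""
    s = signer(m)
    if pow(s, E, N) != m:
        return None                    # faulty signature never leaves the device
    return s

def leaked_factor(m, s):
    """Operator self-check on a captured (m, s) pair: a signature that is
    correct mod one prime but wrong mod the other shares exactly that prime
    with s^e - m, so the gcd exposes it. Returns the leaked prime or None."""
    g = math.gcd((pow(s, E, N) - m) % N, N)
    return g if 1 < g < N else None

if __name__ == "__main__":
    msg = 123456789                    # constructed message representative
    good = rsa_crt_sign(msg)
    bad = rsa_crt_sign(msg, fault_in_p=True)
    print("correct signature leaks factor:", leaked_factor(msg, good))   # None
    print("faulty signature leaks factor: ", leaked_factor(msg, bad))    # Q
    print("verified signer output on fault:",
          verified_sign(msg, lambda x: rsa_crt_sign(x, fault_in_p=True)))  # None
```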