[openssl-users] openssl impact on CVE-2015-2808

2015-04-06 Thread Sandeep Umesh

Hello Users,

I just want to understand the impact on OpenSSL of the RC4 Bar Mitzvah attack.

Please correct me if my understanding is wrong: basically this attack is
triggered based on the design of RC4.
OpenSSL is one of the implementers of the RC4 algo.
I am not sure if there will be any design change or whether OpenSSL will try to
disable RC4 support...
But is disabling RC4 algo usage in the applications which are using
OpenSSL a better approach? Thanks

Regards
Sandeep
___
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] openssl impact on CVE-2015-2808

2015-04-06 Thread Michael Wojcik
Bar Mitzvah is an improvement on existing attacks against RC4. It's a credible 
exposure under some threat models. Primarily it's an issue for sites with a lot 
of RC4 conversations, since it depends on the use of weak keys, which are a 
large subset of all RC4 keys. When a conversation (randomly) chooses a weak 
key, some information is leaked to the attacker, who can then try to 
brute-force parts of the conversation. Typically that will be something like a 
session ID - generally only useful for the lifetime of the session - or a 
commonly-used user password. (The Bar Mitzvah paper describes how it can be 
used to improve brute-force attacks on user passwords that are passed in 
RC4-encrypted data.)

So: If your systems participate in a lot of RC4 conversations, and your threat 
model includes passive attackers gaining sufficient information to make 
brute-forcing small pieces of data feasible, then Bar Mitzvah is a problem.

We can't tell you whether it's something you need to be concerned about. That 
depends on YOUR threat model. If you don't know what your threat model is, then 
you can't make informed security decisions.

The attack applies to all implementations of RC4, and its use by any SSL/TLS 
implementation. OpenSSL can't fix the problem. A future release of OpenSSL may 
remove RC4 suites from the default list (indeed, it's probably all but 
inevitable), so applications won't use it unless they enable it. For now, it's 
enabled by default.

Michael Wojcik
Technology Specialist, Micro Focus



Re: [openssl-users] openssl impact on CVE-2015-2808

2015-04-06 Thread Jeffrey Walton
> Please correct me if my understanding is wrong, basically this attack is
> triggered based on the design of RC4.
> openssl is one of the implementers of RC4 algo.

There are biases in the stream created by RC4. In theory, an
adversary could use the biases as a launchpad to recover plaintext
(but I seem to recall it needs a lot of ciphertext). RC4 has been
wounded again, but it has not been broken.

> I am not sure if there will be any design change or openssl will try to
> disable RC4 support...

Probably not. Just add !RC4 to your cipher suite list to remove it if
you don't want it. For example, HIGH:!ADH:!RC4:!MD5.

> But, Is disabling RC4 algo usage in the applications which are using openssl
> a better approach? Thanks

In TLS 1.2, you have the AES/GCM cipher suites. You also have the
upcoming ChaCha20/Poly1305 cipher suites. (ChaCha20/Poly1305 is
predicated on the TLS Working Group choosing to adopt them, see
https://www.ietf.org/mail-archive/web/tls/current/msg15722.html).

In TLS 1.1 and below, you only have block ciphers if you remove RC4.
You'll have to make do with AES/CBC (or another block cipher).

Jeff