About SSL/TLS the latest vulnerability the“ordination ceremony”preliminary report-vulnerability warning-the black bar safety net

ID MYHACK58:62201560624
Type myhack58
Reporter NSTRT
Modified 2015-04-01T00:00:00


A, vulnerability analysis The event causes 2 0 1 5 year 3 month 2 6 day, foreign data security company Imperva researcher Itsik Mantin at BLACK HAT ASIA 2 0 1 5 published papers the default settings for SSL when using RC4 elaborates the use of the presence of the 1 3 years of RC4 vulnerability-the invariance of the weak key, the Weakness in the Key Scheduling Algorithm of RC4,the FMS published in 2 0 0 1 years for the attack and named as the“ordination ceremony”attack of Bar Mitzvah Attack in. Until 2 0 1 5 year 3 month, there are about 3 0% of the network communication is controlled by the RC4 to be protected. By“ordination ceremony”attack, the attacker may be in a particular environment just by sniffing the visit listen you can restore using RC4 to protect the encrypted information in plain text, leading to account, password, credit card information and other important sensitive information exposed, and may be through an intermediary, Man-in-the-middle for session hijacking. Attack method and pattern An attacker sniffing the visit to listen to a lot of the SSL link, you can determine the first encrypted message contains the SSL finished message, and the HTTP request is predictable information. And then wait for an invariance of the weak key link to come, when you get to a weak key links when you can extract the LBS. When a weak key is used, the plaintext and the key will be XOR, the attacker can see the generated ciphertext mode. The attacker is also conducting DNS poisoning, all the links link to a malicious host, the host man in the middle attacks can be effectively carried out a large number of users sniffing visits to listen to and session hijacking. Vulnerability principles and details According to the default settings SSL when using RC4 in set forth, the vulnerability causes the main that the invariance of the weak keys are RC4 key in an L-shaped pattern, once it exists in the RC4 key, the entire initialization process of holding the state transition integrity. This complete portion comprises a replacement process in the least significant bit, by the RPGA algorithm processing time, determines the pseudo-random output stream of the least significant bit. These deviations of bytes from the stream and the plaintext through the exclusive or, the resulting ciphertext will reveal the important plain text information. ! The state transition from the default settings SSL when using RC4 of This mode occurs in the LSBs, a single LSB, 2 LSBs, etc. different numbers of times, resulting in different types of RC4 weak keys. ! If a q-class q refers to the LSB of the digital key is used, then will occur the following problems: RC4 initialization statement cannot be correctly fitted state, and key information, and to store the K most significant bits of the stored internal status; RC4 initial state has a fixed non-hybrid q LSB; and The first plaintext byte stream 3 0-5 0-Byte q most significant bits comply with a significant probability to determine the mode; The first plaintext byte stream 3 0-5 0-Byte q most significant bits have a significant probability of exposure. SSL in a multi-encryption kit using RC4 for encryption. Holding the bracelet section of the generated RC4 key used to encrypt uplink data and downlink data streams. The uplink Data Stream is used to encrypt client– server data stream, a downlink data stream used to encrypt the server – client data stream. The encryption is stateful, using the first key stream to encrypt the first byte of information after the key stream encrypted under a message want to in CBC mode. Since string encryption destroys most significant bit of certainty, so the invariance of the weak key can only be used in protected first 1 0 0 bytes. SSL handshake end of the message is for each direction upstream and downstream of the first encrypted message, and the end of the message is fixed using a 3 6 bytes, so there is 6 4 bytes left for the attacker to use. ! Second, thesecurity testing Online detection: the server test: https://www.ssllabs.com/ssltest/index.html ! Browser test: https://www.ssllabs.com/ssltest/viewMyClient.html ! Local testing: for server, in thelinux serverinstall openssl) ! $ openssl s_client-connectyinxiang. com:4 4 3-cipher RC4 ! If you can view the certificate information, so is there risk of vulnerability if the display sslv3 alerthandshake failure, showing a modified server does not have this vulnerability. Third, the patch approach Server For NGINX patches Modify the nginx configuration file in the ssl_ciphers items ssl_ciphers"ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA: EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:! aNULL:! eNULL:! EXPORT:! DES:! MD5:! PSK:! RC4"; ssl_prefer_server_ciphers on; Re-loaded: $sudo /etc/init. the d/nginx reload For apache repair Open the configuration file $ sudo vi /etc/httpd/conf. d/ssl. conf To modify the configuration SSLCipherSuite HIGH:MEDIUM:! aNULL:! MD5;! RC4

[1] [2] next