DROWN Flaw Illustrates Dangers of Intentionally Weak Crypto

The massive DROWN vulnerability resurrects fears over lingering export-grade cryptography

Calls for encryption backdoors that date back to the 1990s are coming back to haunt the industry 20 years later with DROWN, security experts say. The flaw researchers found with DROWN centers on the fact that, during the so-called Crypto Wars of the 1990s, President Bill Clinton’s administration insisted that the US government have a way to break encryption that was exported outside of the United States.

The debate over cryptography then was just as raw as it is today in the battle between Apple and the FBI. Strong encryption protects communications from prying eyes, say privacy advocates, and backdoors or deliberately weakened encryption run the risk of being exploited by bad guys, security experts say. On the other hand, the government argues, leaving it without the ability to circumvent encryption to track down criminals makes us less secure.

Fast forward to Tuesday’s revelation of the DROWN vulnerability, which leaves 11 million HTTPS websites at risk of attacks that decrypt TLS and SSL traffic. DROWN does not break TLS itself: a server that still accepts SSLv2 handshakes with the same RSA key it uses for TLS can be used as a decryption oracle against a previously captured TLS session. What makes that oracle practical is a feature of SSLv2 tied to export-grade cryptography, whose 40-bit session keys an attacker can brute-force to learn how the server handled each chosen ciphertext.

“When they created SSLv2 they created a special version. They intentionally weakened it,” said Ivan Ristic, director of engineering at Qualys, and an SSL expert. That version, Ristic said, was intentionally weak so the US government could break the encryption, if need be.

That has security experts, concerned over the FBI’s demand for a backdoor to Apple’s iPhone encryption, arguing that encryption that can be cracked always has bad unintended consequences.

“When you weaken security, it comes to bite you,” Ristic said. “Apple doesn’t want to make the same mistake.”

Matt Green, a cryptographer and professor at Johns Hopkins University, believes the attacks on SSLv2 offer a priceless lesson in encryption. In a reaction to the DROWN vulnerability Green wrote in a blog post:

“The most truly awful bits stem from the fact that the SSLv2 designers were forced to ruin their own protocol. This was the result of needing to satisfy the U.S. government’s misguided attempt to control the export of cryptography. Rather than using only secure encryption, the designers were forced to build in a series of ‘export-grade ciphersuites’ that offered abysmal 40-bit session keys and other nonsense.”

The Logjam and FREAK vulnerabilities also rely on export-grade ciphersuites, Green points out.

Chris Eng, VP of research at Veracode, points out that DROWN is the most recent, but far from the only, example of intentionally crippled encryption (or backdoors) coming back to haunt security professionals.

“In the security industry there are a number of examples,” Eng said. “That’s happened over and over again. The most recent is the Juniper backdoor and Dual EC DRBG. These (backdoors) were meant to be secrets that maybe only the maintenance staff or only a few knew about. But once that secret gets out then the good guys know it and the bad guys know it. It then takes a lot of effort to go back and patch the long tail of deployed products.”

In December, Juniper Networks released a patch that removed what many called a backdoor: a change in ScreenOS that allowed passive decryption of VPN traffic moving through Juniper’s appliances. Dual EC DRBG, a random number generator that NIST standardized and later withdrew from its recommendations, was another: anyone who knew the secret relationship between its published constants could predict its output. The two are connected, since the Juniper backdoor was an altered Dual EC constant.

In the case of DROWN, the vulnerability depended on weak encryption tied to export-grade ciphersuites, said Sebastian Schinzel, professor at Münster University of Applied Sciences, Germany and one of the researchers who discovered the DROWN vulnerability.

He explained to Threatpost that the DROWN attack is able to decrypt TLS sessions on servers that still speak SSLv2. “The ciphersuites on SSLv2 were designed to be insecure and protected by 40-bit. Today, we use 128-bit session keys which would take forever and a day to break,” Schinzel said.
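The practical first check for the exposure described above is whether a server still answers an SSLv2 handshake at all, and if so whether it still advertises the 40-bit export ciphersuites that make the DROWN oracle cheap. The following is an added example, not code from the article or from the DROWN researchers: it builds the SSLv2 ClientHello an SSLv2-capable server answers, parses the SSLv2 ServerHello, and grades the result. The ServerHello it runs against offline is constructed here (with a placeholder in the certificate field); `probe()` and its host argument are a hypothetical live use of the same parser.

```python
"""SSLv2 support / export-cipher check. Added example; the sample ServerHello
is constructed here, not captured from any real server."""
import socket
import struct

# SSLv2 cipher-spec codes (3 bytes each) with their effective key sizes.
SSLV2_CIPHERS = {
    0x010080: ("SSL_CK_RC4_128_WITH_MD5", 128),
    0x020080: ("SSL_CK_RC4_128_EXPORT40_WITH_MD5", 40),
    0x030080: ("SSL_CK_RC2_128_CBC_WITH_MD5", 128),
    0x040080: ("SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5", 40),
    0x050080: ("SSL_CK_IDEA_128_CBC_WITH_MD5", 128),
    0x060040: ("SSL_CK_DES_64_CBC_WITH_MD5", 56),
    0x0700C0: ("SSL_CK_DES_192_EDE3_CBC_WITH_MD5", 168),
}


def _record(payload: bytes) -> bytes:
    # SSLv2 record header: 2-byte length, high bit set means "no padding byte".
    return struct.pack(">H", 0x8000 | len(payload)) + payload


def build_client_hello(ciphers=tuple(SSLV2_CIPHERS), challenge=b"\x11" * 16) -> bytes:
    """CLIENT-HELLO: type 0x01, version 0x0002, three lengths, specs, session id, challenge."""
    specs = b"".join(c.to_bytes(3, "big") for c in ciphers)
    body = (b"\x01" + b"\x00\x02"
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return _record(body)


def build_server_hello(ciphers, cert=b"<constructed-cert-placeholder>",
                       conn_id=b"\x22" * 16) -> bytes:
    """Constructs an SSLv2 SERVER-HELLO for offline testing only (a real server
    sends its DER certificate where the placeholder bytes are)."""
    specs = b"".join(c.to_bytes(3, "big") for c in ciphers)
    body = (b"\x04" + b"\x00" + b"\x01" + b"\x00\x02"   # type, session-id-hit, X.509, version
            + struct.pack(">HHH", len(cert), len(specs), len(conn_id))
            + cert + specs + conn_id)
    return _record(body)


def parse_server_hello(data: bytes) -> dict:
    """Parse an SSLv2 SERVER-HELLO. Raises ValueError when the reply is not SSLv2
    (a TLS alert starts 0x15, a closed socket yields nothing: both mean no SSLv2)."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("reply is not an SSLv2 record")
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != 0x04:
        raise ValueError("reply is not an SSLv2 SERVER-HELLO")
    _hit, _cert_type, version, cert_len, specs_len, _conn_len = struct.unpack(">BBHHHH", body[1:11])
    specs = body[11 + cert_len: 11 + cert_len + specs_len]
    codes = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, len(specs), 3)]
    names = [SSLV2_CIPHERS.get(c, (f"unknown-{c:06x}", 0))[0] for c in codes]
    bits = [SSLV2_CIPHERS[c][1] for c in codes if c in SSLV2_CIPHERS]
    return {
        "version": version,
        "ciphers": names,
        "export_ciphers": [SSLV2_CIPHERS[c][0] for c in codes if c in SSLV2_CIPHERS and SSLV2_CIPHERS[c][1] == 40],
        "min_key_bits": min(bits) if bits else None,
    }


def assess(reply: bytes) -> str:
    """Grade a handshake reply: 'export' (40-bit ciphers offered, cheapest DROWN
    oracle), 'sslv2' (SSLv2 accepted; still a risk if the RSA key is shared with
    TLS), or 'none' (server did not complete an SSLv2 handshake)."""
    try:
        info = parse_server_hello(reply)
    except ValueError:
        return "none"
    if info["export_ciphers"]:
        return "export"
    return "sslv2" if info["ciphers"] else "none"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Hypothetical live use: send the ClientHello and grade whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            reply = s.recv(4096)
        except socket.timeout:
            reply = b""
    return assess(reply)


if __name__ == "__main__":
    # Constructed reply from a server that still offers two 40-bit export ciphers.
    sample = build_server_hello([0x010080, 0x020080, 0x040080, 0x0700C0])
    print(parse_server_hello(sample))
    print("grade:", assess(sample))
```

An `export` grade on a host that also serves TLS with the same RSA key is exactly the configuration the article describes; the remediation is to disable SSLv2 everywhere that key is used, not only on the HTTPS front end, since DROWN's oracle can be any SSLv2 endpoint (such as a mail server) that shares the key.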

In the DROWN paper Schinzel co-authored, the researchers write, “Our results illustrate, like FREAK and Logjam, the continued harm that a legacy of deliberately weakened export-grade cryptography inflicts on the security of modern systems, even decades after the regulations influencing the original design were lifted.”

To Eng, the Apple case is more a legal slippery slope than a technical one, but with the same high stakes. If you allow this to happen with an Apple device now, he said, then what’s next? “Does that set precedent for the FBI to make the same request for 1,000 more devices or the camera to be turned on? Will it ask other companies to dial back encryption?”

Green says the lines separating legal and technical are blurry. “Attacks like DROWN illustrate the cost of having old, vulnerable protocols on the Internet. And they show the terrible cost that we’re still paying for export cryptography systems that introduced deliberate vulnerabilities in encryption so that intelligence agencies could pursue a small short-term advantage — at the cost of long-term security,” he wrote.

Green concludes: “Given that we’re currently in the midst of a very important discussion about the balance of short- and long-term security, let’s hope that we won’t make the same mistake again.”
