The cryptographic underpinnings of the Internet are beginning to show some serious wear, and the outlook for better days ahead is not particularly rosy. In just the last week there has been news of major new attacks on perhaps the two most widely used encryption technologies: SSL and AES. We’ve heard talk of cracks in both before, but this time, even the most conservative observers are worried.
At Black Hat last week there were two separate talks on essentially the same research, performed independently by the team of Dan Kaminsky and Len Sassaman, and Moxie Marlinspike. Both researchers have found a new method for attacking the SSL protocol that enables them to get a valid wildcard SSL certificate for a domain that they don’t control. That means that an attacker would have the ability to monitor supposedly secret SSL communications using a man-in-the-middle attack.
To an attacker, this is the Holy Grail. The user thinks his SSL session is secret and visible only to the site he’s communicating with, and all the while an attacker is silently monitoring the entire session. The brilliant part of what Marlinspike and Kaminsky and Sassaman discovered is that it simply uses a null character in the URL of the site when applying for an SSL certificate. Browsers ignore those null characters and think that they’re communicating with the legitimate site.
The warnings thrown by browsers such as Firefox and Internet Explorer would not be triggered in this kind of scenario. And earlier this year, at the Black Hat DC conference, Marlinspike demonstrated a separate technique for stripping the SSL protection out of HTTPS connections and spoofing the favicons that let users know they’re at Bankofamerica.com or Amazon.com. The trickery that he and Kaminsky showed off last week is even more impressive, and just as potentially damaging.
Add these new techniques to the work presented last winter by a group of researchers that was able to create its own certificate authority, and you have a heap of trouble for SSL.
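The null-character problem described above comes down to how a client compares the name in a certificate with the host it asked for. The following C sketch is an added example, not code from the researchers or from any browser: it assumes the flawed client treats the certificate name as a NUL-terminated C string, and it contrasts that with a length-aware check that rejects embedded NUL bytes. The host names and the functions `naive_match` and `strict_match` are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample: a certificate name as stored in the certificate,
   i.e. bytes plus an explicit length, with an embedded NUL byte. */
static const unsigned char CERT_NAME[] = "www.example.com\0.attacker.example";
#define CERT_NAME_LEN (sizeof(CERT_NAME) - 1)

/* Flawed check (assumed behaviour): the name is handled as a C string,
   so comparison stops at the first NUL and the rest is never examined. */
int naive_match(const unsigned char *name, size_t len, const char *host)
{
    char buf[256];
    if (len >= sizeof(buf)) return 0;
    memcpy(buf, name, len);
    buf[len] = '\0';
    return strcmp(buf, host) == 0;
}

/* Hardened check: reject any name containing NUL, then compare using
   the encoded length so every byte of the name has to match. */
int strict_match(const unsigned char *name, size_t len, const char *host)
{
    size_t i, hlen = strlen(host);
    if (memchr(name, '\0', len) != NULL) return 0;
    if (len != hlen) return 0;
    for (i = 0; i < len; i++)
        if (tolower(name[i]) != tolower((unsigned char)host[i])) return 0;
    return 1;
}

int main(void)
{
    const char *host = "www.example.com";
    printf("naive : %d\n", naive_match(CERT_NAME, CERT_NAME_LEN, host));
    printf("strict: %d\n", strict_match(CERT_NAME, CERT_NAME_LEN, host));
    return 0;
}
```

The same rejection of embedded NUL bytes belongs on the issuing side, before a requested name is ever signed.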
While much of the attention of the security community was focused on Las Vegas last week, there was another major result in the crypto world, this time against AES. Designed as a replacement for DES, AES is the standard encryption algorithm and has been considered quite resistant to attack. Until, that is, a group of cryptographers began circulating a paper describing a new attack that reduces the amount of time needed to recover a 256-bit AES key to a level that is practical and within reach of current technology.
Though attacks against encryption protocols and algorithms often are publicized when they’re still in the theoretical stage, there is nothing at all theoretical about this attack. In a blog post on the paper, which isn’t yet public, Bruce Schneier called the new technique a “huge result” and said it was proof that attacks always get better, not worse.
This is hardly good news for the millions of users who depend on the Web every day to conduct financial transactions, send sensitive information and run their businesses. Especially in the case of the SSL attacks, there is little to no chance that hackers haven’t already discovered the same techniques, even before they were talked about publicly. But that doesn’t mean it’s time to hide your money under the mattress and cut the wire on your Internet connection, either.
Experts are working on a fix for the SSL problem, and certificates sold by some of the larger vendors, including VeriSign, apparently aren’t vulnerable to the attack. And the AES attack, while worrisome, works only against a limited set of AES keys. There have always been problems with SSL, especially on the implementation side, and as long as there’s a lot of money to be made, people will spend a lot of time and resources trying to crack encryption algorithms. But, given the major advances made in just the last few months, it looks like things are accelerating at a furious pace.