A Bell Labs researcher has found a serious vulnerability in the data-scrambling algorithm underlying the encryption that secures online transactions in both Netscape and Microsoft servers.
The attack breaks the Public Key Cryptography Standard #1 (PKCS1), which underlies the Secure Sockets Layer (SSL) used in many Web security products to protect sensitive information in transactions, such as credit card data. It was proven in a laboratory setting several months ago by Daniel Bleichenbacher, a computer scientist at the Secure Systems Research of Bell Labs -- the research and development arm of Lucent Technologies. The problem only affects servers, and not browsers.
The attack has not been used maliciously on the Internet against a commercial Web server, and most vendors have already released patches. Most, if not all, of the major commerce Web sites have already installed patches to fix the problem, according to an executive at RSA Data Security, which owns the algorithm in question.
The crack works when an attacker sends more than one million messages to a target server running SSL. As each attempt is rejected with an error message, an algorithm is applied to the results, revealing information about a particular interaction between a customer and a Web site.
"It attacks a class of protocols that use interactive key setup", said Scott Schnell, vice president of marketing for RSA. Schnell said that RSA had been working closely with Bleichenbacher for several months to come up with countermeasures.
"This provides a mechanism for a hacker to send a million messages to a server, and interpret very slight variations in the error messages that come back", Schnell said. "It is those variations that provide a hacker with clues to discover the session key for a particular encrypted session between a browser and a Web sever."
Schnell said that the vulnerability depended on the attacker having access to either the server, or the individual conducting a transaction with that server. Such a move would require a "sniffer" program to capture the transaction.
"It can't be some random guy anywhere on the Interest", Schnell said. "I can record the bits, then modify those bits subtly, using a technique called an adaptivity cyphertext attack. I fire [a million of] them at the server and the error messages can provide clues [to the details of the session]", he said.
Though the attack only requires Pentium-level processing power, there have been no reported public incidents. And none are expected, as a Web server administrator would easily have been able to detect a million attempts on a server.
"The first lesson is that the protocols have to be changed", said Bleichenbacher. "I still think that the PKCS1 and SSL are good products, and the attack is not that serious."
Bleichenbacher said that consumers shouldn't be concerned about the safety of their credit card or banking transactions, and that his research only strengthened what was already a very secure scheme.
"You are really going in the direction where the protocols will become really strong", he said.
"Netscape (NCSP) takes all security issues very seriously", said Netscape spokeswoman Andrea Cook, "and that's why, even though this problem was only theoretical and the subject of research, we have been working day and night since we were notified of the issue last week, to build patches to our server."
"We have delivered a patch and it is downloadable from our Web site", Cook said. "Over the past few days, we have been proactively notifiying our customers and most of them have already rolled out [the fix]. We have been working together with other industry vendors cooperatively to make sure that everyone has a patch."
"RSA notified us as soon as they found out about the problem", said Johnathan Perera, lead product manager for Microsoft Windows NT. "The first thing we did was test it in our labs and begin a fix. Specifically, it impacts the S channel -- the file that lives on the server that handles the encryption", he said, adding that the problem is specific to Windows NT with the Internet Information Server (IIS).
Perera said that Microsoft (MSFT) has contacted its customers and has posted a patch to its security Web site.
C2Net Software said they developed a preemptive patch for their Stronghold secure Web server last weekend, after hearing from RSA on Friday. They received the patch from their cryptography team, which is based in Australia.
"The patch was easy enough to implement", said C2Net spokesman Srini Kumar. "The new version of the product is already there and we are doing the best we can to make sure everyone knows about it", he said.
A representative for Lotus Development Corporation said that the company was still evaluating the possible impact on its Domino Web server, which uses the SSL encryption scheme. Steve Hopley of Lotus said that Domino customers would be notified if a patch is required.
IBM (IBM) is also evaluating the threat, though a representative said the company had only been notified of the issue 24 hours ago. "We are not entirely certain if it is an issue, we are still evaluating and assessing what could be affected", said spokesman Jay Cadmus. He estimated that about 25 IBM products use the SSL scheme.