sfs8 pt1
Ian Miller
ukcrypto at chiark.greenend.org.uk
Mon, 6 Oct 2008 22:14:08 +0100
At 14:03 +0100 4/10/08, Peter Fairbrother wrote:
>That's if the server chooses a DHE option. For real security all non-DHE
>options should be eliminated from both servers and browsers.
Agreed. It should be noted that the MitM attack is very easy to mount and
does not really require the attacker to be in-the-middle. All that is
required is:-
1 - The ability to read the traffic (and if the attacker cannot do that
there is no need of encryption at all)
2 - The ability to inject a single forged packet into the network so it is
routed to the appropriate machine. If the host is a publicly accessible
web-server then no plausible attacker will be without that access.
The technique is to produce a forged packet with a modified list of offered
cypher options. Provided the packet is the same length as the genuine one
and has the right ack, syn, port numbers etc. and arrives before the
genuine one, it will be accepted as the real one. The genuine one when it
arrives is then discarded by the IP-stack as a duplicate. In this way the
attacker can select any mutually acceptable cypher option.
[I haven't actually tried this, but it should work.]
In fact, it may be worse than that. A lazy implementation of cypher
selection in a browser may use the configured set of ciphers merely to
construct the set of options that will be offered to the server, and then
assume without checking that the option selected by the server was one of
these. If so the attacker can select any option acceptable to the server and
_implemented_ in the browser. It would be interesting to check all the
common browsers against a suitably modified SSL server to see how they
respond.
One approach to the inadequacy of browsers' set-up is to implement this
attack yourself to force the connection into the secure mode of your
choice. You also need to monitor the server's reply to make sure it worked
(i.e. that no-one else is doing the same trick), and raise an alarm if it
didn't. This is quite a neat option as it should work with all browsers.
Ian
--
32 Stockwell St, Cambridge, CB1 3ND
Tel: +44 1223 511943 Mobile: +44 777 5536663
Fax: +44 870 0514333 (e-mail preferred to Fax)
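The two checks Ian's post turns on (that the browser verifies the server picked a suite it actually offered, and that a monitor raises an alarm when the negotiated suite is not one of the configured ephemeral ones) can be shown on the hello messages themselves. The following is an added example, not code from the original post or from any browser: it builds constructed TLS 1.0 ClientHello/ServerHello records, parses the offered and chosen cipher suites back out, and returns a verdict. The cipher-suite code points are the registered IANA values; the all-zero random, the builder helpers and the verdict strings are assumptions made for the example.

```python
import struct

# Cipher-suite code points from the IANA TLS registry.
TLS_RSA_WITH_3DES_EDE_CBC_SHA = 0x000A
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_DHE_RSA_WITH_AES_128_CBC_SHA = 0x0033
TLS_DHE_RSA_WITH_AES_256_CBC_SHA = 0x0039

# Policy from the thread: only ephemeral-DH suites are acceptable.
ALLOWED_SUITES = {TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA}

RANDOM = bytes(32)  # constructed: all-zero random, sample messages only


def _record(handshake_type: int, body: bytes) -> bytes:
    """Wrap a handshake body in a TLS 1.0 handshake record (constructed sample data)."""
    hs = bytes([handshake_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_client_hello(suites) -> bytes:
    """ClientHello with the given cipher suites, empty session id, null compression."""
    body = b"\x03\x01" + RANDOM + b"\x00"
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"
    return _record(0x01, body)


def build_server_hello(suite: int) -> bytes:
    """ServerHello selecting one suite, empty session id, null compression."""
    body = b"\x03\x01" + RANDOM + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _record(0x02, body)


def _handshake_body(record: bytes, expected_type: int) -> bytes:
    """Strip the record and handshake headers, checking the handshake type."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]
    if hs[0] != expected_type:
        raise ValueError("unexpected handshake type %#x" % hs[0])
    length = int.from_bytes(hs[1:4], "big")
    return hs[4:4 + length]


def offered_suites(client_hello: bytes):
    """Cipher suites listed in a ClientHello, in the order offered."""
    body = _handshake_body(client_hello, 0x01)
    pos = 2 + 32                      # client_version + random
    pos += 1 + body[pos]              # session id
    n = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    return [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, n, 2)]


def chosen_suite(server_hello: bytes) -> int:
    """Cipher suite selected in a ServerHello."""
    body = _handshake_body(server_hello, 0x02)
    pos = 2 + 32
    pos += 1 + body[pos]
    return struct.unpack("!H", body[pos:pos + 2])[0]


def check_negotiation(client_hello, server_hello, configured, allowed=ALLOWED_SUITES):
    """Verdict for a monitor that sees both hellos on the wire.

    'alarm' means the ClientHello on the wire is not the one this client was
    configured to send; 'abort' means the server's choice must be rejected.
    """
    offered = offered_suites(client_hello)
    chosen = chosen_suite(server_hello)
    if offered != list(configured):
        return "alarm: offered list differs from configured list"
    if chosen not in offered:
        return "abort: server selected a suite the client never offered"
    if chosen not in allowed:
        return "abort: non-ephemeral suite %#06x negotiated" % chosen
    return "ok"
```

The middle check is the one a "lazy implementation" in Ian's sense omits: it costs one set lookup and turns a server (or anyone speaking for it) picking an unoffered suite into a hard failure rather than a silently weaker session.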