In https://bugzilla.mozilla.org/show_bug.cgi?id=472975 georgi said in comment 
12:

offtopic question:

afaict when doing a ssl connection, the server *doesn't sign* anything with his
private key (in most cases). though the server needs it for finding the session
secret.

are attacks with symmetric ciphers studied like:
the server gives a valid cert trying to impersonate something. he doesn't have
the private key but tries to ``break'' the symmetric ciphers - advertising null
cipher, very short key length of the cipher?

i tried something like this but firefox didn't accept null ciphers and gave
error.

is it possible the server to make symmetric keylength say 8 bits and the client
to accept it (afaict some ciphers allow variable keylength)?
I'm moving this to dev-tech-crypto mailing list, since it doesn't belong in the 
bug, but I did want to make sure georgi gets the answer.

First the short answer: 1) breaking one of the weak symmetric encryption keys (there are a couple) will not allow you to use a certificate that you don't have the private key for.
  2) you can only force a weak symmetric cipher if the client allows it. IIRC 
we have turned off weak ciphers in the newest versions of firefox by default 
(though you can turn them back on again if you want).

-----------------------------

Long answer:

There are several symmetric keys involved in an SSL connection. They are:

1) The pre-master secret - this is a 48 byte (384 bit) key negotiated between 
the client and server for RSA ciphers that means the client picks it and sends 
it to the server encrypted with the server's public key. Knowledge of this key 
will essentially give you the ability to spoof either or both sides of the SSL 
connection. It will also allow you make more connections to either the client 
or the server until either of them decide that they need to do a full handshake 
(this usually happens if one side has forgotten the master secret, or the 
lifetime of the master secret has expired -- usually 24 hours in SSL3/TLS).

2) Master secret - this is also a 48 byte (384 bit) key which is derived from 
the pre-master secret. Unless the Hashing functions are completely broken (and 
in this respect neither MD-5 nor SHA-1 have shown any weaknesses), you cannot 
get to the pre-master secret from the master secret, however from an attacker 
point of view, it doesn't matter. Getting the Master secret is sufficient to 
control the connection in the same way as getting the pre-master secret.

3) Session keys. There are 4 session keys used in a single ssl connection. 
These keys are generated from the master secret and two public random numbers, 
one provided by the client and one provided by the server. Since both provide 
random numbers, it's not possible for one side to force the same session keys 
in a second connection. This means as long as the prf is strong, you cannot use 
the breaking of one of these session keys to either 1) break the master secret, 
2) extend the knowledge to a future session, or 3) break the rest of the keys. 
The 4 session keys are:
        3a) Server write macing key - 16-20 bytes (or 128-160 bits) depending 
on MD5 or SHA-1 macing
     Breaking this key is required in order to complete an SSL connection from 
the server side.
        3b) Client write macing key - 16-20 bytes (or 128-160 bits) depending 
on MD5 or SHA-1 macing
     Breaking this key is required in order to complete the SSL connection from 
the client side.
        3c) Server write key - 0 - 32 bytes (or 0 - 256 bits) depending on the 
symmetric algorithm.
     Breaking this key is required in order to read the server's data.
        3d) Client write key - 0 - 32 bytes (or 0 - 256 bits) depending on the 
symmetric algorithm.


So if your goal is to use someone else's certificate, you will need to either 
1) break the pre-master secret, 2) break the master secret, or 3) break both 
the server write macing key and the server write key. Even if you  you can 
force a client to choose weak or NULL ciphers, you still have to break the 
macing key.

To compound this, the client only generates data using it's own write and write 
macing keys. It knows the servers keys, but only validates data. At the end of 
the initial handshake the server has no information with which to attack it's 
own write keys, it can only know it it's guess is correct by asking the client. 
The client only gives the server one shot and it fails the connection. This 
means, in order to implement your attack you must either break the pre-master 
secret* (basically attacking RSA), or the master secret (basically attacking 
one of the client keys, and then attacking the derive function to get the 
master secret).

Finally, as mentioned above, as encryption supported generally in the internet 
gets stronger, clients drop support for weaker ciphers. You have already 
noticed FF does not support null ciphers by default. The same is true of 'weak' 
ciphers like the old export ciphers.

Hope this helps, the complexity of the SSL protocol is because it protects 
against so many different kinds of attacks, including this one.


bob

*There was an attack against the pre-master secret discovered by 
Blechenbaucher, which required using the real server as an oracle, giving it 
several slightly modified versions of a real encrypted pre-master secret and 
noting the differences in the types of errors it returned. Modern SSL servers 
do not provide this kind of detailed knowledge, much to the chagrin of may SSL 
implementers trying to debug their code. Unfortunately such lack of response is 
necessary for the security of the system as a whole.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to