A recently announced security flaw, dubbed FREAK (Factoring RSA Export Keys) has significant implications for Android and Apple devices that connect to other websites via HTTPS and offers an object lesson in why deliberately weakening cryptographic standards to allow for backdoors or other forms of protection is such an emphatically bad idea. <\/p>\n
To understand the problem, we need to cover a bit of history. Back in the early 1990s, the US government treated cryptography as a matter of national security. This resulted in a split system, in which the US used one level of cryptography for domestic software, but internationally distributed programs might set a different encryption level for programs that would be deployed overseas. Netscape, for example, was distributed in both a 128-bit and a 40-bit version. <\/p>\n
This left cryptography standards developers stuck between a rock and a hard place. Any software suite or implementation standard had to be able to support both a strong version of a standard and a weak version, with the NSA or other governmental agency demanding the weak version be available to ensure national security. If you follow security even at the most tangential level, youre undoubtedly aware that government and industry bodies periodically adopt stronger security standards as cracking methods become more sophisticated and computers become more powerful. Old computer ciphers that wouldve taken decades or centuries to decode when they debuted can now be cracked in minutes, in some cases. <\/p>\n
The government eventually lifted most of these requirements, thus allowing foreign connections to be secured by the same methods that domestic software used. Unfortunately, SSL was defined during the time period when these restrictions existed. The largest key US companies were allowed to distribute outside the US was a 512-bit RSA key. For reference, the Komodia software we covered extensively over the past few weeks used 1024-bit keys and was broken in hours; current best practice is to use 2048-bit keys. <\/p>\n
Matthew Green, a cryptographer and researcher at Johns Hopkins University, summarizes the problem as follows: <\/p>\n
It turns out that some modern TLS clients including Apples SecureTransport and OpenSSL have a bug in them. This bug causes them to accept RSA export-grade keys even when the client didnt ask for export-grade RSA. The impact of this bug can be quite nasty: It admits a man in the middle attack whereby an active attacker can force down the quality of a connection, provided that the client is vulnerable and the server supports export RSA. <\/p>\n
Now, none of this would be a problem if export-RSA had actually been phased out on schedule. Remember, were talking about a security standard based on requirements that were lifted decades ago; Netscape was developing SSL before some of you were born. (Yes, thats depressing). <\/p>\n
Unfortunately, scans show that the export-RSA standard is apparently still supported by up to 36.7% of the sites serving browser-trusted certifications, including Content Distribution Networks (CDNs) like Akamai. Affected websites include NSA.gov, Whitehouse.gov, irs.gov, and tips.FBI.gov, but government sites are far from the only sites affected a full list of the affected Top 10,000 sites is available here. Crack the 512-bit key, and youve got a perfect man-in-the-middle scenario. <\/p>\n
The NSAs RSA encryption can be broken and data changed with this method <\/p>\n
It turns out, it costs about $104 worth of Amazon EC2 server time to break a 512-bit RSA key, which makes this kind of flaw eminently practical for certain types of targeted attacks. Apple is expected to patch the problem by next week, but Android users are, in Greens words, screwed. Firefox is reportedly protected for both OS X and Android, so concerned users should consider using that browser (Google is patching Chrome for Mac to make it immune as well). <\/p>\n
<\/p>\n