Viktor's description agrees with Matthew Green's explanation.[1] The FREAK 
attack can work against non-patched OpenSSL clients even if they disable 
export-grade ciphers; in fact, that's precisely the problem.

The attack works like this:

1. Client sends ClientHello with a suite list that includes strong RSA suites.
2. MITM modifies ClientHello to request export-grade RSA.
3. If the server supports export-grade RSA, it replies with a 512-bit RSA key.
4. The client incorrectly accepts the short RSA key, even though it didn't ask 
for one. That's the bug.
5. Attacker factors the 512-bit RSA key. This relies on the second problem 
described by the FREAK authors: many servers (e.g. Apache) just generate one 
512-bit RSA key pair at startup, and don't create a new one for each 
export-grade request, because it's expensive. So if you factor it once, you're 
good to break a whole bunch of sessions.

If you always control both ends of the conversation, and can disable the export 
suites on both, then you shouldn't be vulnerable. If you have to talk to 
third-party servers, though, you don't know which ones might be vulnerable. 
FREAK testing has revealed that an awful lot still support the export suites.

[1] http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html

________________________________________
From: openssl-users [openssl-users-boun...@openssl.org] on behalf of Viktor 
Dukhovni [openssl-us...@dukhovni.org]
Sent: Tuesday, March 10, 2015 06:53
To: openssl-users@openssl.org
Subject: Re: [openssl-users] How to disable all EXPORT Ciphers?

On Tue, Mar 10, 2015 at 08:44:57AM +0000, Christian Georg wrote:

> I understand that the downgrading of the ciphersuites is a bug in the
> library that should be patched. Doing this can however be difficult when
> talking about mobile apps that use OS Libraries.  From my understanding
> the bug only works within the limit of ciphersuites permitted by both the
> client and the server.

That understanding is I believe wrong.  Only the server needs to
support EXPORT ciphers.  The client just needs a vulnerable library.

> Therefore my assumption is if the server side does only offer strong ciphers
> I do not have to worry too much about the ability to exploit the FREAK
> vulnerability e.g. in android clients.

Yes, if the server disables EXPORT ciphers the clients are safe
with *that* server, but will remain vulnerable with other servers.
The clients do need to be patched.

--
        Viktor.
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
