Press release issued 29 February 2012A padlocked icon in a web-browser or a URL starting with https provides communication security over the Internet. The icon or URL indicates OpenSSL, a cryptography toolkit implementing the SSL protocol, or a similar system is being used. New research by a collaborative team has developed an attack that can circumvent the security OpenSSL should provide. The attack worked on a very specific version of the OpenSSL software, 0.9.8g, and only when a specific set of options were used.
Dr Dan Page, Senior Lecturer in Computer Science in the Department of Computer Science at the University of Bristol, and one of the collaborative team, will present a paper at the RSA® Conference in San Francisco today [Wednesday 29 February] about the EPSRC-funded research.
The attack worked by targeting a bug in the software. Carefully constructed messages were sent to the web-server, each of which triggered the bug and allowed part of a cryptographic key to be recovered. Using enough messages, the entire key could be recovered.
Dr Dan Page said: “Our work suggests an underlying problem. With software and hardware playing increasingly significant roles in our day-to-day life, how much can and should we trust them to be correct?
“The answer, in part at least, is a stronger emphasis on and investment in formal verification and correctness of open source software. Our research highlights the important role this topic will play for software engineers of the future.”
SSL is designed to provide two guarantees. Firstly, that a web-server accessed is the one expected, and, secondly, that subsequent communication between the user and the web-server cannot be read by anyone else.
Both guarantees are important for e-commerce websites that need to manage sensitive data such as credit card details in a secure, dependable way. However, both depend on the web-server keeping various cryptographic keys secret.
OpenSSL is embedded in many platforms, particularly those based on the Linux operating system. Some operating system vendors have started to release advisories that prompt the upgrade of older versions of OpenSSL. This acts to limit any implications of an attack.
Paper: Practical realisation and elimination of an ECC-related software bug attack?, B B Brumle, Aalto University, Finland; M Barbosa, Universidade do Minho, Portugal; D Page, University of Bristol, and F Vercauteren, Katholieke Universiteit Leuven, Belgium, Cryptology ePrint archive: report 2011/633.
Please contact email@example.com for further information.
The RSA® Conference 2012 is taking place until March 2 in San Francisco, USA. The conference is regarded as the best forum in the information security field, enabling attendees to keep abreast of new innovations and best practices and to learn about IT security’s most important issues.
The Cryptography and Information Security Group in the Department of Computer Science at the University of Bristol conducts research into public key cryptography; the underlying hard problems on which it is based and the hardware and software needed to implement secure systems.
The group has particular interest in techniques for efficient implementation of such systems on small computing devices and the verification that such implementations do what they say they do.
The Engineering and Physical Sciences Research Council (EPSRC) is the UK’s main agency for funding research in engineering and the physical sciences. The EPSRC invests around £800 million a year in research and postgraduate training, to help the nation handle the next generation of technological change. The areas covered range from information technology to structural engineering, and mathematics to materials science. This research forms the basis for future economic development in the UK and improvements for everyone’s health, lifestyle and culture. EPSRC also actively promotes public awareness of science and engineering. EPSRC works alongside other Research Councils with responsibility for other areas of research. The Research Councils work collectively on issues of common concern via Research Councils UK.
With software and hardware playing increasingly significant roles in our day-to-day life, how much can and should we trust them to be correct?