Securityasp

asp.net网页制作  时间:2021-02-10  阅读:()
BarMitzvahAttackBreakingSSLwitha13-yearoldRC4WeaknessAbstractRC4isthemostpopularstreamcipherintheworld.
Infact,asofMarch2015,RC4isestimatedtoprotectasmuchas30%ofSSLtraffic,likelyamountingtobillionsofTLSconnectionseveryday.
Yetitsuffersacritical–andlongknown–weaknessknownastheInvarianceWeakness.
InthispaperwewillrevisittheInvarianceWeakness–a13-yearoldvulnerabilityofRC4thatisbasedonhugeclassesofRC4weakkeys,whichwasfirstpublishedintheFMSpaperin2001.
WewillshowhowthisvulnerabilitycanbeusedtomountpartialplaintextrecoveryattacksonSSL-protecteddata,whenRC4isthecipherofchoice,forrecoveringtheLSBsofasmanyas100bytesfromtheencryptedstream.
AsopposedtoBEAST,POODLE,CRIMEandotherattacksonSSLthatwerepublishedinrecentyears,includingtheRoyalHollowayAttackontheusageofRC4,anewattackbasedupontheInvarianceWeaknessdoesnotrelyonaggregationofsmallfragmentsofplaintextinformation,butona"hit",arareeventthatcausesasignificantleakagetooccur.
WeshowhowthisuniquecharacteristiccanbeusedtoattackSSLinnewscenarios,includingthefirstpracticalattackonSSLthatdoesnotrequireanactiveMan-in-the-Middle.
Furthermore,thenewattackisnotlimitedtorecoveryoftemporalsessiontokens,butcanbeusedtostealpartsofpermanentsecretdatasuchasaccountcredentialsandcreditcardnumberswhendeliveredoverHTTPS.
Anothervariantoftheattackrecoversasignificantpartofasecretwithsmallbutnon-negligibleprobability,evenifthatwastransmittedonlyonceovertheSSLconnection.
ThispaperwilldescribetheInvarianceWeaknessindetail,explainitsimpacts,andrecommendsomemitigatingactions.
IntroductionTLSTheProtocolTLSisthemostwidelyusedsecurecommunicationsprotocolontheInternettoday.
StartinglifeasSSL,theprotocolwasadoptedbytheIETFandspecifiedasanRFCstandardunderthenameofTLS1.
0[1].
IthassinceevolvedthroughTLS1.
1[2]tothecurrentversionTLS1.
2[3].
TLS1.
3is,asofMarch2015,indraft[4].
VariousotherRFCsdefineadditionalTLScryptographicalgorithmsandextensions.
SSLiscurrentlyusedforsecuringawidevarietyofapplication-leveltraffic:Itserves,forexample,asthebasisoftheHTTPSprotocolforencryptedwebbrowsing,itisusedinconjunctionwithIMAPorSMTPtocryptographicallyprotectemailtraffic,anditisapopulartooltosecurecommunicationwithembeddedsystems,mobiledevices,andinpaymentsystems.
SSLstrivestofulfilltwomajorgoals:1)allowtwopartiestoauthenticateeachother,and2)securethecommunicationbetweenthetwo.
InmanySSLdeployments,particularsecurewebbrowsing,theauthenticationisone-way,meaningthatonlytheclient(browser)authenticatestheserver(webapplication),butnotviceversa.
SSLsessionsconsistoftwophases:IntheSSLHandshakingProtocoltheclientauthenticatestheserver,theserver(optionally)authenticatestheclientandbothestablishcryptographicsessionkeys,readytoprotectthecommunication.
IntheRecordProtocolthepartiesusetheestablishedsessionkeysandsymmetrickeycryptographytoencrypt(e.
g.
,usingAESblockcipherorRC4streamcipher)andauthenticate(e.
g.
,usingHMACalgorithms)tobuildasecurechannelforapplication-layerdata.
ThepartiescanchoosebetweenmanydifferentauthenticationandencryptionalgorithmsfortheRecordProtocol,essentiallydividedintothefollowingclasses:BlockCipher(CBCmodeofoperation)+HMACStreamCipher(RC4)+HMACAuthenticated-Encryptionusingblockcipher(GCM/CCMmodeofoperation)SSLProtocolWeaknessesInthelastcoupleofyearsseveralsignificantvulnerabilitieshavebeendiscoveredintheSSLprotocol,particularlyinthemostcommonlyusedvariants,AES-CBCandRC4.
TheAES-CBCvarianthasseensignificantcryptanalysis(paddingoracleattacks[5],BEAST[6],Lucky13[7],TIME[16],andPOODLE[15]).
Andin2013AlFardanet-alpublishedananalysis[8]oftheRC4mode,whichshowedhowtomountanattackthatrecoversdatatransmittedoveraSSL/RC4connection.
TheattackwasbasedonsomeofthemanyknowweaknessesofRC4,inparticularthesignificantstatisticalbiasesinitsfirstoutputbytes,andtheweakerstatisticalbiasesintheRC4keystream.
ImplementationWeaknessesInrecentyearsSSLimplementationshavereceivedsignificantattentionandscrutinyfromsecurityresearchers,andthishasresultedinsteadydiscoveryofnewvulnerabilities(andpatching,withorwithoutdisclosure).
In2014severaldozenvulnerabilitieswerediscoveredintheOpenSSLlibrary(themostpopularimplementationofSSL),HeartbleedbeingthemostsevereoneinthatitallowsanattackertodumpmemorysegmentsfromtheSSLserver,inmanycasesexposingsecretkeyinformation.
Vulnerabilitiesinseveralotherimplementationswerepublishedaswell(e.
g.
,CVE-2014-6321inMicrosoftSChannel).
OnRC4TheStreamCipherThe4-lineStreamCipherRivestCipher4(RC4)isoneofthesimplestcryptographicalgorithms,implementingapseudo-randomgeneratorthatisusedtoimplementastreamcipher.
TheinternalstateofRC4includesapermutationSof[0,1,.
.
,255]andtwoindicesiandjinthispermutation.
Inthekeyschedulingphase(KSA)anL-bytelongRC4key(forLvaryingbetween5and256)isusedtoconstructtheinitialstatepermutationS0.
Intheencryptionphase,RC4PRGA,whichisinitializedwiththeresultantS0isusedtogenerateastreamofpseudo-randombytes,denotedasthekeystream.
LikemostoftheStreamCiphers,thesepseudo-randombytesareXOR-edwiththeplaintextbytestogeneratetheciphertextbytes.
ThebuildingblocksofRC4aredescribedbelow.
KSA(K)PRGA(S0)j=0S=[0,1,2,…,255]fori=0.
.
255j=(j+S[i]+K[imodeL])S[i]S[j]Alloperationsaredonemod256i,j=0,0S=S0whilebytesareneeded:i=i+1j=j+S[i]S[i]S[j]EmitS[S[i]+S[j]]Knownforitssimplicityandforitsrespectedauthor,RC4gainedconsiderablepopularity.
Andgivenitsimpressiveperformance,beingabletoencryptanddecryptalmosttwotimesfasterthanAES,formanyyearsitwasconsideredtobethedefaultstreamcipher.
SecurityofRC4RC4isnotasecurecipher.
Backinthe90s,whenRC4wasatradesecretofRSAanditsdetailswhereknownbutnotformallyapproved,RC4wasbelievedtobesecure.
However,inthefollowingdecade,RC4hadundergonesignificantscrutinybycryptographyexperts,whichshowedstatisticalbiasesinthepseudo-randomstreamthatallowanattackertodistinguishRC4fromrandom([9],[10])andtopredictitsallegedlypseudo-randombitswithhighprobability([10]).
WhilethisstatisticalanalysisrequiresmanymillionsofRC4keystreambytes,tworesearchesin2001ontheinitializationofRC4hadswitchedthefocusofRC4analysistoitspoorinitializationmechanisms.
Thefirst[11]hadshownthatthesecondbyteofRC4hashugestatisticalbias,havingtwicetheexpectedprobabilitytobezero.
Thesecond[12],laterknownastheFMSresearch,hadcompletelybrokenRC4inthewayitwasusedintheWEPprotocol.
TheseresultshadinitiatedawaveofresearcheffortsandanalysisresultsonRC4initialization,awavewhoseendisyettobeseen.
Correlationbetweenkeybytesandstatebytes(e.
g.
,[13]),correlationbetweenkeybytesandfirstoutputbytes(e.
g.
,[12]),andbetweenkeybytesandfurtheroutputbytes([14]),significantstatisticalbiasesinthefirst256outputbytes[17],andmanyotherresults.
Interestingly,theseriesofsuccessfulattacksdidn'thaveasignificantimpactonthepopularityofRC4,andinfactduringthewaveofCBCattacksonSSLin2012,someexpertsrecommendedswitchingtoRC4.
TheInvarianceWeaknessTheFMSresearch[12]detailstwosignificantRC4weaknesses.
TheIVweakness,resultinginapracticalkeyrecoveryattackandcompletebreakofRC4intheWEPprotocol,receivedmostoftheattention,leavingtheotherweakness-denotedinthepaperastheInvarianceWeakness-intheshadowsfor13years.
TheInvarianceWeakness,isanL-shapekeypatterninRC4keys,whichonceitexistsinanRC4key,preservespartofthestatepermutationintactthroughouttheinitializationprocess.
Thisintactpartincludestheleastsignificantbitsofthepermutation,whenprocessedbythePRGAalgorithm,determinestheleastsignificantbitsoftheallegedlypseudo-randomoutputstreamalongalongprefixofthestream.
Thesepatterns,andadetailedexplanationofhowtheyarepreserved,aredescribedindetailin[12]and[13].
ThesebiasedstreambytesareXOR-edwiththeplaintextbytes,resultinginsignificantleakageofplaintextbytesfromtheciphertextbytes.
ThesepatternsoccurfordifferentnumberofLSBs,asingleLSB,2LSBs,3LSBsto7LSBs,resultingwithdifferentclassesofweakRC4keys.
Duetothestructureoftheseclasses,eachclasscontainsthesucceedingclassesandthusthefirstclassisthelargest,denotedbelowastheMainClass.
Theportionofq-classforL-bytekeys(whichistheprobabilityofarandomkeytobeintheclass)is2-(qL+(9-q)).
For16-bytekeytheportionoftheMainClass(1-class)is2-24(1in16million)andtheportionof2-classis2-39(veryrare).
Thesenumbersareshowninthefollowingtable.
#LSBsApplicabilityClassProbability(8-bytekey)ClassProbability(16-bytekey)1Keyswithevennumberofbytes2-162-242Keyswithnumberofbytesthatisamultipleof42-232-393Keyswithnumberofbytesthatisamultipleof82-302-544Keyswithnumberofbytesthatisamultipleof162-372-69Whenakeyfromaq-classisused,thefollowingthingshappen:TheinitializationphaseofRC4failstomixthestatewithkeymaterialproperly,andpreservestheKleastsignificantbitsofitsinternalstateAsaresult,theinitialstateofRC4hasfixednon-mixedqLSBsqleastsignificantbitsofthefirst30-50bytesstreambytescomplywithadeterministicpatternwithsignificantprobabilityqleastsignificantbitsofthefirst30-50plaintextbytesareexposedwithsignificantprobabilityTheprobabilityoftheqLSBstocomplywiththepatterndropswiththestream.
ThisprobabilityisdemonstratedinthefollowingdiagramsforasingleLSB,2LSBsand3LSBs.
Figure1:SingleLSB(advantageover0.
5)Figure2:2LSBs(advantageover0.
25)Figure3:3LSBs(advantageover0.
125)Thereasonforthedecreasingprobabilityisthestatepatterngetting"ruined"withthestreamgenerationandafter50bytesemittedbyRC4PRGA,thepatternfadesout.
However,subsequentanalysisweranonRC4streamswhenusingweakkeysshowedadifferencepatternbetweenstreamLSBs,whichislesssensitivetothis"ruining"effect,andmanagestosurviveforasmanyas100bytesofthekeystream.
ThesurvivalprobabilityofdifferencepatternsisdemonstratedinthefollowingdiagramsforasingleLSB,2LSBsand3LSBs,withreferencetothevaluepatterns(thediffpatternisinredandthevaluepatternremainsinblue).
Figure4:SingleLSB(diffpattern;advantageover0.
5)Figure5:2LSBs(diffpattern;advantageover0.
25)Figure6:3LSBs(diffpattern;advantageover0.
125)ApplicationsoftheInvarianceWeaknessTheInvarianceWeaknessofRC4hasseveralcryptanalyticapplications,describedindetailin[12]and[13],includingstatisticalbiasesintheRC4pseudo-randomstreamthatallowanattackertodistinguishRC4streamsfromrandomnessandenhancementoftradeoffattacksonRC4.
AnotherapplicationoftheInvarianceWeakness,whichweuseforourattack,istheleakageofplaintextdataintotheciphertextwhenq-classkeysareused.
Theauthorsof[8]hadtranslatedstatisticalbiasesinthekeystreamintoplaintextleakageattacks.
Wefollow[8]anduseourstatisticalbiastorecoverplaintextinformation.
TheInvarianceWeaknessbiasesarenotasstrongasthebiasesusedin[8].
However,thesebiaseshaveuniquecharacteristics,ononehandoccurringrarely,butontheotherhandeffectivein100keystreambyteswithextremelyhighprobability,openingthedoortoplaintextleakageattacksinseveralcircumstancesthatwerebelievedtobecompletelysecure.
UsingtheInvarianceWeaknesstoAttackSSLSSLUsageofRC4SSLRecordProtocolusesRC4forencryptioninmanySSLciphersuites.
IntheHandshakingprotocol,RC4encryptionkeysaregeneratedforupstreamanddownstreamcommunication.
IntheRecordprotocol,theupstreamkeyisusedforencryptionofclient-to-servercommunication,whereasthedownstreamkeyisusedforencryptionofserver-to-clientcommunication.
Itisimportanttonotethattheencryptionsarestatefull,usingthefirstkeystreambytesforencryptingthefirstmessage,thesucceedingkeystreambytesforencryptingthenextmessage,etc.
GiventhattheInvarianceweaknessisexpressedonlyinthefirst100bytesofthekeystream,itcanbeusedonlyforthefirst100bytesoftheprotectedupstreamtrafficandthefirst100bytesoftheprotecteddownstreamtraffic.
GiventhatthefirstencryptedmessageineachdirectionistheSSLHandshakeFinishedmessage(36-bytesintypicalusageofSSL),about64bytesofsecretplaintextdataareleftfortheattack.
Thisflowisdepictedinthefollowingdiagram.
Thefirst36bytesoftheupstreamkeystreamareusedforencryptingtheFinishedmessage.
Thenextbytesareusedtoencrypttheactualapplicationdata.
TheAttackScenarioOurattacksarebasedonthefollowingscenario:theattackersniffsalargenumberofSSLconnectionsencryptedwithRC4,waitingfora"hit";thatisthearrivalofaweakkey.
Onceaweakkeyarrives,theattackerpredictstheLSBsofthekeystreambytes,andusesthesetoextracttheLSBsoftheplaintextbytesfromtheciphertextwithsignificantadvantage.
Inordertofulfillthisscenario,theattackerneedstodeterminewhichSSLsessionsaretheonesinwhichweakkeyswereused.
ForthisisolationtheattackercanusethefactthatthefirstencryptedbytesincludetheSSL"Finished"messageandHTTPrequest,bothhavingpredictableinformation.
Thus,whenaweakkeyisused,theplaintextpatternsareXOR-edwithkeystreampatterns,generatingciphertextpatternsvisibletotheattacker.
[7],[8]andotherpreviousattacksonSSL,usetinystatisticalbiasestoaggregatetinypiecesofplaintextinformation.
Inordertomakethisaggregationpossible,thetargetobjectmustbeencryptedmanytimes,withthesamekeyin[7andwithdifferentkeysinabroadcastscenarioin[8].
Asopposedtotheseattacks,ourattackscenario,whenaweakkeyarrives,getsatonceasignificantamountofdataonthetargetobject,providingimmediatepartialplaintextrecovery.
Ontheotherhand,thispartialplaintextrecoverycannotbeextendedintofullplaintextrecoverybycontinuingtheattackandlisteningtomoresessions.
WhatcanyoudowithLSBsTheabovescenarioallowstheattackertorecovertheleastsignificantbitsofuptoahundredsecretbytes.
Whenthetargetobjectisasessioncookie,theattackerreducestheeffectivesizeofthecookie,allowingaccelerationofbruteforceattackonthesessioncookieforthesakeofSessionHijacking.
Forexample,learningtheLSBsofASPsessioncookies,whichcontain16charactersof5-bitentropyeach,reduces16bitsofthecookieentropyandthuscanbeusedforfasterbruteforceattackonthesessioncookievalue.
ForPHPsessioncookiesthisaccelerationcanincreasetouptoafactorof232.
Whenthetargetobjectisann-characterpassword,anattackerpossessingthepasswordLSBscanaccelerateadictionaryattackwithafactorof2n,reducingthesecurityofan8-charpasswordbyafactorof256.
Furthermore,anattackerwhorunsabruteforceattackonaloginAPI,canscanadatabaseofknownpopularpasswords,extractthepasswordsthatcomplywiththeLSBpatternandtryonlythese,reducingthenumberofattemptsbyafactorof2n.
Werananexperimentonadatabaseofmostcommonlyusedpasswords,wherewegrouppasswordsaccordingtotheirleastsignificantbits.
ForasingleLSBthemostcommon1000passwordsweregroupedinto252sets,leavingthebruteforceattackeranaverageofonly4attempts,belowthebarrierformostbruteforceprotectionpolicies.
Theestimationforthenumberofwebaccountsthatareprotectedwithoneofthetop1000mostcommonly-usedpasswordsvariesbetween10-15percent,settingthestageforanattackthatusestheInvarianceWeaknesstoextracttheLSBsofthepasswordinhopethattheuserisoneofthecareless10%.
Weusedapasswordspopularityanalysisfrom[18]toestimatethenumberofbruteforceattemptsanattackerneedstomakeoncehehastheLSBsofapasswordknowntobeinthetop100,1000and10,000(wetookthenumbersfrom[18]asis).
PortionofwebaccountsNumberofLSBgroupsBruteforceworstcase(#Attempts)Bruteforceaveragecase(#Attempts)Top1004.
4%6861.
5Top100013.
2%252244Top10,00030%55720118Theentropyofa16-digitcreditcardnumberisusuallyconsideredtobe5digits,sincethefirst6digitsarenon-secret,thelast4digitsarefreelyexposedonreceiptsandforvalidationpurposes,andthereisa1-bytechecksum(Luhnalgorithm).
AnattackerpossessingtheLSBsofacreditcardnumber,reducesthesearchdomainfrom100,000intoonly1500.
These1500candidatenumberscanbetestedbymakingattemptsforsmallamountpaymentsinretailwebapplicationstofindthevalidoneafter750attemptsonaverage.
Thusthereductioninthecreditcardentropyfrom100,000potentialnumbersinto1500potentialnumbersissignificant,andincreasesthepracticalityofattacks.
AMan-in-the-MiddleAttackThefirstattackwedescriberesemblestheRC4attackfrom[8],withtheattackerusingalargenumberofencryptionsofsecretdata,e.
g.
,asessioncookie,inordertorecoverpartsofthiscookie.
OnewaytoobtainthislargenumberofencryptionsisthroughtheBEASTscenario,whereJavaScriptmalwareisdownloadedfromanattacker-controlledwebsiteandrunsinthevictim'sbrowser,repeatedlysendingHTTPSrequeststothevictimwebserver.
Sessioncookiesareautomaticallyincludedineachoftheserequestsinapredictablelocation,andcanthusbetargetedintheattack.
Theattacker,whoneedsnewSSLconnectionsfornewRC4keystreamprefixes,canenforceterminationoftheSSLsessionafterthetargetencryptedcookieissent;thebrowserwillautomaticallyestablishanewSSLsessionwhenthenextHTTPSrequestissent.
Theattackin[8]recoversthesessioncookiewithprobabilityof50%after226sessions.
Ourattackisexpectedtohaveahit–1-classkeybeingused–every224connections.
Sincesuchahitistranslatedtolongkeystreampatternwithprobabilityof1%-5%,severaldozenhitsarerequiredtocompleteasuccessfulpartialplaintextrecovery.
Forthesakeofsimplicity,intherestofthediscussionweuseasinglenumberof1billionasthenumberofattemptsrequiredtomounttheattack,reflectingthenumberofencryptionstheattackerisexpectedtoseeuntilbeingabletorecoverthedata.
AsopposedtotheBEASTattack,thecurrentattackdoesnotrequirethatthesamekeyisusedinallencryptions,butfollows[8]inrequiringthatthekeybechangedbetweenencryptions.
Moreover,asopposedtotheattackin[8],whichishighlysensitivetosituationswhereinthesessioncookieexpiresorthebrowserisclosedbytheuser(inwhichcasetheattackhastobeginfromthestart),ourattackiscompletelyinsensitivetothesecases.
Whenaweakkeyisused,thelearntinformationisonthesessioncookiefromthatparticularrequest,regardlessofanythingthathappenedbeforethehit,andanythingthatwillhappenafterthehit.
ANon-TargetedPassiveAttackThenatureoftheInvarianceWeakness,allowingtheattackertolearnsignificantplaintextdatafromasinglehit(thatisasinglemessagethatwasencryptedwithaweakkey)opensthedoortonewattackscenarioswhichwerenotpossibleinanyofthepreviousattacks.
Thenextattackwe'lldescribeisapassivevariantoftheaforementionedattack.
Init,theattackereavesdropsontheinboundtraffictoapopularretailorfinancialwebapplication,aimingtostealcreditcardnumberinfo(asimilarattackworksonpasswords).
Theattackerisrequiredtowait1billionconnectionsforaweakkeyusageevent,thiseventbeingvisiblethroughfixedorstructureddatainthisapplication,propagatingthroughthekeystreampatternsintotheciphertext.
TheattackerthenusestheInvarianceWeaknesstopredictkeystreamLSBs,andusesthesetocalculateplaintextLSBsfromciphertextLSBs.
Itisimportanttonotethatthecompromisedcreditcardnumberorpasswordisofarandomvictim,withtheattackernothavinganycontroloveritsidentity.
AccordingtoFacebookuserstatistics,thenumberofdailyactiveusersinFacebookiscloseto1billion.
Thenumberoftimeseachoftheseusersexecutesalogin,eithervisitingFacebookseveraltimes,orpressingaLikebuttoninanotherapplication,canberoughlyestimatedas4.
ThusapassiveeavesdroppersniffingonFacebookinboundlineswaitingforhits,willsee256weakkeysonthedaily4billionlogins,4ofwhichareexpectedtogeneratealongstreampatternandexposethepasswordLSBs.
LuckilyFacebookhadrecentlyremovedRC4fromitslistofSSLsupportedciphers.
GroupAttacksIntheBEAST-likevarianttheattackerisrequiredtogenerate1billionconnectionsfromthevictim'sbrowser.
Ontheotherhand,inthepassivevarianttheattackerneedstosniffon1billionconnectionstothesamewebapplication.
Inanothervariantoftheattack,combiningthetwo,theattackerobtainsthese1billionconnectionsactivelyfromagroupofvictimusers.
TheattackerneedstogetGroupMan-in-the-Middlesetup,beingamaninthemiddleforagroupofusers.
Sincethemostnaturalmethodsofestablishingman-in-the-middleareDNSpoisoningandmakingusersconnecttoamalicioushotspot(eitherofwhichwillestablishtheattackerasMan-in-the-Middleforagroupofusers),thisGroupMan-in-the-Middlesituationispractical.
TheattackerthenrunstheBEAST-likeattackwitheachofthepotentialvictims,terminatingtheirconnectionsimmediatelyafterthesessioncookiebeingsent,untiloneofthemgetsasuccessfulhit,aweakkeythatpropagatessuccessfullyintoalongpattern.
Thiseventisexpectedtooccurafteratotalnumberof1billionSSLconnectionsfromallusersaltogether.
Thisattackscenarioisunique,andstemsfromtheuniquenatureofthisattack,witheveryhitleakingalargequantityofsecretinformation.
One-TimeEncryptionFromtheperspectiveofavictim,theseverityofanattackisproportionaltothedamageoftheattackandtoitslikelihood.
ConsiderauserwhousesSSLtoprotecthismostprecioussecret,andsendsitonlyonceoverSSL.
Interestingly,thisone-timeoperationhasariskofonein64milliontogetaweakRC4keyandoneinabilliontoleakpartsofhisprecioussecret.
Itistruethatoneinabillionisatinyfraction,butstill,itisnotanegligiblefraction.
TheimplicationisthedisturbingfactthateverywebuserisclearlyriskinghisdataeverysingletimehesendsitoveranRC4/SSLconnection.
ConclusionandRecommendationsInthispaperwedemonstratedhowtheInvarianceWeaknesscanbeusedtomountnewattacksonSSLwhenusingRC4.
Weimprovedthesizeoftheprefixforwhichplaintextinfoleaksinto100bytes.
Weshowedhowthe"ResetInsensitivity"oftheInvarianceWeaknesssetsthestagefornewattackscenarios,includingthefirstpassiveattackonSSL.
ThesecurityofRC4hasbeenquestionableformanyyears,inparticularitsinitializationmechanisms.
However,onlyinrecentyearshasthisunderstandingbeguntranslatingintoacalltoretireRC4.
Inthisresearchwefollow[8]andshowthattheimpactofthemanyknownvulnerabilitiesonsystemsusingRC4isclearlyunderestimated.
Whilewaitingforabroad-brushretirementofRC4,specificpartiesshouldconsiderthefollowingactionstoprotectthemselvesfromitsweaknesses:WebapplicationadministratorsshouldstronglyconsiderdisablingRC4itintheirapplications'TLSconfigurations.
Webusers(particularlypowerusers)areencouragedtodisableRC4itintheirbrowser'sTLSconfiguration.
BrowservendorswoulddowelltoconsiderremovingRC4fromtheirTLScipherlists.
OrganizationsleveragingImpervaSecureSpheretoprotecttheirbusiness-criticalwebapplicationsanddata,andwhereinSecureSphereissettohandleTLSconnectionsonbehalfoftheapplications,canconfigureSecureSpheretostopusingtheweakciphersandworkonlywithrobustciphers.
References1.
T.
DierksandC.
Allen.
TheTLSProtocolVersion1.
0.
RFC2246,InternetEngineeringTaskForce,Jan.
1999.
URLhttp://www.
rfc-editor.
org/rfc/rfc2246.
txt.
2.
T.
DierksandE.
Rescorla.
TheTransportLayerSecurity(TLS)ProtocolVersion1.
1.
RFC4346,InternetEngineeringTaskForce,Apr.
2006.
URLhttp://www.
rfc-editor.
org/rfc/rfc4346.
txt.
3.
T.
DierksandE.
Rescorla.
TheTransportLayerSecurity(TLS)ProtocolVersion1.
2.
RFC5246,InternetEngineeringTaskForce,Aug.
2008.
URLhttp://www.
rfc-editor.
org/rfc/rfc5246.
txt.
4.
T.
DierksandE.
Rescorla.
TheTransportLayerSecurity(TLS)ProtocolVersion1.
3,http://tools.
ietf.
org/html/draft-ietf-tls-tls13-045.
B.
Canvel,A.
Hiltgen,S.
Vaudenay,andM.
Vuagnoux.
PasswordinterceptioninaSSL/TLSchannel.
AdvancesinCryptology-CRYPTO2003,pages583–599,2003.
6.
T.
DuongandJ.
Rizzo.
HerecometheNinjas.
2011.
http://www.
hit.
bme.
hu/~buttyan/courses/EIT-SEC/abib/04-TLS/BEAST.
pdf7.
N.
AlFardanandK.
G.
Paterson.
Lucky13:BreakingtheTLSandDTLSrecordprotocols.
InIEEESymposiumonSecurityandPrivacy,2013.
URLhttp://www.
isg.
rhul.
ac.
uk/tls/Lucky13.
html.
8.
NadhemJ.
AlFardan,DanielJ.
Bernstein,KennethG.
Paterson,BertramPoettering,JacobC.
N.
Schuldt.
OntheSecurityofRC4inTLSandWPA,USENIXSecuritySymposium20139.
S.
R.
FluhrerandD.
McGrew.
StatisticalanalysisoftheallegedRC4keystreamgenerator.
InB.
Schneier,editor,FSE,volume1978ofLectureNotesinComputerScience,pages19–30.
Springer,2000.
10.
I.
Mantin.
PredictinganddistinguishingattacksonRC4keystreamgenerator.
InR.
Cramer,editor,EUROCRYPT,volume3494ofLectureNotesinComputerScience,pages491–506.
Springer,2005.
11.
I.
MantinandA.
Shamir.
ApracticalattackonbroadcastRC4.
InM.
Matsui,editor,FSE,volume2355ofLectureNotesinComputerScience,pages152–164.
Springer,2001.
12.
S.
R.
Fluhrer,I.
Mantin,andA.
Shamir.
WeaknessesinthekeyschedulingalgorithmofRC4.
InS.
VaudenayandA.
M.
Youssef,editors,SelectedAreasinCryptography,volume2259ofLectureNotesinComputerScience,pages1–24.
Springer,2001.
13.
I.
Mantin.
AnalysisofthestreamcipherRC4.
MasterThesis,theWeizmannInstituteofScience.
14.
I.
Mantin.
APracticalAttackontheFixedRC4intheWEPMode.
InAdvancesinCryptology-ASIACRYPT200515.
ThisPOODLEBites:ExploitingtheSSL3.
0Fallback.
GoogleSecurityAdvisoryhttps://www.
openssl.
org/~bodo/ssl-poodle.
pdf16.
APerfectCRIMEOnlyTIMEWillOnlyTIMEWillTell.
TalBe'ery,AmichaiShulman.
https://media.
blackhat.
com/eu-13/briefings/Beery/bh-eu-13-a-perfect-crime-beery-wp.
pdf17.
S.
SenGupta,S.
Maitra,G.
Paul,andS.
Sarkar.
(Non-)randomsequencesfrom(non-)randompermutations–analysisofRC4streamcipher.
JournalofCryptology,pages1–42,2012.
18.
10,000TopPasswords.
https://xato.
net/passwords/more-top-worst-passwords/#.
VPiyH_ysVew

云俄罗斯VPSJusthost俄罗斯VPS云服务器justg:JustHost、RuVDS、JustG等俄罗斯vps主机

俄罗斯vps云服务器商家推荐!俄罗斯VPS,也叫毛子主机(毛子vps),因为俄罗斯离中国大陆比较近,所以俄罗斯VPS的延迟会比较低,国内用户也不少,例如新西伯利亚机房和莫斯科机房都是比较热门的俄罗斯机房。这里为大家整理推荐一些好用的俄罗斯VPS云服务器,这里主要推荐这三家:justhost、ruvds、justg等俄罗斯vps主机,方便大家对比购买适合自己的俄罗斯VPS。一、俄罗斯VPS介绍俄罗斯...

DiyVM:499元/月香港沙田服务器,L5630*2/16G内存/120G SSD硬盘/5M CN2线路

DiyVM是一家成立于2009年的国人主机商,提供的产品包括VPS主机、独立服务器租用等,产品数据中心包括中国香港、日本大阪和美国洛杉矶等,其中VPS主机基于XEN架构,支持异地备份与自定义镜像,VPS和独立服务器均可提供内网IP功能。商家VPS主机均2GB内存起步,三个地区机房可选,使用优惠码后每月69元起;独立服务器开设在香港沙田电信机房,CN2线路,自动化开通上架,最低499元/月起。下面以...

香港服务器租用多少钱一个月?影响香港服务器租用价格因素

香港服务器租用多少钱一个月?香港服务器受到很多朋友的青睐,其中免备案成为其特色之一。很多用户想了解香港云服务器价格多少钱,也有同行询问香港服务器的租赁价格,一些实际用户想要了解香港服务器的市场。虽然价格是关注的焦点,但价格并不是香港服务器的全部选择。今天小编介绍了一些影响香港服务器租赁价格的因素,以及在香港租一个月的服务器要花多少钱。影响香港服务器租赁价格的因素:1.香港机房选择香港机房相当于选择...

asp.net网页制作为你推荐
企业cms目前最好用的企业cms是哪个?支付宝蜻蜓发布怎么取得支付宝蜻蜓二代的代理?"AcerMéxico.Listadeprecios-VigenteapartIrdel1deabrilde2011"360邮箱免费注册360账号-电子邮箱怎么填写?申请支付宝账户怎么申请支付宝的账号?补贴eset的是cuteftp小型汽车网上自主编号申请如何从网上自选车牌号徐州商标介绍徐州的一种产品缤纷网缤纷的意思是什么
郑州服务器租用 七牛优惠码 5折 vpsio 视频存储服务器 Hello图床 parseerror 镇江联通宽带 java空间 浙江独立 个人免费空间 183是联通还是移动 vip购优惠 国外免费asp空间 中国电信测速器 重庆电信服务器托管 监控服务器 德讯 金主 云销售系统 更多