Securityasp

asp.net网页制作  时间:2021-02-10  阅读:()
BarMitzvahAttackBreakingSSLwitha13-yearoldRC4WeaknessAbstractRC4isthemostpopularstreamcipherintheworld.
Infact,asofMarch2015,RC4isestimatedtoprotectasmuchas30%ofSSLtraffic,likelyamountingtobillionsofTLSconnectionseveryday.
Yetitsuffersacritical–andlongknown–weaknessknownastheInvarianceWeakness.
InthispaperwewillrevisittheInvarianceWeakness–a13-yearoldvulnerabilityofRC4thatisbasedonhugeclassesofRC4weakkeys,whichwasfirstpublishedintheFMSpaperin2001.
WewillshowhowthisvulnerabilitycanbeusedtomountpartialplaintextrecoveryattacksonSSL-protecteddata,whenRC4isthecipherofchoice,forrecoveringtheLSBsofasmanyas100bytesfromtheencryptedstream.
AsopposedtoBEAST,POODLE,CRIMEandotherattacksonSSLthatwerepublishedinrecentyears,includingtheRoyalHollowayAttackontheusageofRC4,anewattackbasedupontheInvarianceWeaknessdoesnotrelyonaggregationofsmallfragmentsofplaintextinformation,butona"hit",arareeventthatcausesasignificantleakagetooccur.
WeshowhowthisuniquecharacteristiccanbeusedtoattackSSLinnewscenarios,includingthefirstpracticalattackonSSLthatdoesnotrequireanactiveMan-in-the-Middle.
Furthermore,thenewattackisnotlimitedtorecoveryoftemporalsessiontokens,butcanbeusedtostealpartsofpermanentsecretdatasuchasaccountcredentialsandcreditcardnumberswhendeliveredoverHTTPS.
Anothervariantoftheattackrecoversasignificantpartofasecretwithsmallbutnon-negligibleprobability,evenifthatwastransmittedonlyonceovertheSSLconnection.
ThispaperwilldescribetheInvarianceWeaknessindetail,explainitsimpacts,andrecommendsomemitigatingactions.
IntroductionTLSTheProtocolTLSisthemostwidelyusedsecurecommunicationsprotocolontheInternettoday.
StartinglifeasSSL,theprotocolwasadoptedbytheIETFandspecifiedasanRFCstandardunderthenameofTLS1.
0[1].
IthassinceevolvedthroughTLS1.
1[2]tothecurrentversionTLS1.
2[3].
TLS1.
3is,asofMarch2015,indraft[4].
VariousotherRFCsdefineadditionalTLScryptographicalgorithmsandextensions.
SSLiscurrentlyusedforsecuringawidevarietyofapplication-leveltraffic:Itserves,forexample,asthebasisoftheHTTPSprotocolforencryptedwebbrowsing,itisusedinconjunctionwithIMAPorSMTPtocryptographicallyprotectemailtraffic,anditisapopulartooltosecurecommunicationwithembeddedsystems,mobiledevices,andinpaymentsystems.
SSLstrivestofulfilltwomajorgoals:1)allowtwopartiestoauthenticateeachother,and2)securethecommunicationbetweenthetwo.
InmanySSLdeployments,particularsecurewebbrowsing,theauthenticationisone-way,meaningthatonlytheclient(browser)authenticatestheserver(webapplication),butnotviceversa.
SSLsessionsconsistoftwophases:IntheSSLHandshakingProtocoltheclientauthenticatestheserver,theserver(optionally)authenticatestheclientandbothestablishcryptographicsessionkeys,readytoprotectthecommunication.
IntheRecordProtocolthepartiesusetheestablishedsessionkeysandsymmetrickeycryptographytoencrypt(e.
g.
,usingAESblockcipherorRC4streamcipher)andauthenticate(e.
g.
,usingHMACalgorithms)tobuildasecurechannelforapplication-layerdata.
ThepartiescanchoosebetweenmanydifferentauthenticationandencryptionalgorithmsfortheRecordProtocol,essentiallydividedintothefollowingclasses:BlockCipher(CBCmodeofoperation)+HMACStreamCipher(RC4)+HMACAuthenticated-Encryptionusingblockcipher(GCM/CCMmodeofoperation)SSLProtocolWeaknessesInthelastcoupleofyearsseveralsignificantvulnerabilitieshavebeendiscoveredintheSSLprotocol,particularlyinthemostcommonlyusedvariants,AES-CBCandRC4.
TheAES-CBCvarianthasseensignificantcryptanalysis(paddingoracleattacks[5],BEAST[6],Lucky13[7],TIME[16],andPOODLE[15]).
Andin2013AlFardanet-alpublishedananalysis[8]oftheRC4mode,whichshowedhowtomountanattackthatrecoversdatatransmittedoveraSSL/RC4connection.
TheattackwasbasedonsomeofthemanyknowweaknessesofRC4,inparticularthesignificantstatisticalbiasesinitsfirstoutputbytes,andtheweakerstatisticalbiasesintheRC4keystream.
ImplementationWeaknessesInrecentyearsSSLimplementationshavereceivedsignificantattentionandscrutinyfromsecurityresearchers,andthishasresultedinsteadydiscoveryofnewvulnerabilities(andpatching,withorwithoutdisclosure).
In2014severaldozenvulnerabilitieswerediscoveredintheOpenSSLlibrary(themostpopularimplementationofSSL),HeartbleedbeingthemostsevereoneinthatitallowsanattackertodumpmemorysegmentsfromtheSSLserver,inmanycasesexposingsecretkeyinformation.
Vulnerabilitiesinseveralotherimplementationswerepublishedaswell(e.
g.
,CVE-2014-6321inMicrosoftSChannel).
OnRC4TheStreamCipherThe4-lineStreamCipherRivestCipher4(RC4)isoneofthesimplestcryptographicalgorithms,implementingapseudo-randomgeneratorthatisusedtoimplementastreamcipher.
TheinternalstateofRC4includesapermutationSof[0,1,.
.
,255]andtwoindicesiandjinthispermutation.
Inthekeyschedulingphase(KSA)anL-bytelongRC4key(forLvaryingbetween5and256)isusedtoconstructtheinitialstatepermutationS0.
Intheencryptionphase,RC4PRGA,whichisinitializedwiththeresultantS0isusedtogenerateastreamofpseudo-randombytes,denotedasthekeystream.
LikemostoftheStreamCiphers,thesepseudo-randombytesareXOR-edwiththeplaintextbytestogeneratetheciphertextbytes.
ThebuildingblocksofRC4aredescribedbelow.
KSA(K)PRGA(S0)j=0S=[0,1,2,…,255]fori=0.
.
255j=(j+S[i]+K[imodeL])S[i]S[j]Alloperationsaredonemod256i,j=0,0S=S0whilebytesareneeded:i=i+1j=j+S[i]S[i]S[j]EmitS[S[i]+S[j]]Knownforitssimplicityandforitsrespectedauthor,RC4gainedconsiderablepopularity.
Andgivenitsimpressiveperformance,beingabletoencryptanddecryptalmosttwotimesfasterthanAES,formanyyearsitwasconsideredtobethedefaultstreamcipher.
SecurityofRC4RC4isnotasecurecipher.
Backinthe90s,whenRC4wasatradesecretofRSAanditsdetailswhereknownbutnotformallyapproved,RC4wasbelievedtobesecure.
However,inthefollowingdecade,RC4hadundergonesignificantscrutinybycryptographyexperts,whichshowedstatisticalbiasesinthepseudo-randomstreamthatallowanattackertodistinguishRC4fromrandom([9],[10])andtopredictitsallegedlypseudo-randombitswithhighprobability([10]).
WhilethisstatisticalanalysisrequiresmanymillionsofRC4keystreambytes,tworesearchesin2001ontheinitializationofRC4hadswitchedthefocusofRC4analysistoitspoorinitializationmechanisms.
Thefirst[11]hadshownthatthesecondbyteofRC4hashugestatisticalbias,havingtwicetheexpectedprobabilitytobezero.
Thesecond[12],laterknownastheFMSresearch,hadcompletelybrokenRC4inthewayitwasusedintheWEPprotocol.
TheseresultshadinitiatedawaveofresearcheffortsandanalysisresultsonRC4initialization,awavewhoseendisyettobeseen.
Correlationbetweenkeybytesandstatebytes(e.
g.
,[13]),correlationbetweenkeybytesandfirstoutputbytes(e.
g.
,[12]),andbetweenkeybytesandfurtheroutputbytes([14]),significantstatisticalbiasesinthefirst256outputbytes[17],andmanyotherresults.
Interestingly,theseriesofsuccessfulattacksdidn'thaveasignificantimpactonthepopularityofRC4,andinfactduringthewaveofCBCattacksonSSLin2012,someexpertsrecommendedswitchingtoRC4.
TheInvarianceWeaknessTheFMSresearch[12]detailstwosignificantRC4weaknesses.
TheIVweakness,resultinginapracticalkeyrecoveryattackandcompletebreakofRC4intheWEPprotocol,receivedmostoftheattention,leavingtheotherweakness-denotedinthepaperastheInvarianceWeakness-intheshadowsfor13years.
TheInvarianceWeakness,isanL-shapekeypatterninRC4keys,whichonceitexistsinanRC4key,preservespartofthestatepermutationintactthroughouttheinitializationprocess.
Thisintactpartincludestheleastsignificantbitsofthepermutation,whenprocessedbythePRGAalgorithm,determinestheleastsignificantbitsoftheallegedlypseudo-randomoutputstreamalongalongprefixofthestream.
Thesepatterns,andadetailedexplanationofhowtheyarepreserved,aredescribedindetailin[12]and[13].
ThesebiasedstreambytesareXOR-edwiththeplaintextbytes,resultinginsignificantleakageofplaintextbytesfromtheciphertextbytes.
ThesepatternsoccurfordifferentnumberofLSBs,asingleLSB,2LSBs,3LSBsto7LSBs,resultingwithdifferentclassesofweakRC4keys.
Duetothestructureoftheseclasses,eachclasscontainsthesucceedingclassesandthusthefirstclassisthelargest,denotedbelowastheMainClass.
Theportionofq-classforL-bytekeys(whichistheprobabilityofarandomkeytobeintheclass)is2-(qL+(9-q)).
For16-bytekeytheportionoftheMainClass(1-class)is2-24(1in16million)andtheportionof2-classis2-39(veryrare).
Thesenumbersareshowninthefollowingtable.
#LSBsApplicabilityClassProbability(8-bytekey)ClassProbability(16-bytekey)1Keyswithevennumberofbytes2-162-242Keyswithnumberofbytesthatisamultipleof42-232-393Keyswithnumberofbytesthatisamultipleof82-302-544Keyswithnumberofbytesthatisamultipleof162-372-69Whenakeyfromaq-classisused,thefollowingthingshappen:TheinitializationphaseofRC4failstomixthestatewithkeymaterialproperly,andpreservestheKleastsignificantbitsofitsinternalstateAsaresult,theinitialstateofRC4hasfixednon-mixedqLSBsqleastsignificantbitsofthefirst30-50bytesstreambytescomplywithadeterministicpatternwithsignificantprobabilityqleastsignificantbitsofthefirst30-50plaintextbytesareexposedwithsignificantprobabilityTheprobabilityoftheqLSBstocomplywiththepatterndropswiththestream.
ThisprobabilityisdemonstratedinthefollowingdiagramsforasingleLSB,2LSBsand3LSBs.
Figure1:SingleLSB(advantageover0.
5)Figure2:2LSBs(advantageover0.
25)Figure3:3LSBs(advantageover0.
125)Thereasonforthedecreasingprobabilityisthestatepatterngetting"ruined"withthestreamgenerationandafter50bytesemittedbyRC4PRGA,thepatternfadesout.
However,subsequentanalysisweranonRC4streamswhenusingweakkeysshowedadifferencepatternbetweenstreamLSBs,whichislesssensitivetothis"ruining"effect,andmanagestosurviveforasmanyas100bytesofthekeystream.
ThesurvivalprobabilityofdifferencepatternsisdemonstratedinthefollowingdiagramsforasingleLSB,2LSBsand3LSBs,withreferencetothevaluepatterns(thediffpatternisinredandthevaluepatternremainsinblue).
Figure4:SingleLSB(diffpattern;advantageover0.
5)Figure5:2LSBs(diffpattern;advantageover0.
25)Figure6:3LSBs(diffpattern;advantageover0.
125)ApplicationsoftheInvarianceWeaknessTheInvarianceWeaknessofRC4hasseveralcryptanalyticapplications,describedindetailin[12]and[13],includingstatisticalbiasesintheRC4pseudo-randomstreamthatallowanattackertodistinguishRC4streamsfromrandomnessandenhancementoftradeoffattacksonRC4.
AnotherapplicationoftheInvarianceWeakness,whichweuseforourattack,istheleakageofplaintextdataintotheciphertextwhenq-classkeysareused.
Theauthorsof[8]hadtranslatedstatisticalbiasesinthekeystreamintoplaintextleakageattacks.
Wefollow[8]anduseourstatisticalbiastorecoverplaintextinformation.
TheInvarianceWeaknessbiasesarenotasstrongasthebiasesusedin[8].
However,thesebiaseshaveuniquecharacteristics,ononehandoccurringrarely,butontheotherhandeffectivein100keystreambyteswithextremelyhighprobability,openingthedoortoplaintextleakageattacksinseveralcircumstancesthatwerebelievedtobecompletelysecure.
UsingtheInvarianceWeaknesstoAttackSSLSSLUsageofRC4SSLRecordProtocolusesRC4forencryptioninmanySSLciphersuites.
IntheHandshakingprotocol,RC4encryptionkeysaregeneratedforupstreamanddownstreamcommunication.
IntheRecordprotocol,theupstreamkeyisusedforencryptionofclient-to-servercommunication,whereasthedownstreamkeyisusedforencryptionofserver-to-clientcommunication.
Itisimportanttonotethattheencryptionsarestatefull,usingthefirstkeystreambytesforencryptingthefirstmessage,thesucceedingkeystreambytesforencryptingthenextmessage,etc.
GiventhattheInvarianceweaknessisexpressedonlyinthefirst100bytesofthekeystream,itcanbeusedonlyforthefirst100bytesoftheprotectedupstreamtrafficandthefirst100bytesoftheprotecteddownstreamtraffic.
GiventhatthefirstencryptedmessageineachdirectionistheSSLHandshakeFinishedmessage(36-bytesintypicalusageofSSL),about64bytesofsecretplaintextdataareleftfortheattack.
Thisflowisdepictedinthefollowingdiagram.
Thefirst36bytesoftheupstreamkeystreamareusedforencryptingtheFinishedmessage.
Thenextbytesareusedtoencrypttheactualapplicationdata.
TheAttackScenarioOurattacksarebasedonthefollowingscenario:theattackersniffsalargenumberofSSLconnectionsencryptedwithRC4,waitingfora"hit";thatisthearrivalofaweakkey.
Onceaweakkeyarrives,theattackerpredictstheLSBsofthekeystreambytes,andusesthesetoextracttheLSBsoftheplaintextbytesfromtheciphertextwithsignificantadvantage.
Inordertofulfillthisscenario,theattackerneedstodeterminewhichSSLsessionsaretheonesinwhichweakkeyswereused.
ForthisisolationtheattackercanusethefactthatthefirstencryptedbytesincludetheSSL"Finished"messageandHTTPrequest,bothhavingpredictableinformation.
Thus,whenaweakkeyisused,theplaintextpatternsareXOR-edwithkeystreampatterns,generatingciphertextpatternsvisibletotheattacker.
[7],[8]andotherpreviousattacksonSSL,usetinystatisticalbiasestoaggregatetinypiecesofplaintextinformation.
Inordertomakethisaggregationpossible,thetargetobjectmustbeencryptedmanytimes,withthesamekeyin[7andwithdifferentkeysinabroadcastscenarioin[8].
Asopposedtotheseattacks,ourattackscenario,whenaweakkeyarrives,getsatonceasignificantamountofdataonthetargetobject,providingimmediatepartialplaintextrecovery.
Ontheotherhand,thispartialplaintextrecoverycannotbeextendedintofullplaintextrecoverybycontinuingtheattackandlisteningtomoresessions.
WhatcanyoudowithLSBsTheabovescenarioallowstheattackertorecovertheleastsignificantbitsofuptoahundredsecretbytes.
Whenthetargetobjectisasessioncookie,theattackerreducestheeffectivesizeofthecookie,allowingaccelerationofbruteforceattackonthesessioncookieforthesakeofSessionHijacking.
Forexample,learningtheLSBsofASPsessioncookies,whichcontain16charactersof5-bitentropyeach,reduces16bitsofthecookieentropyandthuscanbeusedforfasterbruteforceattackonthesessioncookievalue.
ForPHPsessioncookiesthisaccelerationcanincreasetouptoafactorof232.
Whenthetargetobjectisann-characterpassword,anattackerpossessingthepasswordLSBscanaccelerateadictionaryattackwithafactorof2n,reducingthesecurityofan8-charpasswordbyafactorof256.
Furthermore,anattackerwhorunsabruteforceattackonaloginAPI,canscanadatabaseofknownpopularpasswords,extractthepasswordsthatcomplywiththeLSBpatternandtryonlythese,reducingthenumberofattemptsbyafactorof2n.
Werananexperimentonadatabaseofmostcommonlyusedpasswords,wherewegrouppasswordsaccordingtotheirleastsignificantbits.
ForasingleLSBthemostcommon1000passwordsweregroupedinto252sets,leavingthebruteforceattackeranaverageofonly4attempts,belowthebarrierformostbruteforceprotectionpolicies.
Theestimationforthenumberofwebaccountsthatareprotectedwithoneofthetop1000mostcommonly-usedpasswordsvariesbetween10-15percent,settingthestageforanattackthatusestheInvarianceWeaknesstoextracttheLSBsofthepasswordinhopethattheuserisoneofthecareless10%.
Weusedapasswordspopularityanalysisfrom[18]toestimatethenumberofbruteforceattemptsanattackerneedstomakeoncehehastheLSBsofapasswordknowntobeinthetop100,1000and10,000(wetookthenumbersfrom[18]asis).
PortionofwebaccountsNumberofLSBgroupsBruteforceworstcase(#Attempts)Bruteforceaveragecase(#Attempts)Top1004.
4%6861.
5Top100013.
2%252244Top10,00030%55720118Theentropyofa16-digitcreditcardnumberisusuallyconsideredtobe5digits,sincethefirst6digitsarenon-secret,thelast4digitsarefreelyexposedonreceiptsandforvalidationpurposes,andthereisa1-bytechecksum(Luhnalgorithm).
AnattackerpossessingtheLSBsofacreditcardnumber,reducesthesearchdomainfrom100,000intoonly1500.
These1500candidatenumberscanbetestedbymakingattemptsforsmallamountpaymentsinretailwebapplicationstofindthevalidoneafter750attemptsonaverage.
Thusthereductioninthecreditcardentropyfrom100,000potentialnumbersinto1500potentialnumbersissignificant,andincreasesthepracticalityofattacks.
AMan-in-the-MiddleAttackThefirstattackwedescriberesemblestheRC4attackfrom[8],withtheattackerusingalargenumberofencryptionsofsecretdata,e.
g.
,asessioncookie,inordertorecoverpartsofthiscookie.
OnewaytoobtainthislargenumberofencryptionsisthroughtheBEASTscenario,whereJavaScriptmalwareisdownloadedfromanattacker-controlledwebsiteandrunsinthevictim'sbrowser,repeatedlysendingHTTPSrequeststothevictimwebserver.
Sessioncookiesareautomaticallyincludedineachoftheserequestsinapredictablelocation,andcanthusbetargetedintheattack.
Theattacker,whoneedsnewSSLconnectionsfornewRC4keystreamprefixes,canenforceterminationoftheSSLsessionafterthetargetencryptedcookieissent;thebrowserwillautomaticallyestablishanewSSLsessionwhenthenextHTTPSrequestissent.
Theattackin[8]recoversthesessioncookiewithprobabilityof50%after226sessions.
Ourattackisexpectedtohaveahit–1-classkeybeingused–every224connections.
Sincesuchahitistranslatedtolongkeystreampatternwithprobabilityof1%-5%,severaldozenhitsarerequiredtocompleteasuccessfulpartialplaintextrecovery.
Forthesakeofsimplicity,intherestofthediscussionweuseasinglenumberof1billionasthenumberofattemptsrequiredtomounttheattack,reflectingthenumberofencryptionstheattackerisexpectedtoseeuntilbeingabletorecoverthedata.
AsopposedtotheBEASTattack,thecurrentattackdoesnotrequirethatthesamekeyisusedinallencryptions,butfollows[8]inrequiringthatthekeybechangedbetweenencryptions.
Moreover,asopposedtotheattackin[8],whichishighlysensitivetosituationswhereinthesessioncookieexpiresorthebrowserisclosedbytheuser(inwhichcasetheattackhastobeginfromthestart),ourattackiscompletelyinsensitivetothesecases.
Whenaweakkeyisused,thelearntinformationisonthesessioncookiefromthatparticularrequest,regardlessofanythingthathappenedbeforethehit,andanythingthatwillhappenafterthehit.
ANon-TargetedPassiveAttackThenatureoftheInvarianceWeakness,allowingtheattackertolearnsignificantplaintextdatafromasinglehit(thatisasinglemessagethatwasencryptedwithaweakkey)opensthedoortonewattackscenarioswhichwerenotpossibleinanyofthepreviousattacks.
Thenextattackwe'lldescribeisapassivevariantoftheaforementionedattack.
Init,theattackereavesdropsontheinboundtraffictoapopularretailorfinancialwebapplication,aimingtostealcreditcardnumberinfo(asimilarattackworksonpasswords).
Theattackerisrequiredtowait1billionconnectionsforaweakkeyusageevent,thiseventbeingvisiblethroughfixedorstructureddatainthisapplication,propagatingthroughthekeystreampatternsintotheciphertext.
TheattackerthenusestheInvarianceWeaknesstopredictkeystreamLSBs,andusesthesetocalculateplaintextLSBsfromciphertextLSBs.
Itisimportanttonotethatthecompromisedcreditcardnumberorpasswordisofarandomvictim,withtheattackernothavinganycontroloveritsidentity.
AccordingtoFacebookuserstatistics,thenumberofdailyactiveusersinFacebookiscloseto1billion.
Thenumberoftimeseachoftheseusersexecutesalogin,eithervisitingFacebookseveraltimes,orpressingaLikebuttoninanotherapplication,canberoughlyestimatedas4.
ThusapassiveeavesdroppersniffingonFacebookinboundlineswaitingforhits,willsee256weakkeysonthedaily4billionlogins,4ofwhichareexpectedtogeneratealongstreampatternandexposethepasswordLSBs.
LuckilyFacebookhadrecentlyremovedRC4fromitslistofSSLsupportedciphers.
GroupAttacksIntheBEAST-likevarianttheattackerisrequiredtogenerate1billionconnectionsfromthevictim'sbrowser.
Ontheotherhand,inthepassivevarianttheattackerneedstosniffon1billionconnectionstothesamewebapplication.
Inanothervariantoftheattack,combiningthetwo,theattackerobtainsthese1billionconnectionsactivelyfromagroupofvictimusers.
TheattackerneedstogetGroupMan-in-the-Middlesetup,beingamaninthemiddleforagroupofusers.
Sincethemostnaturalmethodsofestablishingman-in-the-middleareDNSpoisoningandmakingusersconnecttoamalicioushotspot(eitherofwhichwillestablishtheattackerasMan-in-the-Middleforagroupofusers),thisGroupMan-in-the-Middlesituationispractical.
TheattackerthenrunstheBEAST-likeattackwitheachofthepotentialvictims,terminatingtheirconnectionsimmediatelyafterthesessioncookiebeingsent,untiloneofthemgetsasuccessfulhit,aweakkeythatpropagatessuccessfullyintoalongpattern.
Thiseventisexpectedtooccurafteratotalnumberof1billionSSLconnectionsfromallusersaltogether.
Thisattackscenarioisunique,andstemsfromtheuniquenatureofthisattack,witheveryhitleakingalargequantityofsecretinformation.
One-TimeEncryptionFromtheperspectiveofavictim,theseverityofanattackisproportionaltothedamageoftheattackandtoitslikelihood.
ConsiderauserwhousesSSLtoprotecthismostprecioussecret,andsendsitonlyonceoverSSL.
Interestingly,thisone-timeoperationhasariskofonein64milliontogetaweakRC4keyandoneinabilliontoleakpartsofhisprecioussecret.
Itistruethatoneinabillionisatinyfraction,butstill,itisnotanegligiblefraction.
TheimplicationisthedisturbingfactthateverywebuserisclearlyriskinghisdataeverysingletimehesendsitoveranRC4/SSLconnection.
ConclusionandRecommendationsInthispaperwedemonstratedhowtheInvarianceWeaknesscanbeusedtomountnewattacksonSSLwhenusingRC4.
Weimprovedthesizeoftheprefixforwhichplaintextinfoleaksinto100bytes.
Weshowedhowthe"ResetInsensitivity"oftheInvarianceWeaknesssetsthestagefornewattackscenarios,includingthefirstpassiveattackonSSL.
ThesecurityofRC4hasbeenquestionableformanyyears,inparticularitsinitializationmechanisms.
However,onlyinrecentyearshasthisunderstandingbeguntranslatingintoacalltoretireRC4.
Inthisresearchwefollow[8]andshowthattheimpactofthemanyknownvulnerabilitiesonsystemsusingRC4isclearlyunderestimated.
Whilewaitingforabroad-brushretirementofRC4,specificpartiesshouldconsiderthefollowingactionstoprotectthemselvesfromitsweaknesses:WebapplicationadministratorsshouldstronglyconsiderdisablingRC4itintheirapplications'TLSconfigurations.
Webusers(particularlypowerusers)areencouragedtodisableRC4itintheirbrowser'sTLSconfiguration.
BrowservendorswoulddowelltoconsiderremovingRC4fromtheirTLScipherlists.
OrganizationsleveragingImpervaSecureSpheretoprotecttheirbusiness-criticalwebapplicationsanddata,andwhereinSecureSphereissettohandleTLSconnectionsonbehalfoftheapplications,canconfigureSecureSpheretostopusingtheweakciphersandworkonlywithrobustciphers.
References1.
T.
DierksandC.
Allen.
TheTLSProtocolVersion1.
0.
RFC2246,InternetEngineeringTaskForce,Jan.
1999.
URLhttp://www.
rfc-editor.
org/rfc/rfc2246.
txt.
2.
T.
DierksandE.
Rescorla.
TheTransportLayerSecurity(TLS)ProtocolVersion1.
1.
RFC4346,InternetEngineeringTaskForce,Apr.
2006.
URLhttp://www.
rfc-editor.
org/rfc/rfc4346.
txt.
3.
T.
DierksandE.
Rescorla.
TheTransportLayerSecurity(TLS)ProtocolVersion1.
2.
RFC5246,InternetEngineeringTaskForce,Aug.
2008.
URLhttp://www.
rfc-editor.
org/rfc/rfc5246.
txt.
4.
T.
DierksandE.
Rescorla.
TheTransportLayerSecurity(TLS)ProtocolVersion1.
3,http://tools.
ietf.
org/html/draft-ietf-tls-tls13-045.
B.
Canvel,A.
Hiltgen,S.
Vaudenay,andM.
Vuagnoux.
PasswordinterceptioninaSSL/TLSchannel.
AdvancesinCryptology-CRYPTO2003,pages583–599,2003.
6.
T.
DuongandJ.
Rizzo.
HerecometheNinjas.
2011.
http://www.
hit.
bme.
hu/~buttyan/courses/EIT-SEC/abib/04-TLS/BEAST.
pdf7.
N.
AlFardanandK.
G.
Paterson.
Lucky13:BreakingtheTLSandDTLSrecordprotocols.
InIEEESymposiumonSecurityandPrivacy,2013.
URLhttp://www.
isg.
rhul.
ac.
uk/tls/Lucky13.
html.
8.
NadhemJ.
AlFardan,DanielJ.
Bernstein,KennethG.
Paterson,BertramPoettering,JacobC.
N.
Schuldt.
OntheSecurityofRC4inTLSandWPA,USENIXSecuritySymposium20139.
S.
R.
FluhrerandD.
McGrew.
StatisticalanalysisoftheallegedRC4keystreamgenerator.
InB.
Schneier,editor,FSE,volume1978ofLectureNotesinComputerScience,pages19–30.
Springer,2000.
10.
I.
Mantin.
PredictinganddistinguishingattacksonRC4keystreamgenerator.
InR.
Cramer,editor,EUROCRYPT,volume3494ofLectureNotesinComputerScience,pages491–506.
Springer,2005.
11.
I.
MantinandA.
Shamir.
ApracticalattackonbroadcastRC4.
InM.
Matsui,editor,FSE,volume2355ofLectureNotesinComputerScience,pages152–164.
Springer,2001.
12.
S.
R.
Fluhrer,I.
Mantin,andA.
Shamir.
WeaknessesinthekeyschedulingalgorithmofRC4.
InS.
VaudenayandA.
M.
Youssef,editors,SelectedAreasinCryptography,volume2259ofLectureNotesinComputerScience,pages1–24.
Springer,2001.
13.
I.
Mantin.
AnalysisofthestreamcipherRC4.
MasterThesis,theWeizmannInstituteofScience.
14.
I.
Mantin.
APracticalAttackontheFixedRC4intheWEPMode.
InAdvancesinCryptology-ASIACRYPT200515.
ThisPOODLEBites:ExploitingtheSSL3.
0Fallback.
GoogleSecurityAdvisoryhttps://www.
openssl.
org/~bodo/ssl-poodle.
pdf16.
APerfectCRIMEOnlyTIMEWillOnlyTIMEWillTell.
TalBe'ery,AmichaiShulman.
https://media.
blackhat.
com/eu-13/briefings/Beery/bh-eu-13-a-perfect-crime-beery-wp.
pdf17.
S.
SenGupta,S.
Maitra,G.
Paul,andS.
Sarkar.
(Non-)randomsequencesfrom(non-)randompermutations–analysisofRC4streamcipher.
JournalofCryptology,pages1–42,2012.
18.
10,000TopPasswords.
https://xato.
net/passwords/more-top-worst-passwords/#.
VPiyH_ysVew

Pacificrack:新增三款超级秒杀套餐/洛杉矶QN机房/1Gbps月流量1TB/年付仅7美刀

PacificRack最近促销上瘾了,活动频繁,接二连三的追加便宜VPS秒杀,PacificRack在 7月中下旬已经推出了五款秒杀VPS套餐,现在商家又新增了三款更便宜的特价套餐,年付低至7.2美元,这已经是本月第三波促销,带宽都是1Gbps。PacificRack 7月秒杀VPS整个系列都是PR-M,也就是魔方的后台管理。2G内存起步的支持Windows 7、10、Server 2003\20...

HostYun全场9折,韩国VPS月付13.5元起,日本东京IIJ线路月付22.5元起

HostYun是一家成立于2008年的VPS主机品牌,原主机分享组织(hostshare.cn),商家以提供低端廉价VPS产品而广为人知,是小成本投入学习练手首选,主要提供基于XEN和KVM架构VPS主机,数据中心包括中国香港、日本、德国、韩国和美国的多个地区,大部分机房为国内直连或者CN2等优质线路。本月商家全场9折优惠码仍然有效,以KVM架构产品为例,优惠后韩国VPS月付13.5元起,日本东京...

RAKSmart VPS主机半价活动 支持Windows系统 包含香港、日本机房

RAKSmart 商家最近动作还是比较大的,比如他们也在增加云服务器产品,目前已经包含美国圣何塞和洛杉矶机房,以及这个月有新增的中国香港机房,根据大趋势云服务器算是比较技术流的趋势。传统的VPS主机架构方案在技术层面上稍微落后一些,当然也是可以用的。不清楚是商家出于对于传统VPS主机清理库存,还是多渠道的产品化营销,看到RAKSmart VPS主机提供美国、香港和日本机房的半价促销,当然也包括其他...

asp.net网页制作为你推荐
wordpress模板wordpress模板与主题的区别支付宝蜻蜓发布支付宝蜻蜓f4,可以让没有支付宝的人刷脸付款?"AcerMéxico.Listadeprecios-VigenteapartIrdel1deabrilde2011"flashftp下载rmdown怎么下载flashftp下载《蔓蔓青萝(全)》.TXT_微盘下载www.topit.mehttp://www.topit.me/ 中自己上传的照片如何删除yixingjia报价是什么意思加多宝和王老吉王老吉和加多宝的关系?tumblr上不去吃鸡更新完打不开,成这样了,怎么办在线等,挺急的即时通平台寻找娱乐高科技产品
免费国内空间 广西虚拟主机 成都主机租用 免费试用vps 域名备案网站 备案域名出售 联通c套餐 hostgator 香港机房 贵州电信宽带测速 远程登陆工具 网通服务器ip 亚洲小于500m 有奖调查 softbank邮箱 cn3 空间首页登陆 游戏服务器出租 wordpress中文主题 中国联通宽带测试 更多