Sometimes news comes in waves, and with the recent conclusion of the Black Hat conference in Las Vegas, there’s quite a bit of security news floating around. Here are a few things we thought were especially interesting:
BREACH: The New SSL Attack That’s Hard to Stop
SSL underlies much of the Internet’s security, and attacks against it can be devastating. We want secure transactions with ecommerce sites, safe transmission of passwords, and assurances that we’re interacting with the right people online. Thwarting SSL’s cryptography can undo a lot of that trust and power, making it difficult for people to securely interact with each other online.
This is why many people are worried about a demonstration at Black Hat showing a new method for breaking SSL cryptography called BREACH. The researchers who discovered the method showed that in certain scenarios involving data compression they could extract the underlying ciphertext or secret securing a connection. The attack is complex, but the results were astonishing. During the presentation, the researchers were able to uncover the ciphertext securing an Outlook Web Access session in under 30 seconds.
Unfortunately, there’s no good fix for this problem right now, although Ars Technica has a couple of ideas. The most common recommendation is that you should disable server-side compression. In addition, a member of the Ruby community has also proposed a clever solution that simultaneously offers improved security against cross site request forgery attacks.
RSA Encryption: It May Be Weaker Than We Thought
Also at Black Hat, four security researchers gave a presentation about how the RSA and Diffie-Hellman cryptography algorithms may be cracked in the next 5 years. The researchers believe that new techniques will emerge in the next few years that simplify solving the discrete logarithm problem, which will subsequently cripple these algorithms.
So what does it all mean? Well, RSA turns out to be the foundation of a whole lot of cryptography, including the above mentioned SSL. (It’s not been a good week for SSL.) Breaking RSA would permit attackers to crack SSL and read or modify your personal information (assuming they didn’t get their fill from the BREACH attack).
So what’s the solution to this problem? Well it turns out the NSA, when not reading the emails of regular Americans, has for the last several years recommended we all switch to elliptic curve cryptography (or ECC for short). In a rare case of international agreement, it turns out the Russians have been saying the same thing.
The only catch? Many of the patents for ECC are currently owned by Research In Motion, making it hard for anyone to get a head start implementing it on a global basis. We may be stuck with RSA for a little bit longer.