Cryptography Reference
In-Depth Information
be used for protecting data. It is relaxed for the less-exposed master secret, which
is only publicly used to create MACs during the SSL Handshake Protocol.
12.1.6 SSL security issues
SSL is a popular communication protocol and is generally regarded as
cryptographically 'strong' if used with respected cryptographic algorithms. Most security
problems experienced using recent versions of SSL have arisen from aspects that
are beyond the scope of the protocol specification. These include:
Process failures. The most common 'failure' of SSL arises when a client does not
perform the necessary checks to validate the server's public-key certificate.
A web user who is presented with a dialogue box warning them of their
browser's inability to verify a public-key certificate is quite likely to disregard it
and proceed with establishing an SSL session. Indeed, it is rather hard to place
too much blame on them for doing so.
A particularly common manifestation of this problem on the Internet is
when a rogue web server, holding a legitimate public-key certificate in its own
name, tries to pass itself off as another web server. Even if the client web browser
successfully verifies the rogue web server's certificate chain, if the client does
not notice that the public-key certificate is not in the name of the expected web
server then the rogue web server will succeed in establishing an SSL protected
channel with the client. This is an entity authentication failure because the
client has succeeded in setting up an SSL session, but it is not with the server
that they think it is with. This failure is often exploited during phishing attacks.
Note that the above phishing attack is not a failure of the SSL Handshake
Protocol. It is a failure in the surrounding processes that support the protocol.
In this case the client has failed to conduct a protocol action (validating the
server's certificate chain) with a sufficient degree of rigour.
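The name check described above, as an added example that is not part of the original text: a client context that validates only the chain beside Python's default one, and the comparison of the expected server name against a certificate in the format returned by SSLSocket.getpeercert(). The host names and both sample certificates are constructed, and the matcher is a simplified illustration of what the ssl module does itself when check_hostname is left on and server_hostname is passed to wrap_socket().

```python
import ssl

def strict_client_context():
    """Default client settings: chain validation AND server-name check."""
    return ssl.create_default_context()

def chain_only_context():
    """Weak setting: the chain is validated, the name is never compared."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # verify_mode stays CERT_REQUIRED
    return ctx

def _dns_match(pattern, host):
    """Match one dNSName entry; '*' may only stand for the whole leftmost label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def name_matches(cert, expected_host):
    """cert is a dict in the format returned by SSLSocket.getpeercert()."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return any(_dns_match(s, expected_host) for s in sans)

# Constructed sample certificates; both are assumed to have a valid chain.
GENUINE = {"subjectAltName": (("DNS", "www.bank.example"),
                              ("DNS", "*.bank.example"))}
ROGUE = {"subjectAltName": (("DNS", "www.other-site.example"),)}

if __name__ == "__main__":
    # The client intended to reach www.bank.example in both cases.
    for label, cert in (("genuine", GENUINE), ("rogue", ROGUE)):
        print(label, name_matches(cert, "www.bank.example"))
```
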
Implementation failures. Because it is an open protocol that can be adopted
for many different applications, on different platforms, by anyone, SSL
is particularly vulnerable to implementation failures. Even if the protocol
specification is followed correctly, it could fail if a supporting component is
weak. For example, if the client uses a weak deterministic generator to generate
the pre-master secret K_P then the protocol can be compromised because the
session keys become too predictable.
Key management failures. As discussed in Section 12.1.5, if either the client
or the server mismanages their cryptographic keys then the protocol can be
compromised. For example, if an attacker obtains the server's private key then
the attacker can recover the pre-master secret. The attacker can then compute
all the resulting session keys and hence undermine any secure channel that
these session keys are used to establish.
Usage failures. SSL has such a high profile that it runs the risk of being
used inappropriately. Alternatively it may be appropriately deployed, but