Security Question

K.S.Sreeram
Hi All

Is it possible to decrypt a recorded SSL session, if the attacker gains
access to the RSA private keys at a later point in time? If yes, what
would be the best way to avoid this?

Thanks in Advance!
Regards
Sreeram



Re: Security Question

Sudharsan Rangarajan
I'm not sure if SSL gives you such options, but the best way to prevent
compromise of an RSA key would be to establish a Diffie-Hellman key.
You would want to do a shared secret anyway..and I'm sure SSL does
it..if the shared secret is computed using Diffie-Hellman and nobody
gets hold of the exponents..you are safe

Sudharsan

On 5/25/06, Sreeram Kandallu <[hidden email]> wrote:

> Hi All
>
> Is it possible to decrypt a recorded SSL session, if the attacker gains
> access to the RSA private keys at a later point in time? If yes, what
> would be the best way to avoid this?
>
> Thanks in Advance!
> Regards
> Sreeram
>
>
>
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Security Question

Sudharsan Rangarajan
I must apologize for not being SSL specific..But it gives you a hint and
you can take a look at the SSL specs and see what they allow.

Sudharsan

On 5/25/06, Sudharsan Rangarajan <[hidden email]> wrote:

> I'm not sure if SSL gives you such options, but the best way to prevent
> compromise of an RSA key would be to establish a Diffie-Hellman key.
> You would want to do a shared secret anyway..and I'm sure SSL does
> it..if the shared secret is computed using Diffie-Hellman and nobody
> gets hold of the exponents..you are safe
>
> Sudharsan
>
> On 5/25/06, Sreeram Kandallu <[hidden email]> wrote:
> > Hi All
> >
> > Is it possible to decrypt a recorded SSL session, if the attacker gains
> > access to the RSA private keys at a later point in time? If yes, what
> > would be the best way to avoid this?
> >
> > Thanks in Advance!
> > Regards
> > Sreeram
> >
> >
> >
> >
>

Re: Security Question

Sudharsan Rangarajan
Well..I took a quick look and the client chooses a premaster secret
and the various keys are a function of it..doesn't look like there's any
scope for a DH exchange..Maybe some of the experienced security people
can help

Sudharsan

On 5/25/06, Sudharsan Rangarajan <[hidden email]> wrote:

> I must apologize for not being SSL specific..But it gives you a hint and
> you can take a look at the SSL specs and see what they allow.
>
> Sudharsan
>
> On 5/25/06, Sudharsan Rangarajan <[hidden email]> wrote:
> > I'm not sure if SSL gives you such options, but the best way to prevent
> > compromise of an RSA key would be to establish a Diffie-Hellman key.
> > You would want to do a shared secret anyway..and I'm sure SSL does
> > it..if the shared secret is computed using Diffie-Hellman and nobody
> > gets hold of the exponents..you are safe
> >
> > Sudharsan
> >
> > On 5/25/06, Sreeram Kandallu <[hidden email]> wrote:
> > > Hi All
> > >
> > > Is it possible to decrypt a recorded SSL session, if the attacker gains
> > > access to the RSA private keys at a later point in time? If yes, what
> > > would be the best way to avoid this?
> > >
> > > Thanks in Advance!
> > > Regards
> > > Sreeram
> > >
> > >
> > >
> > >
> >
>

Re: Security Question

Victor Duchovni
In reply to this post by K.S.Sreeram
On Fri, May 26, 2006 at 07:23:05AM +0530, Sreeram Kandallu wrote:

> Hi All
>
> Is it possible to decrypt a recorded SSL session, if the attacker gains
> access to the RSA private keys at a later point in time? If yes, what
> would be the best way to avoid this?

    $ ciphers='kEDH:!aNULL:!LOW:!EXPORT:@STRENGTH'
    $ openssl ciphers -v "$ciphers"
    DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
    DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
    EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
    EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
    DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
    DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
    DHE-DSS-RC4-SHA         SSLv3 Kx=DH       Au=DSS  Enc=RC4(128)  Mac=SHA1

For all these ciphers the attacker has to brute force the symmetric key,
or brute force the DH exchange. Recovery of the RSA or DSS key does not
yield the session key. As DSS certificates are rare in practice, in practice
you get one of:

    $ ciphers='kEDH+aRSA:!aNULL:!LOW:!EXPORT:@STRENGTH'
    $ openssl ciphers -v "$ciphers"
    DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
    EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
    DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1

These ciphers require SSLv3 or TLSv1.

--
        Viktor.
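
Added example (not part of Viktor's message and not OpenSSL project code): a shell filter that reads `openssl ciphers -v` output and marks each suite by its `Kx=` column, so a cipher string can be checked for suites where recovery of the RSA key would expose recorded sessions. The function names and the `AES256-SHA` sample line are constructed here, and the filter also accepts `Kx=ECDH`, which goes beyond the suites listed in the thread.

```shell
#!/bin/sh
# Classify `openssl ciphers -v` output by its Kx= (key exchange) column.
# Kx=DH / Kx=ECDH: ephemeral exchange, the certificate key only authenticates.
# Kx=RSA: the premaster secret is encrypted to the certificate key, so a
#         recorded session is readable by whoever later obtains that key.
classify_kx() {
    awk '{
        kx = ""
        for (i = 2; i <= NF; i++)
            if ($i ~ /^Kx=/) kx = substr($i, 4)
        if (kx == "") next                       # skip non-cipher lines
        if (kx == "DH" || kx == "ECDH") verdict = "FS"
        else if (kx == "RSA")           verdict = "NOFS"
        else                            verdict = "REVIEW"
        printf "%-6s %s\n", verdict, $1
    }'
}

# Exit status 0 only if at least one suite is listed and all are forward secret.
all_forward_secret() {
    out=$(classify_kx)
    [ -n "$out" ] || return 2                    # empty list: nothing to judge
    ! printf '%s\n' "$out" | grep -qv '^FS '
}

# Constructed sample: two lines as printed in the thread, plus one
# RSA-key-exchange suite added for contrast.
sample_list() {
    cat <<'EOF'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EOF
}

sample_list | classify_kx
# Against a real configuration, pipe the cipher string actually deployed:
#   openssl ciphers -v "$ciphers" | all_forward_secret || echo "non-FS suite enabled"
```

Suites printed with any other `Kx=` value are reported as `REVIEW` rather than guessed at.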

Re: Security Question

Bear Giles
In reply to this post by K.S.Sreeram
I don't have the details at hand, but look at "perfect forward secrecy"
in "SSL and TLS", Rescorla.

Sreeram Kandallu wrote:

>Hi All
>
>Is it possible to decrypt a recorded SSL session, if the attacker gains
>access to the RSA private keys at a later point in time? If yes, what
>would be the best way to avoid this?
>
>Thanks in Advance!
>Regards
>Sreeram
>
>  
>


Re: Security Question

Sudharsan Rangarajan
In reply to this post by Victor Duchovni
That's cool..they do have DH ...a quick look suggested a premaster
secret (randomly chosen). Didn't seem like there's a DH exchange

Sudharsan

On 5/25/06, Victor Duchovni <[hidden email]> wrote:

> On Fri, May 26, 2006 at 07:23:05AM +0530, Sreeram Kandallu wrote:
>
> > Hi All
> >
> > Is it possible to decrypt a recorded SSL session, if the attacker gains
> > access to the RSA private keys at a later point in time? If yes, what
> > would be the best way to avoid this?
>
>    $ ciphers='kEDH:!aNULL:!LOW:!EXPORT:@STRENGTH'
>    $ openssl ciphers -v "$ciphers"
>    DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
>    DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
>    EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
>    EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
>    DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
>    DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
>    DHE-DSS-RC4-SHA         SSLv3 Kx=DH       Au=DSS  Enc=RC4(128)  Mac=SHA1
>
> For all these ciphers the attacker has to brute force the symmetric key,
> or brute force the DH exchange. Recovery of the RSA or DSS key does not
> yield the session key. As DSS certificates are rare in practice, in practice
> you get one of:
>
>    $ ciphers='kEDH+aRSA:!aNULL:!LOW:!EXPORT:@STRENGTH'
>    $ openssl ciphers -v "$ciphers"
>    DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
>    EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
>    DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
>
> These ciphers require SSLv3 or TLSv1.
>
> --
>        Viktor.

Re: Security Question

Bear Giles
In reply to this post by Victor Duchovni
Related note: you can explicitly request re-keying at any time, and
should do it periodically on long-term connections. That makes analysis
even more expensive since there's less data and less payoff.

Victor Duchovni wrote:

>For all these ciphers the attacker has to brute force the symmetric key,
>  
>


Re: Security Question

K.S.Sreeram
In reply to this post by Victor Duchovni
Thanks!

looks like RSA+DH is the way to go for perfect forward secrecy!

Sreeram



Re: Security Question

Kyle Hamilton
RSA is for authentication.  DH key exchange is the way to go for
perfect forward secrecy.  For non-DH exchange protocols, the RSA key
will be enough to read the server side of the connection (receive and
transmit).

-Kyle H

On 5/25/06, Sreeram Kandallu <[hidden email]> wrote:
> Thanks!
>
> looks like RSA+DH is the way to go for perfect forward secrecy!
>
> Sreeram

Re: Security Question

Marek.Marcola
In reply to this post by K.S.Sreeram
Hello,
> Is it possible to decrypt a recorded SSL session, if the attacker gains
> access to the RSA private keys at a later point in time?
If key_exchange was done with RSA and server RSA private key
was compromised ... without problem.

Best regards,
--
Marek Marcola <[hidden email]>
