The attack: ftp://ftp.rsa.com/pub/pdfs/bulletn7.pdf 4-page PDF file. There's also a Postscript version available. The paper is by Bleichenbacher of Lucent and Burt Kaliski and Jessica Staddon of RSA Labs. OEM Countermeasures: http://www.rsa.com/rsalabs/pkcs1/oem_counter.html (below) Countermeasures for Users of Servers: http://www.rsa.com/rsalabs/pkcs1/countermeasures.html (below - it's pointers to vendor home pages, pleasantly including C2. Apparently they've done a good job coordinating it...) Q&A : http://www.rsa.com/rsalabs/pkcs1/qa.html ====== RSA to Provide OEM Customers with Guidelines and Technology to Thwart Potential Web Server Security Attack OAEP Formatting Adds Important Security to Vulnerable Applications June 26, 1998 -- RSA Data Security, Inc. today announced guidelines to assist its OEM customers in both assessing their products vulnerability to a newly discovered potential security attack, and to identify pre-emptive countermeasures to thwart such an attack. The guidelines are designed to help developers understand the nature and mechanism of the threat, pose a series of technical questions to identify vulnerable constructs in the developers software design, and provide a set of countermeasures from which to choose based on the developers needs. These guidelines are available online at http://www.rsa.com/rsalabs/. The potential threat affects server products that employ an interactive key establishment protocol in conjunction with the PKCS #1 standard for digital envelopes, including SSL-based servers. SET (Secure Electronic Transaction) and other secure messaging protocols, such as S/MIME (Secure Multipurpose Internet Mail Extension), are not susceptible to or already implement mechanisms preventing this potential attack. Recent research by cryptographer Daniel Bleichenbacher of the Bell Labs Secure Systems Research Department, the research and development arm of Lucent Technologies, indicate that the above combination is potentially vulnerable to a class of attack known as Adaptive Chosen Ciphertext Attacks. The potential attack noted by Mr. Bleichenbacher relies on sending a target server on the order of a million carefully constructed messages and observing variations in the servers response. As such, the attack is both detectable and can be prevented with countermeasures. For some developers, the most effective countermeasure is incorporation of the Optimal Asymmetric Encryption Padding (OAEP) technology, a method of formatting an encrypted message so that attackers cannot learn information about the contents through repeated probing. OAEP is designed to thwart a variety of attacks, including the Adaptive Chosen Ciphertext Attack. For other developers, the most effective countermeasure will be preventing an assailant from gaining information from messages returned from their server. RSAs guidelines provide design information for developers to use in implementing this form of countermeasure as well. RSA Laboratories, the research arm of RSA, plans to include OAEP in the next version of PKCS #1, a widely used cryptography standard, that will be available as a draft for comment in July. PKCS #1 is used in SSL and other popular security mechanisms to provide confidentiality for exchange of symmetric encryption keys (digital envelopes), as well as to construct digital signatures. OAEP has already been integrated into RSAs newest release of BSAFE 4.0, the companys flagship cryptographic security development suite which began shipping this month. RSA intends to make available OAEP updates conforming to the new PKCS #1 specification for its BSAFE 3.0 and 4.0 products in July, and to incorporate OAEP in an upcoming version of JSAFE, RSAs security engine for Java. RSA recommends that developers target these upcoming OAEP updates for inclusion in their products. Check this site for more information on OAEP updates in the coming weeks. RSAs Website will also host links to vendors sites where countermeasures are made available as a service to both OEMs and end customers. See RSAs related announcement on this subject. Currently, the following vendor information Website links are available: C2Net Software, Inc. http://www.c2.net Consensus Development Corporation http://www.consensus.com/ssl-rsa.html IBM Corporation http://www.ibm.com/security Lotus Development Corporation http://www.lotus.com/security Microsoft Corporation http://www.microsoft.com/security Netscape Communications Corporation http://www.netscape.com Open Market, Inc. http://www.openmarket.com/security/ RSA Data Security, Inc. http://www.rsa.com/rsalabs An RSA Labs technical paper discussing this vulnerability, as well as additional information, is available on RSAs Website, http://www.rsa.com/rsalabs. ============ SSL Countermeasures These countermeasures enhance the security of popular Internet servers and software products based on the Secure Sockets Layer (SSL) protocol. The countermeasures are available from respective vendors' Web sites, and include configuration guidelines, software updates where applicable and additional information. Currently available vendor information may be found at the following sites: Aventail Corporation http://www.aventail.com/ C2Net Software, Inc. http://www.c2.net/ Consensus Development Corporation http://www.consensus.com/ Lotus Development Corporation http://www.lotus.com/security IBM Corporation http://www.ibm.com/security/ Microsoft Corporation http://www.microsoft.com/security/ Netscape Communications Corporation http://help.netscape.com/products/server/ssldisc overy/index.html Open Market, Inc. http://www.openmarket.com/security/ RSA Data Security, Inc. http://www.rsa.com/rsalabs/ Thanks! Bill Bill Stewart, bill.stewart@pobox.com PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639