30 April 2014

HOW I USED HEARTBLEED TO STEAL A SITE’S PRIVATE CRYPTO KEY

April 28, 2014 · by Fortuna's Corner 

How I Used HeartBleed To Steal A Site’s Private Crypto Key


Rubin Xu had an online article yesterday (April 27, 2014) in Ars Technica, with the titlw above. Mr. Xu writes that “by now, everyone knows about the OpenSSL HeartBleed vulnerability: a missing bounds check in one of the most popular TLS implementations has made millions of Web servers (and more) leak all sorts of sensitive information from memory. A HeartBleed compromise can leak login credentials, authentication cookies, and Web traffic to attackers. But, could it be used to recover the sites TSL key?,” he asks. If so, Mr. Xu writes that “this would enable complete decryption of previously-recorded traffic — if perfect forward secrecy was not negotiated at the time; and otherwise, Man-In-The-Middle attacks to all future TSL sessions.”

Mr. Xu wrote that “since this would be a much more serious consequence of HeartBleed — I decided to investigate. The results were positive: I was able to extract private keys from a test Nginx server, after a few days work. Later, he applied techniques to solve the CloudFlare challenge. Along with a few other security researchers, Mr. Xu independently demonstrated that RSA private keys are indeed at risk.”

Mr. Xu thoroughly explains in his article how he was able to execute this technique and pleae go to Ars Technica and type in the title above to read his explanation. V/R, RCP

No comments: