Vin McLellan (vin@shore.net)
Fri, 26 Jun 1998 14:17:23 -0400
FYI. I think this is a better synopsis and report on the reactions from
the multiple SSL vendors than the relevant CERT Advisory: CERT* Advisory
CA-98.07, issued June 26, 1998, "Vulnerability in Some Usages of PKCS#1."
The CERT advisory was mailed out by CERT, but doesn't seem to be yet
available on the CERT website.
_Vin
-----------
"RSA Data Security Works With Internet
Software Vendors to Respond to Potential
Security Attack on Secure Web
Communications"
6/26/98 7:19
SAN MATEO, Calif., June 26 /PRNewswire/ -- RSA Data Security, Inc. today
announced it is working with a group of leading Internet software vendors on
pre-emptive countermeasures to thwart a newly-discovered potential attack
against secure Web communications. This vulnerability is currently the
subject of research and has not been reported by any users.
These countermeasures enhance the security of popular Internet server
software products based on the Secure Sockets Layer (SSL) protocol. The
countermeasures are, or will be, available from respective vendors' Web sites,
and include configuration guidelines, software updates where applicable and
additional information. Currently available vendor information may be found
at the following sites:
* C2Net Software, Inc.
http://www.c2.net
* Consensus Development Corporation
http://www.consensus.com/ssl-rsa.html
* IBM Corporation
http://www.ibm.com/security
* Lotus Development Corporation
http://www.lotus.com/security
* Microsoft Corporation
http://www.microsoft.com/security
* Netscape Communications Corporation
http://help.netscape.com/products/server/ssldiscovery/index.html
* Open Market, Inc.
http://www.openmarket.com/security
* RSA Data Security, Inc.
http://www.rsa.com/rsalabs/
RSA will also maintain an updated list of all vendors' countermeasure site
links at its site. In addition, RSA has been working closely with the CERT
Coordination Center on this problem. CERT has made a technical advisory on
this vulnerability available at http://www.cert.org.
These countermeasures address a potential vulnerability discovered by
cryptographer Daniel Bleichenbacher of the Secure Systems Research Department
of Bell Labs, the research and development arm of Lucent Technologies.
Bleichenbacher identified a cryptanalytic vulnerability that could potentially
be used to discover the key for a particular encrypted session through a
process of repeatedly sending on the order of one million carefully
constructed messages to a target server and observing the server's response.
Due to the large number of messages needed, the potential attack is detectable
by network administrators. Additional information is available on the Bell
Labs Web site at http://www.bell-labs.com.
The vulnerability affects interactive key establishment protocols that use
the Public Key Cryptography Standard (PKCS) #1, including SSL. The PKCS
series of standards are defined by RSA Laboratories, reviewed by industry and
have been adopted by many major vendors of information systems and
incorporated in national and international standards. The vulnerability does
not apply to PKCS #1-based secure messaging protocols, such as Secure
Electronic Transactions (SET) and Secure Multipurpose Internet Mail Extension
(S/MIME), because they are not susceptible to, or already implement mechanisms
preventing, this potential vulnerability.
A technical overview of the attack and recommended countermeasures for
installed SSL-based server software are available now on the RSA Labs Web site
at http://www.rsa.com/rsalabs/.
Software developers interested in testing their products for this
potential vulnerability should visit RSA's site at http://www.rsa.com where
they can find diagnostic instructions and prescriptive information for
updating their applications. In July, RSA plans to provide developers using
the company's BSAFE security suite with free software enhancements designed
to eliminate this threat.
RSA Laboratories plans to release for comment a draft PKCS #1 v2 in July
following a revision process that began early in the year.
RSA Data Security, Inc.
RSA Data Security, Inc., a wholly owned subsidiary of Security Dynamics
Technologies, Inc. (Nasdaq: SDTI), is a leading supplier of software
components that secure electronic data, with more than 300 million copies of
RSA encryption and authentication technologies installed worldwide. RSA
technologies are part of existing and proposed standards for the Internet and
World Wide Web, ISO, ITU-T, ANSI, IEEE, and business, financial and electronic
commerce networks around the globe. RSA develops and markets
platform-independent security components and related developer kits and provides
comprehensive cryptographic consulting services. RSA can be reached at
http://www.rsa.com.
All products and companies mentioned herein may be trademarks or
registered trademarks of their respective holdings and are hereby
recognized.
SOURCE RSA Data Security, Inc.
-0- 06/26/98
CONTACT: Patrick Corman, Corman Communications, 650-326-9648,
patrick@cormancom.com
Web site: http://www.rsa.com/
(SDTI)
-----
Vin McLellan + The Privacy Guild + <vin@shore.net>
53 Nichols St., Chelsea, MA 02150 USA <617> 884-5548
-- <@><@> --