Exploiting DSA-1571: How to break PFS in SSL with EDH

( I love acronyms :-D )

My English is just horrible (corrections are welcome). Posiblemente quieras leer esto en español.

The following paragraphs assume that you're familiar with the Debian OpenSSL Package Random Number Generator Weakness, which was published on May 13th 2008, and described in DSA-1571-1 (CVE-2008-0166).

At this point, all of you probably know and have seen how H D Moore's toys work. Those toys attack SSH public-key authentication using clone keys and online brute force.

Furthermore, many of you know that there are other effects produced by a biased PRNG besides this one.

Strangely, even though I searched, I couldn't find more of these toys exploiting other aspects (update: check Other related works/links). So, I would like to show you a Wireshark patch which attacks Perfect Forward Secrecy (PFS) provided by Ephemeral Diffie Hellman (EDH).

Introduction to EDH

Let's put it in plain words (if you know what we are talking about, ignore this and jump to the next heading):
In an insecure communications channel the parties agree a common key to cipher their dialog. This is what happens in SSL (in most of the cases, depending on the cipher suite):

The "exploit"

If an eavesdropper can explore the complete private key space (the all possible numbers for Xc or Xs), he/she will be able to get access to the shared secret. With it all the communication can be deciphered. That's what this patch can do.

A Wireshark with this patch and a list of possible private keys will try to brute force the share secret. If one of the parties is using the vulnerable OpenSSL package the communication is totally insecure and will be decrypted.

The patch was submitted in order to be committed on the Wireshark trunk. There you can find the patch against the on-develop source revision 25765.

Issues that can be improved

We (the other developers and myself) detected few things to be improved. But we will do nothing for them. So, if you want to contribute with some code, start from these items and submit the patches to the Wireshark's bugzilla:


Paolo Abeni <paolo.abeni at email.it>
Luciano Bello <luciano at debian.org>
Maximiliano Bertacchini <mbertacchini at citefa.gov.ar>

This work was partially supported by Si6 Labs at CITEFA, Argentina.

Other related works/links

Last update: Fri, 25 Jul 2008 17:42:15 -0300 - Luciano Bello <luciano[at]debian.org>