OpenSSL 0.9.6a PRNG algorithm weakness: how to exploit it?


I saw an OpenSSL security advisory for OpenSSL 0.9.6a:

Recently a cryptographic flaw in OpenSSL's built-in pseudo-random number generator (PRNG) was pointed out to us by Markku-Juhani O. Saarinen, who showed how an attacker could reconstruct the PRNG's internal state from the output of a couple of hundred 1-byte PRNG requests. This problem dates back to SSLeay, which OpenSSL is based on, and was found in other SSLeay-based toolkits as well. While a number of enhancements have been done to the original PRNG during the development of OpenSSL, this design error was overlooked so far.

The PRNG (implemented in source code file crypto/md_rand.c) uses a hash function, by default SHA-1, to update its internal secret state and to generate output. The secret state consists of two components: A chaining variable 'md', sized according to the hash function's output (160 bits for SHA-1), and a large buffer 'state'. 'md' is always replaced by a hash function output during the PRNG's operation. 'state' is accessed circularly and is used for storing additional entropy.

When generating output bytes, OpenSSL versions up to 0.9.6a set 'md' to the hash of one half of its previous value and some other data, including bytes from 'state'. The design error was that the half of 'md' input to the hash function was the same half that was also used as PRNG output, meaning that it in general cannot be considered secret. Also the number of bytes used from 'state' depended on the number of bytes requested as PRNG output and could be as small as one, allowing for easy brute-force analysis of all possible cases. The combination of these effects made it possible to reconstruct the complete internal PRNG state from the output of one PRNG request appropriately sized to gain knowledge on 'md' followed by enough consecutive 1-byte PRNG requests to traverse all of 'state'.

See also: SecurityTracker Alert ID: 1001961

posted by freak_warrior 06.10.2015 - 10:07
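The design error quoted above, as an added example that is not part of the original post and not OpenSSL's own md_rand.c: a simplified Python model of the chaining-hash generator the advisory describes (the real code's counters, locking and reseeding are left out, and 'md' is assumed to be replaced by the whole digest after every hash), with a switch for whether the output half of the digest is the same half that is fed back into the next hash. The attacker side follows the advisory's recipe: one request sized to learn the fed-back half of 'md', then consecutive 1-byte requests, each brute-forced over the 256 possible values of the single 'state' byte it mixes in, with wrong guesses pruned as later outputs arrive, and finally verification by predicting the generator's next output. The class and function names (ToyMdRand, recover, clone_from, attack) and the os.urandom seed are mine, not the project's.

```python
"""Toy model of the OpenSSL 0.9.6a md_rand.c design error (simplified; not the real code)."""
import hashlib
import os

DIGEST = 20          # SHA-1 output size in bytes
HALF = DIGEST // 2   # the half of 'md' that is hashed into the next digest


class ToyMdRand:
    """Simplified chaining-hash PRNG in the style the advisory describes.

    state:     circular entropy buffer
    md:        chaining variable, replaced by every hash output
    leak_half: True  -> output the SAME half of the digest that is fed back (0.9.6a-style error)
               False -> output the OTHER half, so the output reveals nothing fed back
    """

    def __init__(self, state: bytes, md: bytes, leak_half: bool):
        assert len(md) == DIGEST
        self.state = bytearray(state)
        self.md = bytes(md)
        self.idx = 0
        self.leak_half = leak_half

    def rand_bytes(self, n: int) -> bytes:
        out = bytearray()
        while n > 0:
            # As in the advisory: the number of 'state' bytes mixed in depends on the
            # request size, so a 1-byte request mixes in exactly one state byte.
            j = min(n, HALF, len(self.state) - self.idx)
            n -= j
            h = hashlib.sha1(self.md[:HALF])          # first half of md is the chaining input
            h.update(self.state[self.idx:self.idx + j])
            local = h.digest()
            for i in range(j):
                self.state[self.idx] ^= local[i]      # 'state' is updated circularly
                self.idx = (self.idx + 1) % len(self.state)
                out.append(local[i] if self.leak_half else local[i + HALF])
            self.md = local                           # md is always replaced by a hash output
        return bytes(out)


def recover(first_out: bytes, single_outs: list, state_len: int) -> list:
    """Attacker: reconstruct (md half, state, idx) from one HALF-byte request followed by
    len(single_outs) consecutive 1-byte requests, assuming the generator was fresh (idx 0)
    and leaks the fed-back half. Returns every candidate consistent with the outputs."""
    assert len(first_out) == HALF
    # candidate = (known half of md, {state index: current byte value}, next state index)
    cands = [(bytes(first_out), {}, HALF % state_len)]
    for o in single_outs:
        nxt = []
        for md_half, known, idx in cands:
            for b in range(256):                      # brute-force the single state byte
                local = hashlib.sha1(md_half + bytes([b])).digest()
                if local[0] == o:                     # a wrong b survives this check w.p. 1/256
                    k = dict(known)
                    k[idx] = b ^ local[0]             # value after the generator's XOR update
                    nxt.append((local[:HALF], k, (idx + 1) % state_len))
        cands = nxt
    return cands


def clone_from(cand, state_len: int, leak_half: bool) -> ToyMdRand:
    """Build a generator from a recovered candidate; unknown bytes are left as zero."""
    md_half, known, idx = cand
    state = bytes(known.get(i, 0) for i in range(state_len))
    g = ToyMdRand(state, md_half + bytes(HALF), leak_half)   # only md[:HALF] is ever used
    g.idx = idx
    return g


def attack(leak_half: bool, state_len: int = 32) -> int:
    """Seed a generator with a constructed random secret, run the attack against its output,
    and return how many recovered candidates correctly predict the next 16 bytes."""
    target = ToyMdRand(os.urandom(state_len), os.urandom(DIGEST), leak_half)
    first = target.rand_bytes(HALF)                               # learn the fed-back md half
    singles = [target.rand_bytes(1)[0] for _ in range(state_len)]  # traverse all of 'state'
    actual = target.rand_bytes(16)
    return sum(1 for c in recover(first, singles, state_len)
               if clone_from(c, state_len, leak_half).rand_bytes(16) == actual)


if __name__ == "__main__":
    print("same-half output (0.9.6a-style):", attack(True), "candidate(s) predict the next output")
    print("other-half output (error removed):", attack(False), "candidate(s) predict the next output")
```

With the leaking variant, attack(True) always returns at least 1: the true state survives every pruning step, and the candidate set stays small because each wrong guess of a state byte passes the single-byte check only with probability 1/256. With the output taken from the other half of the digest, the attacker's starting guess for the fed-back half of 'md' is simply wrong, so no candidate predicts the next output and attack(False) returns 0. The search costs 256 SHA-1 evaluations per candidate per state byte, which is why the advisory calls this "easy brute-force analysis".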

1 answer


From the security advisory you posted, it seems to me that the design error can be summarized as:

The PRNG is a hash function. Of the input to the PRNG (the hash function), half comes from the previous PRNG output, which is known; you can simply read it from the previous output. So, in essence, the strength of the SHA-1 hash is halved: 80 bits instead of 160 bits.

So, if the OpenSSL library is used in key generation, it is possible to carry out a brute-force attack on the remaining 80-bit key. It is certainly a big vulnerability and fragile by today's processing-power standards. But it is still a huge task.

answered 31.03.2016 - 10:26
