[openssl-users] openssl impact on CVE-2015-2808

Michael Wojcik Michael.Wojcik at microfocus.com
Mon Apr 6 19:46:58 UTC 2015


Bar Mitzvah is an improvement on existing attacks against RC4. It's a credible exposure under some threat models. Primarily it's an issue for sites with a lot of RC4 conversations, since it depends on the use of weak keys, which are a large subset of all RC4 keys. When a conversation (randomly) chooses a weak key, some information is leaked to the attacker, who can then try to brute-force parts of the conversation. Typically that will be something like a session ID - generally only useful for the lifetime of the session - or a commonly-used user password. (The Bar Mitzvah paper describes how it can be used to improve brute-force attacks on user passwords that are passed in RC4-encrypted data.)

So: If your systems participate in a lot of RC4 conversations, and your threat model includes passive attackers gaining sufficient information to make brute-forcing small pieces of data feasible, then Bar Mitzvah is a problem.

We can't tell you whether it's something you need to be concerned about. That depends on YOUR threat model. If you don't know what your threat model is, then you can't make informed security decisions.

The attack applies to all implementations of RC4, and its use by any SSL/TLS implementation. OpenSSL can't fix the problem. A future release of OpenSSL may remove RC4 suites from the default list (indeed, it's probably all but inevitable), so applications won't use it unless they enable it. For now, it's enabled by default.

Michael Wojcik
Technology Specialist, Micro Focus


From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Sandeep Umesh
Sent: Monday, April 06, 2015 14:20
To: OpenSSL User Support ML
Subject: [openssl-users] openssl impact on CVE-2015-2808


Just want to understand the impact of openssl for RC4 Bar mitzvah attack.

Please correct me if my understanding is wrong, basically this attack is triggered based on the design of RC4.
openssl is one of the implementers of RC4 algo.
I am not sure if there will be any design change or openssl will try to disable RC4 support...
But, Is disabling RC4 algo usage in the applications which are using openssl a better approach? Thanks


This message has been scanned for malware by Websense. www.websense.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20150406/c1e3ac35/attachment-0001.html>


More information about the openssl-users mailing list