
Running Header: OPENSSL ANALYSIS PAPER 1

OpenSSL Analysis Paper

Chelsea Hitt

University of San Diego

CSOL 560

01 May 2017

On 16 February 2017, OpenSSL reported that during a renegotiation handshake, if the
Encrypt-Then-Mac (ETM) extension is negotiated where it was not in the original handshake (or
vice versa), OpenSSL can crash, depending on the ciphersuite. Both clients and servers are
affected (OpenSSL, 2017). The problem was caused by changing the flag that indicates whether to
use ETM immediately on negotiation of ETM, rather than at ChangeCipherSpec (CCS). Therefore,
during a renegotiation, if the ETM state is changing (usually due to a change of ciphersuite), an
error or crash will occur. Because there are separate CCS messages for read and write, two flags
are now needed to determine whether to use ETM (Red Hat Bugzilla, 2017). A remote
authenticated user can trigger a crash during a renegotiation handshake and cause the target
service to crash, depending on the selected cipher suite. Negotiating the Encrypt-Then-Mac
extension when the original handshake did not include the extension can trigger this flaw.
Negotiating without the Encrypt-Then-Mac extension when the original handshake included the
extension can also trigger this flaw (Security Tracker, 2017).
This issue was said to be fixed in OpenSSL 1.1.0e. It affected versions 1.1.0d, 1.1.0c,
1.1.0b, 1.1.0a, and 1.1.0 (OpenSSL, 2017). It does not affect OpenSSL version 1.0.2
(Red Hat Bugzilla, 2017).
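The flag timing described above, as an added C model (not code from this paper or from OpenSSL; the struct, function names and record timeline are assumptions made for illustration). It counts records that would be handled with an ETM setting that differs from the installed cipher state, comparing one flag flipped at negotiation with per-direction flags flipped at CCS.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of one endpoint. All names are hypothetical, not OpenSSL's. */
typedef struct {
    bool fixed;        /* true: per-direction flags set at CCS; false: one early flag */
    bool early_flag;   /* flawed design: flipped as soon as the extension is negotiated */
    bool pending;      /* fixed design: negotiated value, parked until CCS */
    bool flag[2];      /* fixed design: ETM flag per direction */
    bool keys_etm[2];  /* mode the installed cipher state of each direction expects */
} conn;
enum { RD = 0, WR = 1 };

static void negotiate(conn *c, bool etm) {
    c->pending = etm;
    c->early_flag = etm;               /* takes effect before any CCS */
}

/* ChangeCipherSpec for one direction: the new cipher state becomes active. */
static void ccs(conn *c, int dir) {
    c->keys_etm[dir] = c->pending;
    c->flag[dir] = c->pending;
}

/* 1 if a record in this direction would be handled with the wrong MAC mode. */
static int mismatch(const conn *c, int dir) {
    bool used = c->fixed ? c->flag[dir] : c->early_flag;
    return used != c->keys_etm[dir];
}

/* Initial handshake, then one renegotiation; returns the mismatched records. */
int count_mismatches(bool initial_etm, bool reneg_etm, bool fixed) {
    conn c = { .fixed = fixed };
    int bad = 0;
    negotiate(&c, initial_etm); ccs(&c, WR); ccs(&c, RD);
    negotiate(&c, reneg_etm);                   /* extension seen in renegotiation */
    bad += mismatch(&c, RD) + mismatch(&c, WR); /* both still on the old cipher state */
    ccs(&c, WR);
    bad += mismatch(&c, RD) + mismatch(&c, WR); /* write switched, read has not */
    ccs(&c, RD);
    bad += mismatch(&c, RD) + mismatch(&c, WR); /* both directions switched */
    return bad;
}

int main(void) {
    printf("early flag, ETM off->on: %d\n", count_mismatches(false, true, false));
    printf("early flag, ETM on->off: %d\n", count_mismatches(true, false, false));
    printf("flags at CCS, ETM off->on: %d\n", count_mismatches(false, true, true));
    return 0;
}
```

The model only tracks whether the flag and the cipher state agree; it does not reproduce OpenSSL's record processing.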
Ultimately, the goals should be to modernize the OpenSSL codebase to make it easier to
audit, understand and repair; apply best-practice development processes (code review,
frequent releases, open development process); remove obsolete or broken features and operating
system support; and use and encourage the incorporation of secure programming interfaces in
operating systems. Provide secure alternatives on operating systems that do not yet have secure
programming interfaces available (LibreSSL, 2017).

References
LibreSSL. (2017, APR 11). LibreSSL Goals. Retrieved from LibreSSL:
https://www.libressl.org/goals.html
OpenSSL. (2017, FEB 16). Vulnerabilities. Retrieved from OpenSSL Cryptography and
SSL/TLS Toolkit: https://www.openssl.org/news/vulnerabilities.html
Red Hat Bugzilla. (2017, FEB 13). Bug 1421695 - (CVE-2017-3733) CVE-2017-3733 openssl:
Encrypt-Then-Mac renegotiation crash. Retrieved from Red Hat Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-3733
Security Tracker. (2017, FEB 16). Security Tracker Archives. Retrieved from Security Tracker:
http://securitytracker.com/id/1037846
