29 February 2012

Software Engineers Develop Cryptographic Attack That Allows Access to Secure Internet Servers

HTTP or HyperText Transfer Protocol is the underlying protocol used by the World Wide Web. It defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various browser and computer commands. Entering a web address or URL in a browser sends an HTTP command to the web server directing it to fetch and transmit the requested Web page.

Hypertext Transfer Protocol Secure (HTTPS) is a combination of Hypertext Transfer Protocol (HTTP) with SSL/TLS protocol. It provides encrypted communication and secure identification of a network web server. HTTPS connections are often used for payment transactions on the World Wide Web and for sensitive transactions in corporate information systems. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) , are cryptographic protocols that provide communication security over the Internet.

A padlocked icon in a web-browser or a URL starting with https provides communication security over the Internet. The icon or URL indicates OpenSSL, a cryptography toolkit implementing the SSL protocol, or a similar system is being used. New research by a collaborative team has developed an attack that can circumvent the security OpenSSL should provide. The attack worked on a very specific version of the OpenSSL software, 0.9.8g, and only when a specific set of options were used.

Dr Dan Page, Senior Lecturer in Computer Science in the Department of Computer Science at the University of Bristol, and one of the collaborative team, will present a paper at the RSA conference in San Francisco next week [Wednesday 29 February] about the EPSRC-funded research.

The attack worked by targeting a bug in the software. Carefully constructed messages were sent to the web-server, each of which triggered the bug and allowed part of a cryptographic key to be recovered. Using enough messages, the entire key could be recovered.

Video: What is HTTP and HTTPS?

Dr Dan Page said: "Our work suggests an underlying problem. With software and hardware playing increasingly significant roles in our day-to-day life, how much can and should we trust them to be correct?

"The answer, in part at least, is a stronger emphasis on and investment in formal verification and correctness of open source software. Our research highlights the important role this topic will play for software engineers of the future."

SSL is designed to provide two guarantees. Firstly, that a web-server accessed is the one expected, and, secondly, that subsequent communication between the user and the web-server cannot be read by anyone else.

Both guarantees are important for e-commerce websites that need to manage sensitive data such as credit card details in a secure, dependable way. However, both depend on the web-server keeping various cryptographic keys secret.

OpenSSL is embedded in many platforms, particularly those based on the Linux operating system. Some operating system vendors have started to release advisories that prompt the upgrade of older versions of OpenSSL. This acts to limit any implications of an attack.


University of Bristol
RSA conference in San Francisco
Cryptography and Information Security Group
Quantum Computers: Tomorrows Technology
Quantum Computers Offer Secure Cloud Computing
Hackers Getting More Advanced and Dangerous
Multi-purpose Photonic Chip Developed for Quantum Computers
Project Sixtrack: The Large Hadron Collider and Your Computer
Digital Contact Lens for Heads Up Display and Augmented Reality
Mysterious Coded Manuscript Cracked After 300 Years
More People Are Finding Love Through Online Dating
MIT NEWS: The faster-than-fast Fourier transform
Twitter Growth in US Aided By Other Social Networks