A researcher at Lucent Bell Labs has discovered a flaw in the Secure Sockets Layer technology which underlies many electronic commerce platforms and sites. But the flaw is almost impossible to exploit undetected, and it seems never to have been used in anger.

Daniel Bleichenbacher of Secure Systems Research was working on a proprietary protocol for Lucent when he discovered that the error messages returned in an attack leaked small amounts of information about a given encrypted session. He wondered whether other, commercially used protocols might be vulnerable to the same attack. Upon investigation he found that indeed, SSL was vulnerable.

To attack an unprotected SSL server, a hacker could send thousands of messages. Using the Public Key Cryptography System Number One (PKCS #1) as its key establishment protocol, SSL rejects all the messages that do not conform to the correct session format, but it accepts the few that do. By tracking which messages are accepted and which are rejected, a hacker could piece together the key for an encrypted session.

However, the attack is far from unobtrusive. On average, one million messages are required before the key can be deduced. That level of traffic is easy for a site administrator to spot. In addition, as Bleichenbacher points out: "Most messages trigger an error, and most error messages are logged by SSL servers." If someone had ever attempted to hack an e-commerce site this way, they would almost certainly have been caught. Finally, for the attack to work the hacker must already have gained access to the client or server system. Taken together, those limitations make it pretty unlikely that anyone could ever exploit this flaw.

"It's not that serious [a problem]," Bleichenbacher concludes. "SSL is a pretty good protocol."

RSA Data Security, which originally defined PKCS #1, says it is working on countermeasures with a broad spectrum of web server vendors, from C2Net and Open Market to Netscape, Microsoft, IBM and Lotus.
RSA adds that while SET and S/MIME also depend on PKCS #1, mechanisms already implemented in those protocols make them invulnerable to this particular attack.
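The accept/reject behaviour the article describes, and the remedy of never letting the PKCS #1 format check fail visibly, as an added Python example that is not from the article or from any vendor it names. It works on the block as it looks after RSA decryption, so no RSA operation is performed; the 128-byte modulus length, the 48-byte pre-master-secret length, and the sample blocks are constructed for the demonstration. The hardened decoder substitutes a random secret when the block does not conform, which is the approach later standardised for TLS; it is shown here as the general technique, not as any vendor's fix.

```python
import secrets

# Constructed parameters for this demonstration (not from the article):
# byte length of the RSA modulus, and the length of the SSL pre-master
# secret that a PKCS #1 block wraps.
K = 128
PMS_LEN = 48


def pkcs1_v15_pad(pms: bytes) -> bytes:
    """Build a conforming block: 00 02 || PS (>= 8 non-zero bytes) || 00 || PMS.
    Used here only to construct sample input for the two decoders below."""
    if len(pms) != PMS_LEN:
        raise ValueError("pre-master secret must be %d bytes" % PMS_LEN)
    ps_len = K - 3 - PMS_LEN
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))  # non-zero bytes
    return b"\x00\x02" + ps + b"\x00" + pms


def pkcs1_v15_unpad_leaky(block: bytes) -> bytes:
    """The pattern the article describes: every failed format check produces a
    distinguishable error, so an observer learns whether the block conformed."""
    if len(block) != K or block[0] != 0x00 or block[1] != 0x02:
        raise ValueError("bad PKCS #1 block type")
    sep = block.find(b"\x00", 2)          # first zero byte after the header
    if sep < 10:                          # -1 (no separator) or fewer than 8 padding bytes
        raise ValueError("bad PKCS #1 padding")
    pms = block[sep + 1:]
    if len(pms) != PMS_LEN:
        raise ValueError("bad pre-master secret length")
    return pms


def pkcs1_v15_unpad_oracle_free(block: bytes) -> bytes:
    """Hardened pattern: evaluate every check without an early exit and, on any
    failure, return a freshly generated random secret instead of an error. The
    handshake then fails later exactly as it would for a wrong secret, so the
    accept/reject signal the attack depends on disappears. (Pure Python cannot
    promise constant time; the structure is what this shows.)"""
    fallback = secrets.token_bytes(PMS_LEN)
    if len(block) != K:                   # length is public information; no leak
        return fallback
    good = 1
    good &= int(block[0] == 0x00)
    good &= int(block[1] == 0x02)
    sep = -1
    for i in range(2, K):                 # scan the whole block, no early break
        if block[i] == 0 and sep == -1:
            sep = i
    good &= int(sep >= 10)                # separator present, >= 8 padding bytes
    good &= int(sep == K - PMS_LEN - 1)   # exactly PMS_LEN bytes follow it
    candidate = block[K - PMS_LEN:]       # always read the same slice
    return candidate if good else fallback


def observe(decoder, blocks):
    """What someone watching the server's error messages learns per block."""
    seen = []
    for b in blocks:
        try:
            decoder(b)
            seen.append("accepted")
        except ValueError:
            seen.append("rejected")
    return seen


def demo():
    """Run both decoders over one conforming and four constructed non-conforming blocks."""
    pms = bytes(range(PMS_LEN))
    good = pkcs1_v15_pad(pms)
    blocks = [
        good,
        b"\x00\x03" + good[2:],               # wrong block type
        good[:-1],                            # wrong length
        b"\x00\x02" + b"\x01" * (K - 2),      # no separator at all
        good[:5] + b"\x00" + good[6:],        # separator too early (padding < 8 bytes)
    ]
    return (observe(pkcs1_v15_unpad_leaky, blocks),
            observe(pkcs1_v15_unpad_oracle_free, blocks))


if __name__ == "__main__":
    leaky, hardened = demo()
    print("leaky decoder   :", leaky)
    print("hardened decoder:", hardened)
```

With the leaky decoder, the four malformed blocks are reported as rejected and the conforming one as accepted, which is exactly the signal the article says an attacker tracks. With the hardened decoder every block yields a 48-byte secret, so nothing in the server's response distinguishes a conforming block from a malformed one; the error-rate logging the article mentions remains useful for spotting the traffic volume, but it no longer has to double as the only line of defence.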