Encryption Hole In OpenSSL

A severe vulnerability has been found by computer boffins in the world’s most prolific software package. The hole would allow hackers to retrieve a machine’s private cryptographic key.

The bug is in the OpenSSL cryptographic library, which is pretty scary stuff as the open-source package is used worldwide in OSs and applications. The attack could potentially be applied to many devices. Smartphones and media players with anti-copying mechanisms will be most easily affected.

Wherever the origin of information needs to be verified is where the OpenSSL library comes in, and it does much more than just SSL. However, the issue is said to be easily fixed. Scientists at Michigan University say applying cryptographic “salt” to an error-checking algorithm will do the trick. This extra randomization will make the attack impossible. OpenSSL engineers are currently pushing out a patch, so don’t panic.

Carrying out the attack in the real world is somewhat impractical. To grab bits of a key you have to inject slight fluctuations in a device’s power supply as it is processing the encrypted data. It took the boffins over 100 hours to deduce an entire key. So... not very likely someone will actually do this, is it? The boffins also said:

“This is probably not as much of a threat to a server system as it is to a consumer device. The place where this would be more applicable would be if you want to attack a Blu-ray player (where) you have an environment where someone is giving you a device that has a private key to protect intellectual property and you have physical access to the device.”

Right. So getting into a comms room and doing this to a server for over one hundred hours undetected seems unlikely. But if the machine overheats or experiences fluctuations “naturally”, it will leak secret data. This could then be intercepted by attackers. The boffins have also tried natural radiation and laser sources.

It may also be possible to apply this method to other crypto libraries, such as the one created by Mozilla.

Sounds like pulling this off would take a highly trained team of covert operatives. So I don’t think your average business has much to worry about.
