2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
I. Vulnerability analysis
Background
On March 26, 2015, Itsik Mantin, a researcher at the data security company Imperva, presented the paper "Attacking SSL when using RC4" at Black Hat Asia 2015. It shows how a 13-year-old RC4 weakness, the invariant weak keys of the invariance weakness described by Fluhrer, Mantin and Shamir in "Weaknesses in the Key Scheduling Algorithm of RC4" (FMS, 2001), can be used against SSL, and names the attack the "Bar Mitzvah Attack".
As of March 2015, about 30 per cent of network traffic was still protected by RC4. With the Bar Mitzvah attack, an attacker who can only sniff traffic can, under certain conditions, recover plaintext from messages protected by RC4, which exposes account names, passwords, credit card numbers and other sensitive data; from a man-in-the-middle position, session hijacking is also possible.
Attack methods and modes
Passive mode: the attacker listens to a large number of SSL connections and knows that the first encrypted message of each connection contains the SSL Finished message followed by an HTTP request, both of which have predictable content. The attacker then waits for a connection that used an invariant weak key. In such a connection the keystream's least significant bits follow a fixed pattern, and because the keystream is XORed with the plaintext, that pattern, and with it the LSBs of the plaintext, shows through in the ciphertext.
Active mode: the attacker additionally uses DNS poisoning to redirect connections to a malicious host that acts as a man-in-the-middle, which makes it possible to sniff and hijack the sessions of a large number of users efficiently.
Vulnerability principle and details
According to "Attacking SSL when using RC4", the root cause is the invariance weakness: an invariant weak key is an L-shaped pattern in the RC4 key. When the key contains this pattern, part of the internal state is carried through the whole key scheduling (initialization) unchanged. The preserved part is the least significant bits of the state permutation, and when the PRGA processes that state, those bits determine the least significant bits of the pseudorandom output stream. The biased keystream bytes are XORed with the plaintext, so important plaintext information leaks into the ciphertext.
Host vulnerability: SSL/TLS Bar Mitzvah (BAR-MITZVAH) attack vulnerability (CVE-2015-2808) [principle scan], RC4 cipher suite
[Figure: State transition (from "Attacking SSL when using RC4")]
This pattern can cover different numbers of LSBs (a single LSB, 2 LSBs, and so on), which gives different classes of RC4 weak keys.
If a key of class q is used (q is the number of affected LSBs), the following happens:
The RC4 initialization (KSA) fails to mix the state and the key properly, and the q least significant bits of the internal state keep their initial values.
The initial state of RC4 therefore has q LSBs that are fixed and unmixed.
The q least significant bits of the first 30-50 keystream bytes follow a deterministic pattern with significant probability.
The q least significant bits of the first 30-50 plaintext bytes are consequently exposed with significant probability.
Many SSL cipher suites use RC4 for encryption. The RC4 keys are derived during the handshake, one for the upstream data stream (client to server) and one for the downstream data stream (server to client). Encryption is stateful: the first message consumes the first keystream bytes, and each following message continues from where the keystream left off (comparable to the chaining in CBC mode). Because the certainty in the least significant bits is lost as the keystream advances, the invariant weak key can only be exploited against roughly the first 100 bytes protected.
The SSL Finished message is the first encrypted message in each direction (upstream and downstream), and it always takes 36 bytes, which leaves 64 bytes of biased keystream for the attacker.
II. Security check
Online detection: server test: https://www.ssllabs.com/ssltest/index.html
Browser test: https://www.ssllabs.com/ssltest/viewMyClient.html
Local detection (for the server; openssl must be installed on the Linux server):
$ openssl s_client -connect yinxiang.com:443 -cipher RC4
If the certificate information is displayed, the server accepted an RC4 suite and is at risk.
If "sslv3 alert handshake failure" is displayed instead, the server does not have this vulnerability.
Note that OpenSSL 1.1.0 and later are built without RC4 unless weak ciphers were enabled at build time; on such a client the command fails locally (no cipher match) without ever testing the server, so use an older build or the online test above.
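As an added example (not part of the article), the same check can be done without depending on what the local OpenSSL build supports: the script below builds a raw TLS ClientHello that offers only the four RC4 suites named by the Chrome blacklist in the patching section (0x0004 TLS_RSA_WITH_RC4_128_MD5, 0x0005 TLS_RSA_WITH_RC4_128_SHA, 0xc011 TLS_ECDHE_RSA_WITH_RC4_128_SHA, 0xc007 TLS_ECDHE_ECDSA_WITH_RC4_128_SHA) and classifies the server's first record: a ServerHello selecting one of them means RC4 is negotiable, a handshake_failure alert means it is not. Host name, port and timeout are parameters; the record builder and parser are kept separate from the socket call so they can be exercised on constructed records offline.

```python
# Added example (not from the article): a raw-TLS probe that offers a server only the
# RC4 suites and reports whether the server picks one. Needs network only in probe_rc4().
import os
import socket
import struct
from typing import Dict, Iterable, Optional

RC4_SUITES: Dict[int, str] = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}
HANDSHAKE, ALERT = 0x16, 0x15
SERVER_HELLO = 0x02
HANDSHAKE_FAILURE = 40


def build_client_hello(server_name: str, suites: Iterable[int] = tuple(RC4_SUITES),
                       version: int = 0x0303, client_random: Optional[bytes] = None) -> bytes:
    """ClientHello (TLS 1.2 by default, in a TLS 1.0 record for compatibility) that offers
    only `suites`, the null compression method and an SNI extension. Assumption: no other
    extensions are needed for the servers being checked."""
    client_random = client_random if client_random is not None else os.urandom(32)
    host = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list     # extension server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", version) + client_random
            + b"\x00"                                                  # empty session id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                                              # compression: null only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return bytes([HANDSHAKE]) + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_server_response(data: bytes) -> Dict[str, object]:
    """Classify the first TLS record a server sends back to the RC4-only ClientHello."""
    if len(data) < 5:
        return {"kind": "no_response", "rc4_accepted": False}
    content_type, _record_version, record_len = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + record_len]
    if content_type == ALERT and len(payload) >= 2:
        # A fatal handshake_failure (40) is the "no cipher in common" answer the article
        # describes for openssl s_client; any alert means RC4 was not negotiated.
        return {"kind": "alert", "description": payload[1], "rc4_accepted": False}
    if content_type == HANDSHAKE and len(payload) >= 39 and payload[0] == SERVER_HELLO:
        # ServerHello layout: type(1) length(3) version(2) random(32) sid_len(1) sid cipher(2)
        sid_len = payload[38]
        end = 41 + sid_len
        if len(payload) >= end:
            suite = struct.unpack("!H", payload[39 + sid_len:end])[0]
            return {"kind": "server_hello", "cipher_suite": suite,
                    "cipher_name": RC4_SUITES.get(suite, "0x%04x" % suite),
                    "rc4_accepted": suite in RC4_SUITES}
    return {"kind": "unrecognised", "rc4_accepted": False}


def probe_rc4(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, object]:
    """Connect, send the RC4-only ClientHello and classify the answer (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        return parse_server_response(sock.recv(4096))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "yinxiang.com"   # host from the openssl check above
    result = probe_rc4(target)
    verdict = "at risk: server negotiated RC4" if result["rc4_accepted"] else "ok: RC4 refused"
    print(target, result, verdict)
```

Servers that answer a ServerHello for one of the four suites are at risk regardless of what the local OpenSSL supports; servers that answer an alert, close the connection, or pick a suite outside the offered set are reported as not negotiating RC4.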
III. Patching methods
Server
Patching for NGINX
Edit the ssl_ciphers entry in the nginx configuration file so that the suite list excludes RC4 explicitly, and let the server choose the suite:
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on;
Reload:
$ sudo /etc/init.d/nginx reload
Patching for Apache
Open the configuration file:
$ sudo vi /etc/httpd/conf.d/ssl.conf
Modify the cipher suite directive:
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!RC4
Restart:
$ sudo /etc/init.d/httpd restart
Patching for Tomcat
Add the following attributes to the SSL connector in server.xml. The list must not contain any RC4 suite: the original list included TLS_ECDHE_RSA_WITH_RC4_128_SHA and SSL_RSA_WITH_RC4_128_SHA, which would defeat the fix, so they are removed here:
SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
[Figure: Tomcat example]
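Added example, not from the article: a small lint for the cipher settings in the nginx, Apache and Tomcat fixes above. It replays the OpenSSL cipher-string modifiers (nginx ssl_ciphers, Apache SSLCipherSuite) just far enough to answer one question, whether RC4 can still be negotiated, and scans a JSSE suite list (Tomcat ciphers) for RC4 names. The set of keyword groups that contain RC4 suites is taken from OpenSSL 1.0.x and is an assumption of this lint; it errs on the side of reporting RC4 as enabled, ignores anonymous (aNULL) suites, and does not replace checking the running server.

```python
# Added example (not from the article): does a cipher setting still allow RC4?
from typing import List

# ASSUMPTION: OpenSSL 1.0.x keyword groups that contain RC4 suites (HIGH does not, MEDIUM does).
RC4_BEARING_GROUPS = {
    "ALL", "DEFAULT", "MEDIUM", "RC4", "SSLv3", "TLSv1", "RSA", "kRSA", "aRSA",
    "ECDH", "kECDH", "kEECDH", "EECDH", "ECDHE", "ECDSA", "aECDSA", "MD5", "SHA", "SHA1",
}
# Keywords whose removal takes every (authenticated) RC4 suite with it.
KILLS_ALL_RC4 = {"ALL", "DEFAULT", "RC4"}

# Settings from the article's fixes, plus the original Tomcat list (constructed here).
NGINX_FIXED = ("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
               "DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:"
               "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:"
               "DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
               "AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:"
               "DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4")
APACHE_FIXED = "HIGH:MEDIUM:!aNULL:!MD5:!RC4"
TOMCAT_ORIGINAL = ("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,"
                   "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,"
                   "TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,"
                   "TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,"
                   "TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA")
TOMCAT_FIXED = ",".join(c for c in TOMCAT_ORIGINAL.split(",") if "RC4" not in c)


def _bears_rc4(keyword: str) -> bool:
    """True if one keyword (modifier already stripped) can add RC4 suites.
    'A+B' is an intersection, so every part must contain RC4 suites."""
    return all(p in RC4_BEARING_GROUPS or "RC4" in p.upper() for p in keyword.split("+"))


def rc4_enabled_openssl(cipher_string: str) -> bool:
    """Walk the list left to right: '!X' removes X permanently, '-X' removes it until a
    later keyword re-adds it, '+X' and '@...' only reorder. Partial kills such as '!MD5'
    are ignored, which keeps the answer conservative (RC4 stays reported as enabled)."""
    killed = False
    enabled = False
    for raw in cipher_string.replace(",", ":").split(":"):
        token = raw.strip()
        if not token or token.startswith("@"):
            continue
        mod, name = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        if not _bears_rc4(name):
            continue
        if mod == "!" and name in KILLS_ALL_RC4:
            killed = True
        elif mod == "-" and name in KILLS_ALL_RC4:
            enabled = False
        elif mod == "":
            enabled = True
    return enabled and not killed


def rc4_suites_in_jsse_list(ciphers_attr: str) -> List[str]:
    """Tomcat/JSSE lists name suites explicitly; every name containing RC4 is a finding."""
    return [c.strip() for c in ciphers_attr.split(",") if "RC4" in c.strip().upper()]


if __name__ == "__main__":
    for label, setting in (("nginx", NGINX_FIXED), ("apache", APACHE_FIXED),
                           ("apache without !RC4", "HIGH:MEDIUM:!aNULL:!MD5")):
        print(f"{label}: RC4 {'ENABLED' if rc4_enabled_openssl(setting) else 'disabled'}")
    print("tomcat original:", rc4_suites_in_jsse_list(TOMCAT_ORIGINAL) or "no RC4")
    print("tomcat fixed:   ", rc4_suites_in_jsse_list(TOMCAT_FIXED) or "no RC4")
```

The Apache string works only because of the trailing !RC4: MEDIUM alone re-enables RC4 in OpenSSL 1.0.x, which the lint reports.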
Patching for IIS
Save the following as fix.reg and double-click it to apply the registry changes. The RC4 128/128 entry is added here for consistency with the IE section below; the original list only disabled the 40-, 56- and 64-bit RC4 variants, which leaves the 128-bit suites that SSL/TLS actually negotiates enabled:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:00000000

; added: the 128-bit RC4 suites are the ones SSL/TLS negotiates
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
Client browser
Patching for the Chrome browser
@ linux
Close the browser and start it from a terminal with the RC4 suites blacklisted:
$ google-chrome --cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007
@ windows
Right-click the shortcut icon, open its properties and append the following to the Target field, separated from the executable path by a space: --cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007
Restart the browser for the change to take effect.
@ macos
Enter the following in a terminal:
$ "/Applications/Google Chrome.app/Contents/MacOS/Google Chrome" --cipher-suite-blacklist=0x0004,0x0005,0xc011,0xc007
Patching for Firefox (all platforms)
Enter about:config in the address bar, type rc4 in the search box, and double-click each rc4-related preference to set its value to false, which disables the RC4 cipher suites, as shown below:
[Figure: Firefox about:config, rc4 preferences set to false]
Patching for IE (Windows only)
Reference solution: https://www.sslshopper.com/article-how-to-disable-ssl-2.0-in-iis-7.html
Run -> regedit, then set the following values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
Or save the following as fix.reg and double-click it to apply the registry changes:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000