FREAK Attack vulnerability rooted in US encryption policy

The Washington Post has reported on the findings of a group of security researchers who have identified a new security flaw that appears to have its roots in earlier US encryption technology policy.

The FREAK attack (FREAK stands for Factoring RSA Export Keys), reported by the Post, has its roots in earlier US encryption policy, which prohibited the export of strong encryption technology from the US so that US government agencies would be able to decrypt foreign traffic. Deliberately weakened "export" cipher suites, which limit the RSA key exchange to 512-bit keys, were allowed out of the country, and support for them found its way into many products, including OpenSSL. While these suites are disabled by default, some client implementations will accept the export key-exchange message, a server-supplied 512-bit RSA key, even when the client negotiated a non-export cipher suite.

The researchers mounted a man-in-the-middle attack against a connection that begins with a non-export cipher negotiation: the attacker rewrites the client's request so that the server selects an export suite and signs a 512-bit RSA key, which a vulnerable client accepts in place of the strong key it asked for. Because the key is only 512 bits, the researchers factored it in about seven hours using what the Post reports as $50 worth of Amazon EC2 compute time. That is far longer than a handshake, but servers usually reuse the same export key for many connections, often for the lifetime of the server process, so the attacker factors it once offline and can then decrypt or impersonate later sessions. Nothing exotic is needed beyond a network position between the client and the server, such as a shared Wi-Fi network.

Ironically, many high-profile government sites are reported to be vulnerable because they still allow the export cipher suites. Some mobile browsers, Apple's Safari and the stock browser shipped with Android, are also reported to be vulnerable, which is concerning because mobile devices are not regularly or easily patched by telecom providers. Experts warn that this comes as the US government continues to press companies and operators for backdoors to their systems, which only creates additional attack vectors for the future.
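As an added illustration (not code from the article, the Post, or the FREAK researchers), the following Python script checks the server-side precondition for the attack described above: it offers a server nothing but RSA_EXPORT cipher suites and reports whether the server accepts one. The cipher suite ids are the RSA_EXPORT values from RFC 2246; the sample ServerHello and alert bytes at the bottom are constructed for offline use and were not captured from any real host. It tests whether a server will still hand out an export key, not the client-side bug itself.

```python
# Added example, not code from the article or the FREAK researchers: offer a TLS
# server nothing but RSA_EXPORT cipher suites and see whether it accepts one.
# A server that does will hand a downgraded client a factorable 512-bit RSA key,
# which is the server-side precondition for FREAK.
import os
import socket
import struct
import sys

# RSA_EXPORT suites from RFC 2246 (TLS 1.0); all limit the RSA key to 512 bits.
EXPORT_RSA_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}

def build_client_hello(server_name, suites=(0x0003, 0x0006, 0x0008), client_random=None):
    """TLS 1.0 ClientHello record offering only `suites`, with an SNI extension.
    Offering export suites alone is the downgrade a FREAK man-in-the-middle forces
    by rewriting a real client's hello."""
    rand = os.urandom(32) if client_random is None else client_random
    if len(rand) != 32:
        raise ValueError("client_random must be 32 bytes")
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    # server_name extension (type 0) so a virtual-hosted server answers for this name
    name = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x01" + rand + b"\x00"                              # version, random, empty session_id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00"                                             # one compression method: null
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body    # client_hello + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_server_hello(record):
    """Cipher suite id the server chose, or None if it answered with an alert."""
    if len(record) < 5:
        raise ValueError("truncated TLS record")
    content_type, _, _, length = struct.unpack("!BBBH", record[:5])
    payload = record[5:5 + length]
    if len(payload) < length:
        raise ValueError("truncated TLS record")
    if content_type == 0x15:                        # alert: every offered suite was refused
        return None
    if content_type != 0x16 or len(payload) < 4 or payload[0] != 0x02:
        raise ValueError("expected a ServerHello")
    body = payload[4:]                              # version(2) random(32) session_id<0..32> cipher_suite(2)
    if len(body) < 35 or len(body) < 37 + body[34]:
        raise ValueError("truncated ServerHello")
    off = 35 + body[34]
    return struct.unpack("!H", body[off:off + 2])[0]

def check_server(host, port=443, timeout=5.0):
    """Connect, send the export-only hello and return the server's chosen suite or None."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        data = b""
        while True:
            need = 5 + struct.unpack("!H", data[3:5])[0] if len(data) >= 5 else 5
            if len(data) >= need:
                break
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_server_hello(data) if data else None   # a bare close counts as a refusal

def verdict(suite):
    if suite is None:
        return "refused export suites (good)"
    if suite in EXPORT_RSA_SUITES:
        return "VULNERABLE: accepted %s (0x%04x)" % (EXPORT_RSA_SUITES[suite], suite)
    return "chose a suite it was not offered: 0x%04x" % suite

# Constructed sample responses (not captured from any real host) for offline testing:
# a ServerHello that selects 0x0003, and a fatal handshake_failure alert.
SAMPLE_SERVER_HELLO = (b"\x16\x03\x01\x00\x2a" + b"\x02\x00\x00\x26"   # record + handshake headers
                       + b"\x03\x01" + bytes(range(32)) + b"\x00"     # version, random, no session_id
                       + b"\x00\x03" + b"\x00")                       # cipher_suite, null compression
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"

if __name__ == "__main__":
    print("sample ServerHello:", verdict(parse_server_hello(SAMPLE_SERVER_HELLO)))
    print("sample alert:      ", verdict(parse_server_hello(SAMPLE_ALERT)))
    for host in sys.argv[1:]:
        print(host + ":", verdict(check_server(host)))
```

Run it with one or more hostnames as arguments. A correctly configured server answers the export-only hello with a handshake_failure (or, if TLS 1.0 is disabled, a protocol_version) alert, which the script reports as a refusal; a server that answers with one of the three export suites is exactly the kind of server that will sign a 512-bit key for a downgraded client.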

See the full story

And the original report

Test if your client is vulnerable


There is 1 Comment

This is a key-length issue. Factoring a 512-bit number takes a known amount of time which is by current standards tractable. What I'd be interested in knowing is whether there were cipher weaknesses that allowed the ciphers to be compromised *without* brute force. Using a 512-bit RSA key today is asking for trouble.