The FREAK crypto downgrade attack [LWN.net]

By Jake Edge
March 4, 2015

For the most part, cryptography is not what is letting us down security-wise. Most of the algorithms are solid and, if used correctly, essentially uncrackable in any sensible time frame. There are exceptions, of course, but by and large cryptography has served us well. Unfortunately, we commonly have programs that provide ways to downgrade the cryptographic algorithms or hamper them in other ways (e.g. shorter keys) so that they no longer serve to protect our data as they should.

When an attacker can cause systems to use a weaker encryption algorithm, perhaps one that has serious flaws, it is called a "downgrade attack". The latest entrant into the pantheon of downgrade attacks is one that has been dubbed FREAK (which stands for "Factoring attack on RSA-EXPORT keys"). It uses the ability of a man-in-the-middle attacker to downgrade the encryption used by many web sites when accessed by users with the Safari and Android browsers. As the name indicates, attackers could cause the affected systems to use the purposely weakened export version of the RSA cipher that limited key length to 512 bits.

In a delicious irony, the web site of the US National Security Administration (NSA)—which mandated the use of export-grade RSA keys during the crypto wars of the 1990s—was affected by FREAK. Many other sites were too, of course. But those sites are only vulnerable when they are accessed from a vulnerable client.

Even though the export version of the RSA suite is considered to be a "zombie" by many, it is evidently still present in multiple web servers. As Matthew Green noted in his analysis, it shouldn't matter if the web servers still have the export version of RSA available if the clients do not request the 512-bit export-grade keys. Also, clients need to reject those keys if they haven't requested them. It is the latter piece that fails here.

It turns out that a man in the middle can alter the client's initial message to the server (which is sent in the clear) to change its request for the standard RSA cipher to a request for the export version. If the server supports export RSA, it will happily send back a weak RSA key that is vouched for by the server's certificate. Apparently, roughly 35% of the internet, much of that being systems run by content delivery networks (CDNS), does or did support export-grade RSA. The client, though, knows (or should know) that it requested the standard RSA cipher so it should reject the weakened export key. But the vulnerable clients do not do that.

Even after the twin assumptions that few servers still supported export RSA and that few clients would request and accept those keys were invalidated, there was still one more line of defense: factoring 512-bit RSA keys is not trivial, so traffic could not be intercepted in realtime. It could only be read later, after the key was broken, which takes some seven hours and costs $104 on Amazon's cloud servers.

But, in reality, even that "barrier" fell. It turns out that, by default, Apache's mod_ssl will only generate a single export RSA key every time it starts up. From then on, it uses the same key over and over again. So, breaking that key once allows realtime decryption of all of the traffic from then on—until the web server gets restarted.

While man-in-the-middle attacks seemed somewhat difficult for attackers to engineer at one point in time, that is really no longer operative (if it ever really was). It is clear that governments, at least, are fully willing to perform such attacks. Any internet service provider (ISP) is perfectly positioned to attack its customers that way, as are the operators of the wireless networks in millions of locations worldwide. But, of course, encryption is meant to thwart man-in-the-middle attacks.

Part of the problem here is that TLS (or, really, its predecessor, SSL) was "designed to be broken", Green said. Because of US government mandates about exporting cryptography, SSL needed to handle both strong and weak encryption. That led to the cipher suite negotiation that would (hopefully) allow clients and servers to arrive at the strongest encryption that both could support. But it also led to attackers exploiting the ability of clients and servers to back down to simpler ciphers and protocols.

FREAK is not the first downgrade vulnerability that we have seen and it certainly won't be the last. POODLE is a famous one that exploited systems that would fall back to SSL 3, rather than require TLS 1.1 or higher, and there have been others. Even ISPs that remove STARTTLS from SMTP server responses are performing a kind of downgrade attack. When protocols are designed with the possibility to downgrade, attackers are going to try to find a way to exploit that. It is something for protocol designers to keep in mind down the road.

Index entries for this article
Security	Cryptography
Security	Vulnerabilities/Crypto downgrade

to post comments

The FREAK crypto downgrade attack

Posted Mar 5, 2015 8:09 UTC (Thu) by nmav (guest, #34036) [Link] (1 responses)

I think the article confuses on the extend of the issue. This is a bug in a specific crypto library, rather than a generic crypto downgrade attack.

The FREAK crypto downgrade attack

Posted Mar 5, 2015 8:21 UTC (Thu) by dlang (guest, #313) [Link]

I thought that the issue here was less about the ability to affect what cipher is selected than it is the fact that the old, now horribly weak, ciphers were still enabled by default.

I would have expected that significant sites would have been adjusting what ciphers they support over time. I know that the routine third-party scans that I have dealt with have raised this issue routinely (it's one of the more trivial things for the automatic scanning tools to check, and it sounds very impressive as a scary problem, justifying the third party work). I worked for a long time in the Banking industry and I know how horribly insecure a lot of the infrastructure and internals of banking systems are, but the external websites should have been better than this.

The FREAK crypto downgrade attack

Posted Mar 5, 2015 10:25 UTC (Thu) by xnox (subscriber, #63320) [Link] (2 responses)

How can I check that my server / my OS does not support these weak RSA keys _at all_? Can I recompile openss/gnutls/nss without them?

The FREAK crypto downgrade attack

Posted Mar 5, 2015 10:39 UTC (Thu) by jnareb (subscriber, #46500) [Link] (1 responses)

On https://freakattack.com/ you can check if your *client* is vulnerable, and there is there also list of top servers still vulnerable, and instructions how to configure server to disable weak keys support.

The FREAK crypto downgrade attack

Posted Mar 6, 2015 22:27 UTC (Fri) by job (guest, #670) [Link]

Look under the heading "Servers" on the mentioned page, and there is a link to https://tools.keycdn.com/freak , which can test if your web server is vulnerable.

The authors say that 37% of all servers are vulnerable, but that may depend on where in the world you are. I had to search very hard before I finally found a server in the wild that is vulnerable to this. The published top list of vulnerable sites consists mostly of Chinese and Indian sites (but then again, that may be true for most of the web today).

The FREAK crypto downgrade attack

Posted Mar 5, 2015 23:34 UTC (Thu) by jello (subscriber, #6083) [Link]

Mozilla has a nice UI to help server admins set secure ciphers at https://mozilla.github.io/server-side-tls/ssl-config-gene... with options for how old the browsers you support are. All their options disable the EXPORT ciphers.

The LWN admins may want to take a look at it, according to https://www.ssllabs.com/ssltest/analyze.html?d=lwn.net there are a few improvements that could be made. :)