How secure is https with encryption used by SSL?
Chosen Ciphertext Attacks (June 1998)
In June 1998 researchers at Bell Laboratories discovered a technically sophisticated attack on the PKCS#1 public key cryptography standard, which is used by the SSL protocol. The attack allows an attacker to discover the session key used to encrypt a single Web session by sending approximately one million carefully constructed messages to the Web server and observing its responses. If the session key is successfully compromised, the attacker can then read the contents of that single Web session (the requested URL and the returned document, plus any information sent in cookies or fill-out forms). Because the attack does not compromise the server's private key, it has to be repeated for each session the attacker wants to read. Although the attack requires many trials and may take a significant length of time to complete, it is far more efficient than brute-force guessing.
Because the attack requires many messages to be sent to the Web server, you may be able to detect it by noting an increase in CPU or memory usage, or unusually high network activity. In addition, products based on the SSLeay library, such as C2Net's Stronghold product, will see the SSL error log suddenly grow by approximately 300 MB.
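The detection idea above, sketched as an added example that is not part of the original page or of any product named on it: a sliding-window count of RSA/padding handshake failures per client over an SSL error log. The log line format, the error wording, the window and the threshold are all assumptions made for illustration, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical error-log line format (an assumption, not a real server's format):
#   2024-01-01T12:00:00 client=203.0.113.7 error="handshake failed: rsa padding check"
LINE_RE = re.compile(r'^(\S+) client=(\S+) error="([^"]*)"$')

def find_handshake_floods(lines, window=timedelta(seconds=60), threshold=1000):
    """Return {client: peak count} for clients whose RSA/padding handshake
    failures reach `threshold` inside any sliding `window`.
    Assumes each client's lines appear in time order, as in an append-only log."""
    recent = defaultdict(deque)   # client -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # skip lines that are not in the assumed format
        ts, client, error = m.groups()
        err = error.lower()
        if "rsa" not in err and "padding" not in err:
            continue              # unrelated SSL errors (expired cert, etc.)
        t = datetime.fromisoformat(ts)
        q = recent[client]
        q.append(t)
        while t - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peaks[client] = max(peaks.get(client, 0), len(q))
    return peaks

def constructed_sample():
    """Constructed log lines: one client failing 5 times a second, one ordinary client."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    msg = 'error="handshake failed: rsa padding check"'
    lines = [f'{(base + timedelta(milliseconds=200 * i)).isoformat()} '
             f'client=203.0.113.7 {msg}' for i in range(50)]
    lines += [f'{(base + timedelta(hours=i)).isoformat()} '
              f'client=198.51.100.20 {msg}' for i in range(3)]
    lines.append(f'{base.isoformat()} client=198.51.100.20 error="certificate expired"')
    return lines

if __name__ == "__main__":
    print(find_handshake_floods(constructed_sample(),
                                window=timedelta(seconds=10), threshold=20))
```

In practice the threshold would be set from the server's normal rate of handshake failures, since the attack described here is distinguished by volume (on the order of a million messages against one server) rather than by any single error line.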