(LiveHacking.Com) – FREAK (or ‘Factoring attack on RSA-EXPORT Keys’) is a newly disclosed vulnerability that can force browsers into using weaker encryption keys. Once the connection is using weaker keys, the traffic can be cracked relatively quickly. This then exposes all the information that was being sent over the secure connection.
The vulnerability stems directly from an old U.S. government policy that made it illegal to export strong encryption and required that weaker “export-grade” products be shipped to customers in other countries. These export restrictions were lifted in the late 1990s, but the weaker encryption was built into widely used software, some of which made its way back into the USA.
In the 1990s the USA only allowed companies to ship technology with 512-bit encryption for use overseas. The law was designed to limit the trade in military technology. But 512-bit encryption has long been seen as “unacceptably weak” and most security experts thought that its use had ceased completely.
According to the Washington Post, it is possible to crack the export-grade encryption key in about seven hours using computers on Amazon Web Services. The site freakattack.com has a list of sites that are vulnerable to FREAK. The list “includes news organizations, retailers and financial services sites such as americanexpress.com.” According to Nadia Heninger, a University of Pennsylvania cryptographer, over 5 million sites are vulnerable to this attack vector.
FREAK has been assigned the Common Vulnerabilities and Exposures identifier CVE-2015-0204. According to the description, “The ssl3_get_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k allows remote SSL servers to conduct RSA-to-EXPORT_RSA downgrade attacks and facilitate brute-force decryption by offering a weak ephemeral RSA key in a noncompliant role.”
According to a security advisory from OpenSSL, “an OpenSSL client will accept the use of an RSA temporary key in a non-export RSA key exchange ciphersuite. A server could present a weak temporary key and downgrade the security of the session.”
This issue affects all current OpenSSL versions: 1.0.1, 1.0.0 and 0.9.8. OpenSSL 1.0.1 users should upgrade to 1.0.1k, OpenSSL 1.0.0 users should upgrade to 1.0.0p, and OpenSSL 0.9.8 users should upgrade to 0.9.8zd.
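Two offline checks that follow from the advisory, written here as an added example (this is not code from the article, OpenSSL or the FREAK researchers): the first compares an `openssl version` string against the fixed releases the advisory names (0.9.8zd, 1.0.0p, 1.0.1k), and the second scans an enumerated cipher list for export-grade suites and returns a cipher string with OpenSSL's `!EXPORT` rule appended, since a server that never offers RSA_EXPORT suites cannot be used to push a weak temporary key at a client. The version strings and the server cipher list are constructed sample values.

```python
"""Defender-side checks for CVE-2015-0204 (FREAK). Added example, not from
the article. Inputs below are constructed samples."""
import re

# Fixed release per affected branch, taken from the OpenSSL advisory quoted above.
FIXED_RELEASE = {"0.9.8": "zd", "1.0.0": "p", "1.0.1": "k"}

_VERSION_RE = re.compile(r"(\d+\.\d+\.\d+)([a-z]*)")


def parse_openssl_version(text):
    """Extract (branch, letter) from strings such as 'OpenSSL 1.0.1j 15 Oct 2014'."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError("no OpenSSL version found in %r" % text)
    return match.group(1), match.group(2)


def needs_cve_2015_0204_upgrade(text):
    """True if the version predates the advisory's fixed release for its branch,
    False if it is at or past that release, None for branches the advisory does
    not name (this check says nothing about those).

    OpenSSL letter suffixes sort as '' < 'a' < ... < 'z' < 'za' < ... < 'zd',
    which is exactly the order Python's plain string comparison gives."""
    branch, letter = parse_openssl_version(text)
    fixed = FIXED_RELEASE.get(branch)
    if fixed is None:
        return None
    return letter < fixed


# Matches the EXP / EXPORT token in both OpenSSL names (EXP-RC4-MD5) and
# IANA names (TLS_RSA_EXPORT_WITH_RC4_40_MD5).
_EXPORT_TOKEN = re.compile(r"(?:^|[-_])EXP(?:ORT)?(?:[-_]|$)")


def export_grade_suites(cipher_names):
    """Return the export-grade suites in a list, or in an OpenSSL
    colon-separated list of enumerated suite names."""
    if isinstance(cipher_names, str):
        cipher_names = cipher_names.split(":")
    return [name for name in cipher_names if _EXPORT_TOKEN.search(name)]


def without_export_suites(cipher_string):
    """Append OpenSSL's '!EXPORT' kill rule to a cipher string unless an
    equivalent rule is already present, so the server never advertises
    RSA_EXPORT suites."""
    rules = [r for r in cipher_string.split(":") if r]
    if "!EXPORT" not in rules and "!EXP" not in rules:
        rules.append("!EXPORT")
    return ":".join(rules)


# Constructed sample: what a pre-2015 server might list via `openssl ciphers`.
SAMPLE_SERVER_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
    "EXP-RC4-MD5",
    "EXP-DES-CBC-SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
]

if __name__ == "__main__":
    # Constructed sample strings in `openssl version` output format.
    for v in ("OpenSSL 1.0.1j 15 Oct 2014", "OpenSSL 1.0.1k", "OpenSSL 0.9.8zc"):
        status = needs_cve_2015_0204_upgrade(v)
        print(v, "->", "upgrade needed" if status else "at or past fixed release")
    print("export-grade suites offered:", export_grade_suites(SAMPLE_SERVER_SUITES))
    print("hardened cipher string:", without_export_suites("HIGH:MEDIUM:!aNULL"))
```

The version check deliberately returns `None` for branches the advisory does not mention rather than guessing; the cipher check is a configuration audit only and opens no network connection.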
This issue was reported to OpenSSL on 22nd October 2014 by Karthikeyan Bhargavan of the PROSECCO team at INRIA. The fix was developed by Stephen Henson of the OpenSSL core team the following day.
It also looks like Android’s web browser and Apple’s Safari browser are vulnerable. According to Matt Green, “A group of cryptographers at INRIA, Microsoft Research and IMDEA have discovered some serious vulnerabilities in OpenSSL clients (e.g., Android) and Apple TLS/SSL clients (e.g., Safari) that allow a ‘man in the middle attacker’ to downgrade connections from ‘strong’ RSA to ‘export-grade’ RSA.”