From: Andrew Roos <AndrewR@beetle.vironix.co.za>
To: sameer <sameer@c2.org>
Message Hash: c630868c7bf28f25e2e60a06f8b4d8b2f4a2674970e1852bdd6563da5535c6a3
Message ID: <305F486F@beetle.vironix.co.za>
Reply To: N/A
UTC Datetime: 1995-09-19 22:45:31 UTC
Raw Date: Tue, 19 Sep 95 15:45:31 PDT
From: Andrew Roos <AndrewR@beetle.vironix.co.za>
Date: Tue, 19 Sep 95 15:45:31 PDT
To: sameer <sameer@c2.org>
Subject: A Netscape Server implementation error
Message-ID: <305F486F@beetle.vironix.co.za>
MIME-Version: 1.0
Content-Type: text/plain
Hi Sameer
Thanks in advance for the T-shirt, and I like the Web site. On the
subject of Netscape implementation errors, I note that the SSL protocol
specification states in section 5.6.1 (CLIENT-MASTER-KEY) that "It is
also an error if CLEAR-KEY-LENGTH is non-zero and the the CIPHER-KIND is
not an export cipher".
However, I note that Netscape Commerce Server 1.1 will happily accept a
"secure" connection using the non-export cipher SSL_CK_RC4_128_WITH_MD5,
even if the CLEAR-KEY-LENGTH is set to 16 and the *entire* master key is
sent unencrypted.
Here is an extract from an SSL session with www.netscape.com which
illustrates the oversight:
------------------------------- Start of Session
---------------------------
(1) The session was initialised as normal, and the following values were
exchanged in the SERVER-HELLO and CLIENT-HELLO:
Challenge:
a2 ff 2e 94 8d f9 f4 e2 2c f6 bd ae 7f 47 db 6c
Connection id:
ef 47 3b 44 db d9 8d 1a f0 da 3e 14 73 97 a3 1f
(2) I then sent the following CLIENT-MASTER-KEY message, which is
reproduced in full:
SSL Record Header:
80 9a
Message type: SSL_MT_CLIENT_MASTER_KEY
02
Cipher kind: SSL_CK_RC4_128_WITH_MD5
01 00 80
Clear key length: 16
00 10
Encypted key length: 128 bytes
00 80
Key arg length: 0
00 00
Clear key data: the *entire* master key sent in the clear
af 24 2e e8 2b b1 75 d1 27 a2 b8 76 8b 49 c3 f3
Encrypted key: this is a zero-length block formatted using PKCS#1 block
type 2 and encrypted under Netscape's public key. Since it contains no
data, an eavesdropper would not need to decrypt it in order to decrypt
the rest of the session.
af 24 2e e8 2b b1 75 d1 27 a2 b8 76 8b 49 c3 f3
9b 9b 0b ff cd e8 2f 2c 0d 16 4e 90 73 26 4e e7
e0 3f 45 8a ce 9a 21 d6 2a 6b b8 9a 20 4e bc cf
d0 01 36 86 1c db e0 8b a8 e3 4c 9b 15 11 ea 95
b1 50 3f c9 42 9a 97 77 0f 9d 29 97 7e 87 1b 8f
77 b6 c9 c6 53 90 5b 74 4c 92 99 62 ad 8b bf 4c
28 ac 1b 11 32 64 56 c9 f0 d5 6f c9 89 6b 55 3f
b9 42 aa 7b 7c f0 a1 89 93 22 13 46 e2 58 63 23
b2 51 83 92 76 46 05 65 87 86 5b 52 5a d1 02 ee
(3) I calculated the session keys in the normal manner, using the master
key which was sent entirely in the clear. The result was:
Client read key:
14 3e 84 a6 54 57 d6 51 94 cf 54 f5 5a 29 4a ef
Client write key:
9d e1 16 77 92 ee 89 f2 2d 30 c2 a2 e1 77 9f 5d
(4) Instead of disconnecting, the Netscape server sent the following
reply (the header has been removed):
28 40 00 75 b8 d6 60 68 f5 cf ba 65 78 49 35 83
d3 3a b5 d3 81 23 2d f8 7d c6 f8 47 4d 0c 62 c3
b4
This was decrypted using the client read key to give the following
SERVER_VERIFY message:
Message Authentication Code:
7b 95 2a 84 a1 55 fc 59 32 6b 53 ec e0 1d 80 4a
Message type: SSL_MT_SERVER_VERIFY
05
Challenge data (which agrees with the challenge sent in the
CLIENT-HELLO):
a2 ff 2e 94 8d f9 f4 e2 2c f6 bd ae 7f 47 db 6c
(5) The negotiation phase of the protocol was concluded with encrypted
CLIENT-FINISHED and SERVER_FINISHED messages as per normal.
(6) I sent the encrypted HTTP command "GET / HTTP/1.0" and received the
following text (after decryption, stripping MAC and header, etc:
HTTP/1.0 200 OK
Server: Netscape-Commerce/1.1
Date: Tuesday, 19-Sep-95 21:15:23 GMT
Last-modified: Tuesday, 19-Sep-95 21:14:09 GMT
Content-length: 5278
Content-type: text/html
Followed by the Netscape home page, which included the following
statement:
Find out how
Netscape is responding immediately to upgrade customers and minimize risk
of future threats.
(7) Having obtained the warm, fuzzy feeling I so desired, I closed the
connection secure in the knowledge that my secrets were safe with
Netscape.
-------------------------------- End of Session
-----------------------------
This shows that Commerce Server 1.1 is prepared to accept a "secure"
connection which is completely insecure as the entire master key has been
sent in the clear and an eavesdropper could decrypt the session without
any cryptanalysis.
This does not mean that sessions between "well-behaved" browsers and
Netscape servers are insecure, since the browser will send all 16 bytes
of the key encrypted. Neither could it be used for an active attack,
since if a new master was substituted for the one sent by the client,
this would be detected during authentication of the SERVER-VERIFY
message.
However, it would provide an opportunity for a malicious browser supplier
to "doctor" secure browsers so that they sent all (or part) of the master
key in the clear, even when using non-export ciphers. (Of course there
are better ways to do this; the "random padding" of PKCS block type 2
comes to mind).
Although this is not nearly as important a result as Ian and Davids, it
is the first server hack, so can I have another T shirt? :-)
Andrew
________________________________________________________________
Andrew Roos <andrewr@vironix.co.za>
// C++ programmers have class (but not much inheritance)
PGP Fingerprint: F6 D4 04 6E 4E 16 80 59 3A F2 27 94 8B 9F 40 26
Full key at ftp://ftp.vironix.co.za/PGP-keys/AndrewRoos
Return to September 1995
Return to “sameer <sameer@c2.org>”