13-Year-Old Encryption Bugs Still Haunt Apps and IoT

RSA encryption has been around for decades. Unfortunately, so have bad implementations that leave it less secure.
Casey Chin

Hackers try to find novel ways to circumvent or undermine data encryption schemes all the time. But at the Black Hat security conference in Las Vegas on Wednesday, Purdue University researcher Sze Yiu Chau has a warning for the security community about a different threat to encryption: vulnerabilities that were discovered more than a decade ago still very much persist today.

The issues relate to RSA, the ubiquitous encryption algorithm and crypto system that helps protect everything from web browsers and VPNs to email and messaging applications. The problem isn’t in the RSA specification itself, but in how some companies implement it.

Chau's research focuses on flaws in how RSA cryptography can be set up to handle signature validation, checks to ensure that a "signed" chunk of encrypted data was actually verified by the sender, and that the signature hasn't been tampered with or manipulated along the way. Without strong signature validation, a third party could manipulate data or send fake data that appears to come from a trusted source. Prolific Swiss cryptographer Daniel Bleichenbacher, who currently works at Google, first demonstrated these RSA signature validation weaknesses at the CRYPTO cryptography conference in 2006.

"It's surprising to see this old problem haunt us in different libraries, different settings," says Purdue's Chau. "After 13 years people still don’t know that we have to avoid these problems—they are still persistent. So that's why I wanted to present at Black Hat. Awareness is an important factor, and we need to learn from each other’s mistakes."

Since Bleichenbacher's presentation, researchers have found RSA signature validation issues in major code bases, like the secure communication library OpenSSL in 2007 and Mozilla's Firefox in 2014.

The RSA signature verification flaws don't represent a flaw in the algorithm itself. They arise instead from insecure implementations that are too permissive about the signature characteristics they will accept, or that allow opportunities to circumvent validity checks. This creates an opening to sneak forged signatures and associated malarkey past RSA's checks. But regardless of where the vulnerabilities get introduced, they can have real-world consequences.
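To make the "too permissive" point concrete, here is an added illustration (not code from Chau's research, nor from any of the libraries the article names). It works on the encoded message that comes out of the RSA public-key operation, where these bugs live, and assumes SHA-256 with the PKCS#1 v1.5 encoding from RFC 8017. The lenient parser is a simplified, constructed stand-in for the class of implementation described above: it walks the padding and checks the hash it finds, but never confirms that the hash sits at the very end of the block. The strict verifier rebuilds the one acceptable encoding and compares the whole block, so there is nothing to parse and nothing to be lenient about.

```python
import hashlib
import hmac

# DER-encoded DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def build_encoded_message(message: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of `message` for a k-byte modulus:
    0x00 || 0x01 || PS (all 0xff, at least 8 bytes) || 0x00 || DigestInfo || H(m).
    This is the only byte string a correct signature may decrypt to."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    ps_len = k - len(t) - 3
    if ps_len < 8:
        raise ValueError("modulus too small for this digest")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + t


def strict_verify(em: bytes, message: bytes, k: int) -> bool:
    """Robust check: reconstruct the expected encoding and compare all k bytes.
    No field of `em` is trusted or parsed, so there is no slack to exploit."""
    if len(em) != k:
        return False
    expected = build_encoded_message(message, k)
    return hmac.compare_digest(em, expected)


def lenient_verify(em: bytes, message: bytes) -> bool:
    """Constructed example of a permissive verifier: scans past the 0xff padding
    to the 0x00 separator, checks DigestInfo || H(m) right after it, and then
    stops. It never checks that PS filled the whole gap or that the hash ends
    exactly at the last byte, so trailing bytes are silently ignored."""
    if len(em) < 2 or em[0] != 0x00 or em[1] != 0x01:
        return False
    i = 2
    while i < len(em) and em[i] == 0xFF:
        i += 1
    if i >= len(em) or em[i] != 0x00:
        return False
    i += 1
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return em[i:i + len(t)] == t  # the bug: bytes after the hash are not inspected


def malformed_encoded_message(message: bytes, k: int) -> bytes:
    """Constructed test vector, not a real signature: a correct hash placed
    behind a too-short padding string with arbitrary filler after it. A strict
    verifier must reject it; the lenient one above accepts it."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    head = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t
    return head + b"\xab" * (k - len(head))  # 0xab filler is a constructed value


if __name__ == "__main__":
    k = 128  # 1024-bit modulus, chosen only to keep the example short
    msg = b"constructed message"
    good = build_encoded_message(msg, k)
    bad = malformed_encoded_message(msg, k)
    print("well-formed: strict", strict_verify(good, msg, k), "lenient", lenient_verify(good, msg))
    print("malformed:   strict", strict_verify(bad, msg, k), "lenient", lenient_verify(bad, msg))
```

The defensive lesson is in the design of `strict_verify`: a verifier that compares the full expected block, rather than parsing the block a signer handed it, has no padding field to be lenient about. Any implementation that reads lengths, scans for separators or ignores trailing bytes should be reviewed against this pattern.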

In just a brief survey, Chau found six RSA implementations with the signature verification flaws. Two of them, in the open source VPN infrastructure tools Openswan and strongSwan, could have been exploited to bypass authentication requirements for VPNs—potentially exposing data that a user expects to be shielded. And since Openswan and strongSwan are both publicly available tools that can be used by anyone, the flaws may have been perpetuated across a number of VPNs and other secure connection tools. Chau says that both Openswan and strongSwan were responsive about the issues and quickly fixed them in August and September 2018.

The signature verification issues can show up in other common and foundational web-security protocol implementations, too, like the secure network protocol SSH and the data-security extensions for the internet’s phone-book lookup protocol, known as DNSSEC.

Not all open source tools and code libraries that contain these weak implementations are responsive about issuing fixes, though. And many developers without a specific background in cryptography will incorporate prefab components into their projects without knowing to check for cryptographic implementation issues. Chau says that this is of particular concern in apps or small gadgets that are often rushed to market, like internet of things devices.

"There are developers in the IoT community using these products. For example, we found the issues in two open source TLS web encryption libraries," Chau says, referring to the Transport Layer Security protocol that encrypts data to and from a website. "We don't know what commercial products use them, but the numbers show that they have 20 or 30 downloads each week. For developers, particularly application developers, they just want to make things work. They don’t necessarily understand how the crypto works underneath."

By continuing to find variants of these vulnerabilities and talk about them, Chau hopes to mobilize developers to stamp them out. But a larger takeaway, he says, is the need to think about how encryption standards and documentation are written, to make it less likely that people can interpret them in ways that are ultimately insecure. Given that it’s been 13 years already for these RSA signature verification issues, it may be time for a more fundamental shift.
