Rechercher
Contactez-nous Suivez-nous sur Twitter En francais English Language
 

Freely subscribe to our NEWSLETTER

Newsletter FR

Newsletter EN

Vulnérabilités

Unsubscribe

Vigil@nce - NSS: accepting short DHE keys

November 2010 by Vigil@nce

This bulletin was written by Vigil@nce : http://vigilance.fr/

SYNTHESIS OF THE VULNERABILITY

When an SSL/TLS server uses a short DHE key, an attacker who
captured the session can decrypt it more easily.

Severity: 1/4

Creation date: 02/11/2010

DESCRIPTION OF THE VULNERABILITY

The NSS (Network Security Services) library implements SSL/TLS.

An attacker, who is located between the client and the server, and
who knows the server secret key, can decrypt a SSL/TLS session.
The EDH/DHE (Ephemeral Diffie-Hellman) algorithm is used to
compute a new key only known by the client and the server, so the
intermediate attacker cannot decrypt the session.

However, if the SSL/TLS server uses a short DHE key (8 bit for
example), the NSS client does not reject it. The DHE protection
can thus be bypassed by a brute force (256 cases to test for
example).

When an SSL/TLS server uses a short DHE key, an attacker who
captured the session can therefore decrypt it more easily. It can
be noted that the server has no legitimate reason to use a short
key, so this vulnerability is initially due to a server error.

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/NSS-accepting-short-DHE-keys-10090


See previous articles

    

See next articles


Your podcast Here

New, you can have your Podcast here. Contact us for more information ask:
Marc Brami
Phone: +33 1 40 92 05 55
Mail: ipsimp@free.fr

All new podcasts