Security flaw throws SSL back on quick-fix drawing board

A researcher at Lucent Technologies' Bell Laboratories has discovered a vulnerability in the SSL encryption commonly used in electronic commerce transactions.

The flaw, which has been exposed only in a laboratory setting, would allow a hacker to capture encrypted data in a session between a browser and server -- even if the browser was using the much-vaunted Secure Sockets Layer protocol to keep uninvited snoopers out.

The implications are perhaps most serious for home banking, because a hacker using this flaw could capture a user's banking information.

Although there are no known real-world attacks taking advantage of this SSL flaw, software vendors promise to have patches that mask the error messages. Netscape already has one available on its Web site for several applications, including Netscape Enterprise Server, Netscape Proxy Server and the company's messaging servers.

The vulnerability is hardly fatal, say experts. Rather, it's a hole that a savvy Web site administrator should be able to spot before a hacker can do any damage. "The good news here is that you still have to be pretty smart to break it," said Julie Ferguson, chief technology officer of Texas-based ClearCommerce.

The Lucent researcher, Daniel Bleichenbacher, who works in the secure systems research department of Bell Labs, in New Jersey, found a way for a hacker to derive the session key used in a transaction by feeding off the error messages created by a server.

First, the hacker must prepare roughly 1 million messages to send against the server to capture the information. Bleichenbacher said he created an algorithm that analyzes those messages and derives the session key -- which is randomly generated for each transaction by a combination of public and private keys at the Web site and the consumer's browser. Still, a competent site administrator should notice that his Web site has suddenly received a barrage of bad messages.

"It should be very easy to see that an attack is taking place," Bleichenbacher said. The hacker would also have to capture a session at some point on the line, likely at an Internet service provider, not knowing whether there is information within it that is worth stealing.

Because a session key is randomly generated for each session, it's possible for a hacker to capture information only about that individual session, said officials at RSA Data Security, which developed SSL in conjunction with Netscape Communications Corp. The flaw, technically found in the standard known as Public Key Cryptography System #1, does not apply to encryption algorithms themselves but rather to the way packets are placed into encrypted 'envelopes'. PKCS#1 is due to be upgraded next month, and the latest revision will account for the newly found vulnerability, said Scott Schnell, vice president of marketing at RSA.

Microsoft has also created a fix to mask the error messages that a hacker would rely upon. Company officials said they have worked with Netscape to ensure that their respective fixes do not create interoperability problems.
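What masking the error messages means in practice is shown in the added Python example below, which is not code from this article or from any vendor patch: one handler reports why a decrypted PKCS#1 'envelope' was rejected, the other answers every malformed envelope identically. The function names, the constructed sample blocks and the choice of substituting a random secret are assumptions made for illustration; RSA decryption itself is left out, so the blocks stand for already-decrypted data.

```python
import os
PMS_LEN = 48  # SSL premaster secret length in bytes

def parse_envelope(block):
    """Unwrap a PKCS#1 v1.5 envelope: 00 02 <8+ nonzero pad bytes> 00 <payload>."""
    if len(block) < 11 or block[0] != 0x00 or block[1] != 0x02:
        raise ValueError("bad block type")
    sep = block.find(b"\x00", 2)          # first zero byte ends the padding
    if sep < 10:                          # also covers "not found" (-1)
        raise ValueError("bad padding")
    return block[sep + 1:]

def leaky_handler(block):
    """Unpatched behaviour: the peer learns which check failed."""
    try:
        pms = parse_envelope(block)
    except ValueError as exc:
        return "alert: %s" % exc, None
    if len(pms) != PMS_LEN:
        return "alert: bad premaster length", None
    return "continue", pms

def masked_handler(block):
    """Masked behaviour: a random secret replaces any malformed payload, so the
    handshake fails later at the same step. Timing is not addressed here."""
    fallback = os.urandom(PMS_LEN)
    try:
        pms = parse_envelope(block)
    except ValueError:
        pms = fallback
    if len(pms) != PMS_LEN:
        pms = fallback
    return "continue", pms

def make_block(payload, pad_len=205, block_type=2):
    """Build a constructed sample block (256 bytes with the defaults)."""
    return bytes([0, block_type]) + b"\xaa" * pad_len + b"\x00" + payload

GOOD = b"\x03\x00" + b"\x11" * 46         # constructed 48-byte secret
SAMPLES = {                               # constructed inputs, one per outcome
    "valid": make_block(GOOD),
    "wrong_type": make_block(GOOD, block_type=1),
    "short_padding": make_block(GOOD, pad_len=4),
    "wrong_length": make_block(b"\x11" * 20),
}

def visible_replies(handler):
    """Distinct replies a remote peer can observe across SAMPLES."""
    return {handler(block)[0] for block in SAMPLES.values()}
```

Calling `visible_replies(leaky_handler)` yields four distinguishable replies, while `visible_replies(masked_handler)` yields only one, which is the property the patches aim for.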

Both companies said they have already alerted major customers about the problem and provided them with fixes.