By Dan Goodin in San Francisco
4th March 2010
Computer scientists say they've discovered a "severe vulnerability" in
the world's most widely used software encryption package that allows
them to retrieve a machine's secret cryptographic key.
The bug in the OpenSSL cryptographic library is significant because the
open-source package is used to protect sensitive data in countless
applications and operating systems throughout the world. Although the
attack technique is difficult to carry out, it could eventually be
applied to a wide variety of devices, particularly media players and
smartphones with anti-copying mechanisms.
"Wherever you need to verify the origin of a piece of software or a
piece of information, those building blocks come in handy," said Karsten
Nohl, an independent security researcher who in unrelated attacks has
broken encryption in widely used smartcards and cordless phones. "The
OpenSSL library provides much more than just SSL."
The scientists, from the University of Michigan's electrical engineering
and computer science departments, said the bug is easily fixed by
applying cryptographic "salt" to an underlying error-checking algorithm.
The additional randomization would make the attack unfeasible.
Register now for HITBSecConf2010 - Dubai, the premier
deep-knowledge network security event in the GCC,
featuring keynote speakers John Viega and Matt Watchinski!