FREAK

Factoring Attack on RSA-Export Keys

"This server is vulnerable to FREAK attack. Disable support for any export suites on your server and disable all insecure ciphers."

Problem

During the 1990s, the U.S. government set up rules for the export of encryption systems. These rules limited the strength of RSA keys to a maximum of 512 bits in any Secure Sockets Layer (SSL) implementation intended for export. The rules were eventually relaxed, the "export" cipher suites fell out of use, and by the year 2000 browsers were able to use stronger SSL.

A team of researchers revealed that the old export-grade cryptographic suites are still in use today. A server that supports RSA export cipher suites allows a man-in-the-middle (MITM) to trick a client that also supports the weak suites into negotiating one of these 40- and/or 56-bit export cipher suites, downgrading the connection. The MITM can then use today's computing power to crack those keys in just a few hours.

The FREAK attack is possible because some servers, browsers, and other SSL implementations still support and use the weaker export-grade cryptographic suites, which lets a MITM force these clients to use export-grade keys even when they never asked for export-grade encryption. Once the session's encryption is cracked, the MITM can read any 'secured' personal information exchanged in the session.

A connection is vulnerable if these conditions are met:

  1. The server must support RSA export cipher suites.
  2. The client must meet one of these conditions:
    • It offers an RSA export suite
    • It uses Apple SecureTransport
    • It uses a vulnerable version of OpenSSL
    • It uses Secure Channel (Schannel)

Support for export-grade cryptographic suites was found in OpenSSL and Apple's Secure Transport (used in Chrome, Safari, Opera, and the Android and BlackBerry stock browsers), as well as in Windows Secure Channel/Schannel (a cryptographic library included in all supported versions of Windows and used in Internet Explorer).

Solution

Server-side

Disable support for all export-grade cipher suites on your servers. We also recommend disabling support for all known insecure ciphers (not just RSA export ciphers) and all ciphers with 40- and 56-bit encryption, and enabling perfect forward secrecy (see Enabling Perfect Forward Secrecy).
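The following Python script is an added example written for this page, not code from the advisory or any of the named vendors. It classifies cipher-suite names (as a TLS scanner or `openssl ciphers -v` reports them) so you can check both conditions above: whether a server still offers RSA export suites, and whether the local OpenSSL build can still negotiate them. The sample suite list and the hardened cipher string are constructed for the example.

```python
import re
import ssl

# Constructed sample: suite names as a scanner or `openssl ciphers -v`
# would list them for a legacy server. Any EXP-* entry is an RSA export
# suite, which is condition 1 of the FREAK attack.
SAMPLE_SERVER_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
    "EXP-RC4-MD5",        # 40-bit RC4 keyed via a 512-bit RSA export key
    "EXP-DES-CBC-SHA",    # 40-bit DES, RSA export key
    "EXP1024-RC4-SHA",    # 56-bit RC4, 1024-bit "export" RSA key
    "DES-CBC-SHA",        # single DES: 56-bit, not export but still weak
    "RC4-MD5",            # RC4: prohibited for TLS by RFC 7465
]

# OpenSSL names export suites with an EXP/EXP1024 prefix; IANA names use
# _EXPORT_ or _EXPORT1024_ (e.g. TLS_RSA_EXPORT_WITH_RC4_40_MD5).
EXPORT_RE = re.compile(r"(^|[-_])EXP(ORT)?(1024)?[-_]")
# 40/56-bit and otherwise broken bulk ciphers: single DES (not DES-CBC3),
# RC2, RC4 and the NULL cipher.
WEAK_RE = re.compile(r"(^|[-_])(DES[-_]CBC[-_](?!3)|DES[-_]40|RC2|RC4|NULL)")

def classify(suite: str) -> str:
    """Return 'export', 'weak' or 'ok' for one cipher-suite name."""
    name = suite.upper()
    if EXPORT_RE.search(name):
        return "export"
    if WEAK_RE.search(name):
        return "weak"
    return "ok"

def audit(suites):
    """Map every suite name to its classification."""
    return {s: classify(s) for s in suites}

def freak_exposed(suites) -> bool:
    """True if the list contains any RSA export suite (FREAK condition 1)."""
    return any(classify(s) == "export" for s in suites)

def local_openssl_suites(cipher_string="ALL:COMPLEMENTOFALL"):
    """Suite names the local OpenSSL build can negotiate for a cipher
    string. With ALL:COMPLEMENTOFALL this shows whether the library still
    ships export suites at all (the 'vulnerable version of OpenSSL' case)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]

# Constructed hardened server cipher string: forward-secret ECDHE suites
# only, explicitly excluding export, anonymous, NULL, DES, RC4 and MD5.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!EXPORT:!aNULL:!eNULL:!DES:!RC4:!MD5"
```

Run `audit(local_openssl_suites())` against your own build and `freak_exposed(...)` against a scanner's list for each server; anything classified 'export' must go, and the 'weak' entries are the 40/56-bit and known-insecure suites the paragraph above says to drop as well.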

Client-side

Vulnerable clients include software that relies on OpenSSL or Apple's Secure Transport (Chrome, Safari, Opera, the Android and BlackBerry stock browsers), or on Windows Secure Channel/Schannel (Internet Explorer).
