
FREAK

Factoring Attack on RSA-Export Keys

Related error

"This server is vulnerable to FREAK attack. Disable support for any export suites on your server and disable all insecure ciphers."

Problem

During the 1990s, the U.S. government set up rules for the export of encryption systems. These rules limited the strength of RSA encryption keys to a maximum of 512 bits in any Secure Sockets Layer (SSL) implementation targeted for export. Eventually the rules changed. The "export" cipher suites stopped being used, and by the year 2000, browsers were able to use higher-security SSL.

A team of researchers revealed that the old export-grade cryptographic suites are still in use today. Servers that support RSA export cipher suites could allow a man-in-the-middle (MITM) to trick clients that support the weak cipher suites into downgrading their connection. The MITM can then use today's computing power to factor those 512-bit keys in just a few hours.

The FREAK attack is possible because some servers, browsers, and other SSL implementations still support and use the weaker export-grade cryptographic suites, which lets a MITM force these clients to use export-grade keys even if they didn't ask for export-grade encryption. Once the encryption of the session is cracked, the MITM can steal any "secured" personal information from the session.

A connection is vulnerable if these conditions are met:

  1. Server must support RSA export cipher suites.

  2. Client must meet one of these conditions:

    • Offer an RSA export suite

    • Use Apple SecureTransport

    • Use a vulnerable version of OpenSSL

    • Use Secure Channel (Schannel).

Note

Support for export-grade cryptographic suites was found in OpenSSL and Apple’s Secure Transport (used in Chrome, Safari, Opera, and the Android stock browser), as well as Windows Secure Channel/Schannel (a cryptographic library included in all supported versions of Windows and used in Internet Explorer).

Solution

Server-side

Disable support for all export-grade cipher suites on your servers. We also recommend disabling support for all known insecure ciphers (not just RSA export ciphers), and ciphers with 40- and 56-bit encryption, and enabling perfect forward secrecy (see Enabling Perfect Forward Secrecy).
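The audit below is an added example (not code from the original article or from any vendor) that shows what the server-side recommendation above means in practice. It takes a constructed list of cipher suites, as a server administrator might export from a TLS configuration or a scanner, and sorts them into the categories the article names: RSA export suites (the FREAK precondition), 40- and 56-bit ciphers, other known-insecure suites (NULL, anonymous key exchange, RC4, MD5 MACs), and otherwise acceptable suites that still lack forward secrecy. The sample suite names and the hardened OpenSSL cipher string are the author's own choices; the cipher-string keywords (`!EXPORT`, `!aNULL`, `!eNULL`, `!DES`, `!RC4`, `!MD5`) are real OpenSSL syntax, but the exact string should be adapted to local policy.

```python
import re
import ssl

# Constructed sample: cipher suites as a server might advertise them (IANA names),
# deliberately mixing export-grade, 56-bit, otherwise insecure and acceptable suites.
SAMPLE_SERVER_SUITES = [
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",          # RSA export, 40-bit RC4: the FREAK target
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",       # RSA export, 40-bit DES
    "TLS_RSA_WITH_DES_CBC_SHA",                # 56-bit single DES
    "TLS_RSA_WITH_RC4_128_SHA",                # RC4 (broken stream cipher)
    "TLS_RSA_WITH_NULL_SHA",                   # no encryption at all
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",        # anonymous DH: no authentication
    "TLS_RSA_WITH_AES_128_CBC_SHA",            # fine cipher, but static RSA: no forward secrecy
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   # acceptable, forward secret
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
]

# Example hardened OpenSSL cipher string (author's choice, adapt to local policy):
# allow only ECDHE suites with AEAD ciphers and explicitly exclude the weak families
# the article names, so a later config edit cannot quietly re-enable them.
HARDENED_CIPHER_STRING = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5"
)


def classify_suite(name):
    """Return 'export', '56-bit', 'insecure' or 'acceptable' for one IANA suite name."""
    n = name.upper()
    # Export suites carry EXPORT in the name; 40-bit keys appear as _40_ or DES40.
    if "EXPORT" in n or "_40_" in n or "DES40" in n:
        return "export"
    # Single DES (56-bit). 3DES suites are spelled 3DES_EDE, so "_DES_" does not match them.
    if "_DES_" in n:
        return "56-bit"
    if re.search(r"NULL|ANON|RC4", n) or n.endswith("_MD5"):
        return "insecure"
    return "acceptable"


def offers_forward_secrecy(name):
    """True for ephemeral (EC)DHE key exchange; anonymous DH does not count."""
    n = name.upper()
    return ("ECDHE" in n or "_DHE_" in n) and "ANON" not in n


def audit(suites):
    """Group suites by category; 'no_pfs' lists acceptable suites without forward secrecy."""
    report = {"export": [], "56-bit": [], "insecure": [], "acceptable": [], "no_pfs": []}
    for suite in suites:
        category = classify_suite(suite)
        report[category].append(suite)
        if category == "acceptable" and not offers_forward_secrecy(suite):
            report["no_pfs"].append(suite)
    return report


def freak_exposed(suites):
    """The server-side FREAK precondition: any RSA export suite is still enabled."""
    return any(classify_suite(s) == "export" for s in suites)


def check_local_openssl():
    """Ask the local OpenSSL build whether it can still select export suites at all,
    and whether the hardened string is accepted. Results depend on the installed
    OpenSSL (1.1.0 and later ship without export ciphers, so 'EXPORT' matches nothing)."""
    results = {}
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("EXPORT")
        results["export_available"] = True
    except ssl.SSLError:
        results["export_available"] = False
    try:
        ctx.set_ciphers(HARDENED_CIPHER_STRING)
        results["hardened_string_ok"] = True
    except ssl.SSLError:
        results["hardened_string_ok"] = False
    return results


if __name__ == "__main__":
    report = audit(SAMPLE_SERVER_SUITES)
    for category, suites in report.items():
        print(f"{category:>10}: {suites}")
    print("FREAK exposed:", freak_exposed(SAMPLE_SERVER_SUITES))
    print("local OpenSSL:", check_local_openssl())
```

Running the script against the constructed list reports the two export suites as the FREAK exposure, the single-DES suite as 56-bit, RC4/NULL/anonymous suites as insecure, and the static-RSA AES suite as acceptable but without forward secrecy, which is the case the "Enabling Perfect Forward Secrecy" recommendation addresses. The `check_local_openssl` result only describes the local library; it says nothing about a remote server, whose enabled suites have to come from its configuration or a scan.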


Client-side

Vulnerable clients include software that relies on OpenSSL or Apple's Secure Transport (Chrome, Safari, Opera, the Android stock browser), or on Windows Secure Channel/Schannel (Internet Explorer). Update these clients to a version in which the FREAK fix has been applied.
