Friday, February 5, 2016

What is FREAK Attack ?



How does FREAK Attack affect us

Normally, we use HTTP Protocol to browse the internet and visit a website. When we type a URL in the browser, an HTTP request goes to the server and the server responds with appropriate HTML page.






If we think about security, HTTP is an unsecured protocol. When data travels between the client and the server, it is unencrypted and as a result, not safe from attacks like Man In The Middle Attack.

But, we need some secure protocol to transfer sensitive data, for example while transferring data for bank transactions etc. And so, HTTPS was developed.

This HTTPS uses SSL/TLS for security. That means, all data transferred between the server and the browser gets encrypted first and then transferred. First, a TLS connection is established between the server and client (browser) and a key is negotiated between them. And then, all data is encrypted with the key and sent over.

FREAK Attack is an attack in which the attacker exploits a vulnerability of SSL/TLS protocol and breaks the encryption to steal sensitive data transferred between the browser and the server.



How is FREAK Attack perpetrated

Many a times SSL/TLS protocol depends on RSA to transfer secret information between the browser and the server. Once upon a time, servers and clients used to use 'export RSA' instead of RSA and that would rely on a 512 bit long weaker export RSA encryption keys. Later, we stopped using 'export RSA', but in many servers and browsers the support for 'export RSA' remained.

FREAK Attack is an attack in which the attacker exploits this opportunity and tricks the browser and the server to use 'export RSA' instead of stronger RSA.

Let's understand how the attack works actually.

  • The browser uses HTTPS, which is HTTP over SSL/TLS and tries to establish a secure connection to the server. For that reason, the browser sends a Client Hello message to the server asking for using standard stronger RSA ciphersuite.
  • The attacker intercepts the conversation and replaces RSA ciphersuite message with 'export RSA'
  • The server does not understand the trick and responds to the client with a 512 bit export RSA key signed with its certificate.
  • The client (browser) also does not understand the trick and accepts 'export RSA'
  • The communication starts using 'export RSA'
  • The client and the server exchanges pre-master secret, that is the secrets on the encryption keys using which the data will be encrypted further.
  • The attacker easily breaks weaker export RSA encryption and gets the secret information.
  • The attacker can now derive the secret keys using which the sensitive data will be encrypted and transferred between the browser and the server.


Mitigation

Good that almost all modern browsers have released security patches against this vulnerability of FREAK Attack. As per the security patches, modern browsers and servers removed the support for 'export RSA' ciphersuite, making our data more secure.



This was an article to give information on FREAK Attack, hope you liked it.

No comments:

Post a Comment