Talk:DROWN attack

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Robwahl (talk | contribs) at 00:04, 13 September 2017 (Background required for non technical users). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Expansion

This stub needs a lot of expansion. But at least it's a start. -- Markshale (talk) 00:51, 2 March 2016 (UTC)

Background required for non technical users

Hello, this article reveals a recent vulnerability causing use of SSL 2.0 to be discouraged by OpenSSL and others. I think the author should include some material for the less technical user. I would include the following points. I would also expand upon significance.

In order to preserve confidentiality of often personal information, sensitive data must be encrypted to prevent it from being sniffed or read by an unwelcome party. One method of encryption is RSA. One implementation that uses RSA is SSL. SSL encrypts data at the transport layer and above and was invented in the 1990s. When the internet browser visits a site using HTTPS, SSL is used. It is also used for local network traffic authentication as well as some VPN traffic, which allows remote users to access a network; for example, when the user is away from the office, that user can access the computer system in the office. SSL does not have a control for who receives the public key, making it ideal for internet use. Knowing the private key is the only way to decrypt it. RSA was once considered to be difficult to break, but with newer computers, which include GPUs and multicore to quantum computers, it was easier to break. When RSA was invented, the protocol architects were overconfident in the key size and math complexity and used RSA just to set up a secure socket rather than for all data transmission unless AES is used like it is for media streaming because it required additional work from the computer's processor. This could multiply because the web server might have multiple people visiting the web site. Because the application only uses it for short commands which are predictable, eavesdroppers can use DROWN attacks to figure out what is said. The DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) "allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, and financial data". To avoid the DROWN attack, turn off SSL v2 and make sure private keys are not used as public keys.
However, turning off SSL v2 cannot always be done because usability is exchanged for security, meaning that older devices which may not have the latest operating system capabilities may not be able to access the content. This can be problematic for ecommerce sites that depend on having a variety of different operating systems be able to access their web site to make sales.

TLS uses an RSA algorithm of 1024 and 2048 bits and is the successor to SSL. TLS and the downgraded SSL use the same key generated from multiplying two large prime numbers.

Robwahl (talk) 23:18, 12 September 2017 (UTC)