Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Stunnel: RSA timing attacks / key discovery
From: Brian Hatch <bri () ifokr org>
Date: Fri, 21 Mar 2003 12:28:42 -0800

Release Date:          2003-Mar-21
Package:               stunnel
Versions:              Stunnel 3.x    x <= 22
                       Stunnel 4.x    x <= 04
Problem type:          Key discovery / Information Leakage
Exploit script:        None publicly available
Severity:              High
Network-accessible:    yes
Network-accessible:    yes
Discovery:             D. Boneh, D. Brumley
Writeup:               Brian Hatch <bri () stunnel org>

Summary:               SSL sessions where RSA blinding is not in effect
                       are vulnerable to timing attacks which could
                       allow a cracker to discover your private RSA key.

   Stunnel is an SSL wrapper able to act as an SSL client or server,
   enabling non-SSL aware applications and servers to utilize SSL encryption.

   Dan Boneh and David Brumley have successfully implemented an RSA
   timing attack against OpenSSL-enabled SSL software, including
   Stunnel.  Their writeup is available at

   If you use an RSA key for an SSL server, a determined cracker could
   eventually determine your key.  This could be used to impersonate
   your server via a man-in-the-middle attack, or to decrypt all SSL
   connections between client and server that can be sniffed/etc from
   the cracker's location.

Mitigating factors:

   The timing attack works best under situations where there is little
   or no network lag, such as over a localhost connection.  If the
   attacking host is more distant that network packets have a larger
   range of turnaround times may make the attack less successful.
   However a very slow CPU on the Stunnel server (which would process
   the RSA number crunching more slowly) may counteract the network lag.

   The number of connections an attacking host must make to discover
   the key is rather large, enough that you may well notice the increase
   in your CPU usage, number of available sockets, or volume of log
   messages spewing through your system.

   * Recompile OpenSSL using the patch[1] they have supplied and then
     recompile Stunnel.


   * Apply the patch for Stunnel 3.x available at 

     or the patch for Stunnel 4.x available at 

     and recompile Stunnel.

   I expect Stunnel 4.05 and 3.23 will be released which incorporate
   these or similar patches.

For more information about Stunnel, consult the folowing pages:

   http://stunnel.mirt.net/    # Official Stunnel home page
   http://www.stunnel.org/     # Stunnel.org: FAQ/Distribution/Patches/Etc


  The code to successfully perform an RSA timing attack against Stunnel
  was created by David Brumley and Dan Boneh.  Here is the original
  email they sent to the Stunnel mailing list on 13-Mar-2003.


  To: stunnel-users () mirt net
  Date: 13 Mar 2003 16:09:17 -0800
  From: David Brumley <dbrumley () stanford edu>
  Subject: Timing attack against stunnel/OpenSSL
  Dan Boneh and I have been researching timing attacks against software
  crypto libraries.  Timing attacks are usually used to attack weak
  computing devices such as smartcards.  We've successfully developed and
  mounted timing attacks against software crypto libraries running on
  general purpose PC's.
  We found that we can recover an RSA secret from OpenSSL using anywhere
  from only 300,000 to 1.4 million queries.  We demonstrated our attack
  was pratical by successfully launching an attack against Apache +
  mod_SSL and stunnel on the local network.  Our results show that timing
  attacks are practical against widely-deploy servers running on the
  While OpenSSL definitely does provide for blinding, mod_SSL doesn't
  appear to use it. One reason is it appears difficult to enable blinding
  from the SSL API.
  This paper was submitted to Usenix security 03.  The link to the paper
  is here:
  We notified CERT about a month ago re: this attack, so it's possible you
  heard about this from them already.
  flames > /dev/null.  Feel free to write with any questions.
  -David Brumley


Brian Hatch                  Quantum Mechanics:
   Systems and                The dreams stuff
   Security Engineer          is made of.

Every message PGP signed

Attachment: _bin

  By Date           By Thread  

Current thread:
  • Stunnel: RSA timing attacks / key discovery Brian Hatch (Mar 21)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]