TLS vulnerability that allows key determination for connections based on DH ciphers

Details have been disclosed about a new vulnerability (CVE-2020-1968) in the TLS protocol, codenamed Raccoon, which in rare circumstances allows an attacker to determine the preliminary primary key (pre-master). That key can be used to decrypt TLS connections, including HTTPS, when transit traffic is intercepted (MITM). It is noted that the attack is very difficult to carry out in practice and is more theoretical in nature. To carry out the attack, a specific TLS server configuration and the ability to measure the server's processing time very accurately are required.

The problem is present directly in the TLS specification and affects only connections that use ciphers based on the DH key exchange protocol (Diffie-Hellman, "TLS_DH_*"). With ECDH ciphers the problem does not occur and they remain secure. Only TLS protocols up to version 1.2 are vulnerable; TLS 1.3 is not affected by the problem. The vulnerability appears in TLS implementations that reuse the DH secret key across different TLS connections (this behaviour occurs on about 4.4% of the Alexa Top 1M servers).

In OpenSSL 1.0.2e and earlier releases, the primary DH key is reused across all server connections unless the SSL_OP_SINGLE_DH_USE option is explicitly set. Starting with OpenSSL 1.0.2f, the primary DH key is reused when static DH ciphers are used ("DH-*", for example "DH-RSA-AES256-SHA"). The vulnerability does not appear in OpenSSL 1.1.1, because this branch does not use the primary DH key and does not use DH ciphers.

When the DH key exchange method is used, both sides of the connection generate random private keys (hereafter key "a" and key "b"), from which the public keys (g^a mod p and g^b mod p) are computed and sent. After each party has received the public keys, a shared primary key (g^ab mod p) is computed, which is used to generate the session keys. The Raccoon attack allows the primary key to be determined through side-channel analysis, based on the fact that the TLS specifications up to version 1.2 require all leading zero bytes of the primary key to be discarded before the computations that involve it.

The truncated primary key is passed to the session key generation function, which is based on hash functions that take different amounts of time when processing different data. Accurately measuring the time of the key operations performed by the server allows the attacker to obtain hints (an oracle) that make it possible to judge whether or not the primary key starts with zero. For example, an attacker can intercept the public key (g^a) sent by the client, retransmit it to the server, and determine whether the resulting primary key starts with zero.

By itself, determining one byte of the key gives nothing, but by intercepting the "g^a" value sent by the client during connection negotiation, the attacker can generate a set of other values related to "g^a" and send them to the server in separate connection negotiation sessions. By generating and sending the values "g^ri * g^a", the attacker can, by analysing changes in the delay of the server's response, determine the values that lead to primary keys starting with zero. Having determined such values, the attacker can build a set of equations for solving the hidden number problem and compute the original primary key.
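The interaction between the zero-stripping rule and DH key reuse described above, as an added Python example (not code from the original article or from any TLS library). The toy modulus, the generator and the `Server` model are constructed assumptions, and the fixed-width encoding reflects how TLS 1.3 pads the DH secret to the size of the prime.

```python
import secrets

# Constructed toy group, for illustration only (far too small for real use).
P = 2**127 - 1                       # prime modulus; values encode to 16 bytes
G = 3
P_LEN = (P.bit_length() + 7) // 8


def premaster_tls12(shared: int) -> bytes:
    """TLS <= 1.2 rule: leading zero bytes of g^ab mod p are discarded."""
    return shared.to_bytes(P_LEN, "big").lstrip(b"\x00")


def premaster_fixed(shared: int) -> bytes:
    """Fixed-width encoding (TLS 1.3 pads to the prime's size): constant length."""
    return shared.to_bytes(P_LEN, "big")


class Server:
    """Hypothetical server model: reuse_key=True mimics a reused DH secret."""

    def __init__(self, reuse_key: bool):
        self.reuse_key = reuse_key
        self._b = secrets.randbelow(P - 3) + 2

    def shared_secret(self, client_public: int) -> int:
        if not self.reuse_key:               # fresh "b" for every handshake
            self._b = secrets.randbelow(P - 3) + 2
        return pow(client_public, self._b, P)


def distinct_premasters(server: Server, client_public: int, handshakes: int) -> int:
    """How many different premaster secrets one repeated g^a produces."""
    return len({premaster_tls12(server.shared_secret(client_public))
                for _ in range(handshakes)})


if __name__ == "__main__":
    g_a = pow(G, secrets.randbelow(P - 3) + 2, P)
    print("reused key :", distinct_premasters(Server(True), g_a, 8))
    print("fresh keys :", distinct_premasters(Server(False), g_a, 8))
    zero_led = 1 << 119                  # constructed value with a zero top byte
    print(len(premaster_tls12(zero_led)), len(premaster_fixed(zero_led)))
```

With a reused key the same g^a always maps to the same, possibly shortened, secret; a fresh key per handshake or a fixed-width encoding removes that stable, length-dependent property.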


In OpenSSL the vulnerability has been assigned a low severity level, and the fix was reduced to moving the problematic "TLS_DH_*" ciphers, in release 1.0.2w, into the category of ciphers with an insufficient level of protection ("weak-ssl-ciphers"), which is disabled by default. The Mozilla developers did the same, disabling the DH and DHE cipher suites in the NSS library used in Firefox. Starting with Firefox 78, the problematic ciphers are disabled. Chrome support for DH was discontinued back in 2016. The BearSSL, BoringSSL, Botan, Mbed TLS and s2n libraries are not affected by the problem because they do not support DH ciphers or the static variants of DH ciphers.

Additional problems are noted separately (CVE-2020-5929) in the TLS stack of F5 BIG-IP devices, which make the attack realistic. In particular, deviations were identified in the behaviour of the devices when a zero byte is present at the start of the primary key, which can be used instead of measuring the exact latency of the computations.

Source: opennet.ru
