University of Bristol researchers have circumvented the security that OpenSSL should provide by exploiting a bug in the software.
The attack targets one specific version of the cryptography toolkit, OpenSSL 0.9.8g, and only when it is built and run with a particular set of options. The researchers sent carefully constructed messages to the Web server; each message triggered the bug and leaked part of the server's private key. With enough such messages, the researchers recovered the entire key.
"With software and hardware playing increasingly significant roles in our day-to-day life, how much can and should we trust them to be correct?" says Bristol lecturer and research team member Dan Page. "The answer, in part at least, is a stronger emphasis on and investment in formal verification and correctness of open source software."
Page says the research underscores how important software verification will be for future software engineers.
From University of Bristol News
Abstracts Copyright © 2012 Information Inc., Bethesda, Maryland, USA