• DocumentCode
    2895099
  • Title

    Cryptographic vulnerabilities in real-life web servers

  • Author

    Alashwali, Eman Salem

  • Author_Institution
    Coll. of Comput. & IT, King Abdulaziz Univ., Jeddah, Saudi Arabia
  • fYear
    2013
  • fDate
    19-21 June 2013
  • Firstpage
    6
  • Lastpage
    11
  • Abstract
    This paper examines the security of real-life Internet servers using the most popular Secure Socket Layer (SSL) protocol to ensure secure connections. We concentrate on Rivest-Shamir-Adleman (RSA) public-key vulnerabilities which result from the initial settings of web servers. We look at the question of breaking individual RSA keys. The possibility of factoring RSA keys used by real web servers on the Internet has been a disturbing discovery which has received a lot of press in the recent months. We have conducted an Internet scan with a particular focus on commercial websites (.com and .co domains). We have created a database containing over 3 million certificate chains together with detailed information about each website, its security settings, geographic location and other relevant data. This allowed us to see how different key sizes are adopted, how many servers are using weak keys and which countries are quicker to adopt secure keys. We attempted to factor all keys we were able to collect from our scan and from another public database. The method to achieve this seemed trivial at first, but it can only be done efficiently by using a special algorithm proposed by Bernstein. We ran the computation based on an open implementation of Bernstein´s algorithm. We have been able to factor few thousands keys. The infected servers we inspected appear as Embedded Web Servers (EWS). Although we have not yet found any immediate threats to e-commerce websites, the risks that such vulnerable servers present should not be underestimated as they can be exploited to perform different types of attacks, including Denial of Service (DoS), corporate espionage and firmware modification.
  • Keywords
    Internet; cryptographic protocols; public key cryptography; Bernstein algorithm; DoS; EWS; Rivest-Shamir-Adleman public key vulnerability; SSL; corporate espionage; cryptographic vulnerability; denial of service; embedded web servers; firmware modification; geographic location; real life Internet servers; real life web servers; secure keys; secure socket layer protocol; Protocols; Public key; Web servers; cryptography; encryption; information security; public key;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Communications and Information Technology (ICCIT), 2013 Third International Conference on
  • Conference_Location
    Beirut
  • Print_ISBN
    978-1-4673-5306-9
  • Type

    conf

  • DOI
    10.1109/ICCITechnology.2013.6579513
  • Filename
    6579513