Protecting against Heartbleed attacks
“The Heartbleed vulnerability in OpenSSL is one of the most devastating hosted server-side vulnerabilities of all time,” said Michael Mehlberg, vice president of security products management at Microsemi. “Though a patch was quickly released, there is no guarantee server keys will not be compromised through similar vulnerabilities discovered in the future. Microsemi’s WhiteboxSSL product is more than a patch; it is a fundamental solution to the security problems related to generating, storing, and transferring crypto keys through networked systems. With WhiteboxSSL, server keys are substantially better protected against memory attacks.”
WhiteboxSSL provides security for server keys in memory and at rest. Designed for IT administrators who are responsible for maintaining the IT security infrastructure, the white box cryptography key protection techniques enable them to protect the keys generated and managed by servers running the popular OpenSSL software.
WhiteboxSSL replaces vulnerable key libraries found in OpenSSL, and is packaged as a complete OpenSSL implementation or plugin, and is also packaged with MicroSemi’s FPGA technology for embedded designs. It uses typical OpenSSL cryptography algorithms such as AES, ECC, SHA, and RSA; each is uniquely obfuscated to an individual server. That is, every user of WhiteboxSSL has a uniquely constructed key algorithm preventing an attacker from creating a “break-once-run-everywhere” attack.
According to Netcraft, OpenSSL is used on 66% of the active websites on the Internet today, and approximately 17% of those sites were exposed to the Heartbleed bug. A typical server running OpenSSL will generate thousands of keys in its lifetime. These keys are critical to securing the data stored and transferred through that system. Compromising these keys can lead to major breaches in privacy, exposure to sensitive user data, and even loss of company IP. Microsemi’s WhiteboxSSL enhances and complements its field-tested WhiteboxCRYPTO providing the capability to protect OpenSSL-generated keys with complex crypto-algorithm obfuscations and key transformations rendering attempts to capture network keys impractical given the tools available to a network-based attacker.
Despite the complexity introduced for an attacker, installing WhiteboxSSL uses one of two methods: An IT administrator can simply replace an OpenSSL installation with Microsemi WhiteboxSSL, or can add WhiteboxSSL as a plug-in to the key management portion of OpenSSL.
Unlike a classical key generated by OpenSSL, which leads to full data loss when captured, a WhiteboxSSL key can be subjected to as much cryptographic analysis as an attacker attempts. The relationship between a WhiteboxSSL key and a classical key is nontrivial making it impractical to reconstruct the classical key using tools available to a network-based attacker. In short, when using WhiteboxSSL, classical crypto keys can never be found in memory or on disk.
WhiteboxSSL is written in ANSI-C compliant code allowing it to work on nearly any system configuration including Intel-based, ARM-based and PowerPC-based processors running Linux, Solaris, Windows, VxWorks, iOS, Android, and a variety of other operating systems. Importantly, Microsemi WhiteboxSSL is a comprehensive security solution that is easy to install and requires no customization.
Related stories:
Heartbleed challenges the Internet of Thing
Hardened hardware crypto chips resist fierce attacks and viruses
Programmable hardware-based encryption chip secures IoT connected devices
Microsemi aims to secure the Internet of Things
If you enjoyed this article, you will like the following ones: don't miss them by subscribing to :
