Function: nsm-protocol-check--rsa-kx

nsm-protocol-check--rsa-kx is a byte-compiled function defined in nsm.el.gz.

Signature

(nsm-protocol-check--rsa-kx HOST PORT STATUS &optional SETTINGS)

Documentation

Check for static RSA key exchange.

Static RSA key exchange methods do not offer perfect forward secrecy, so the security of a TLS session is only as strong as the server's private key. Because TLS uses the RSA key exchange to create the session key (the key negotiated between client and server to encrypt traffic), an attacker who obtains the server's private key can decrypt every recorded past TLS session, as opposed to just one session when the key exchange was conducted via a method that offers perfect forward secrecy, such as ephemeral Diffie-Hellman key exchange[1].

There is a long history of attacks against static RSA key exchange in TLS, dating back to Bleichenbacher's attack in 1998, and mitigations that have subsequently themselves been broken. In 2017, it was discovered that an attacker can decrypt ciphertexts or sign messages with the server's private key[2]. The poor security of this key exchange protocol was confirmed by new attacks discovered in 2018[3]. RSA key exchange has been removed in TLS 1.3 (RFC 8446)[4].

Reference:

[1]: Sheffer, Holz, Saint-Andre (May 2015). "Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)", Section 4.1 "General Guidelines". https://tools.ietf.org/html/rfc7525#section-4.1
[2]: Böck, Somorovsky, Young (August 2018). "Return Of Bleichenbacher's Oracle Threat (ROBOT)". https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-bock.pdf
[3]: Ronen, Gillham, Genkin, Shamir, Wong, and Yarom (2018). "The 9 Lives of Bleichenbacher's CAT: New Cache ATtacks on TLS Implementations". https://eprint.iacr.org/2018/1173.pdf
[4]: Rescorla (2018). "The Transport Layer Security (TLS) Protocol Version 1.3". https://tools.ietf.org/html/rfc8446

Source Code

;; Defined in /usr/src/emacs/lisp/net/nsm.el.gz
;; Key exchange checks

(defun nsm-protocol-check--rsa-kx (_host _port status &optional _settings)
  "Check for static RSA key exchange.

Static RSA key exchange methods do not offer perfect forward
secrecy, therefore, the security of a TLS session is only as
secure as the server's private key.  Due to TLS' use of RSA key
exchange to create a session key (the key negotiated between the
client and the server to encrypt traffic), if the server's
private key had been compromised, the attacker will be able to
decrypt any past TLS session recorded, as opposed to just one TLS
session if the key exchange was conducted via a key exchange
method that offers perfect forward secrecy, such as ephemeral
Diffie-Hellman key exchange[1].

There is a long history of attacks against static RSA key exchange in
TLS, dating back to Bleichenbacher's attack in 1998, and mitigation
that has subsequently itself been broken.  In 2017, it was
discovered that an attacker can decrypt ciphertexts or sign messages
with the server's private key[2].  The poor security of this key
exchange protocol was confirmed by new attacks discovered in 2018[3].
RSA key exchange has been removed in TLS 1.3 (RFC 8446)[4].

Reference:

[1]: Sheffer, Holz, Saint-Andre (May 2015).  \"Recommendations for
Secure Use of Transport Layer Security (TLS) and Datagram Transport
Layer Security (DTLS)\", \"(4.1.  General Guidelines)\"
`https://tools.ietf.org/html/rfc7525#section-4.1'
[2]: Böck, Somorovsky, Young (August 2018).  \"Return Of
Bleichenbacher’s Oracle Threat (ROBOT)\",
`https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-bock.pdf'
[3]: Ronen, Gillham, Genkin, Shamir, Wong, and Yarom (2018).  \"The 9
Lives of Bleichenbacher’s CAT: New Cache ATtacks on TLS
Implementations.\", `https://eprint.iacr.org/2018/1173.pdf'
[4]: Rescorla (2018).  \"The Transport Layer Security (TLS) Protocol
Version 1.3\", `https://tools.ietf.org/html/rfc8446'"
  (let ((kx (plist-get status :key-exchange)))
    ;; STATUS is the plist returned by `gnutls-peer-status'.  Flag only a
    ;; key-exchange name that begins with the word "RSA" (plain static RSA
    ;; and its variants).  Names such as "ECDHE-RSA" or "DHE-RSA" do not
    ;; match: there RSA only authenticates the server, while the session
    ;; key itself is negotiated ephemerally.
    (and (string-match "^\\bRSA\\b" kx)
         (format-message
          "RSA key exchange method (%s) does not offer perfect forward secrecy"
          kx))))
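The following ERT tests are an added example, not code from nsm.el or from Emacs, exercising the check above against constructed STATUS plists. The key-exchange strings are sample values built here (in real use the plist comes from `gnutls-peer-status'); the file name in the run command is an assumption, and HOST and PORT are dummy values because this check ignores them.

```elisp
;;; rsa-kx-example.el --- exercise nsm-protocol-check--rsa-kx (added example)
;;; Run with:
;;;   emacs --batch -l nsm -l rsa-kx-example.el -f ert-run-tests-batch-and-exit

(require 'nsm)   ; provides nsm-protocol-check--rsa-kx
(require 'ert)

(defun rsa-kx-example-verdict (kx)
  "Return the NSM warning for key-exchange string KX, or nil if it passes.
The STATUS plist is constructed here; in real use it comes from
`gnutls-peer-status'.  HOST and PORT are dummies: the check ignores them."
  (nsm-protocol-check--rsa-kx "example.test" 443 (list :key-exchange kx)))

(ert-deftest rsa-kx-example-static-rsa-is-flagged ()
  "Plain static RSA key exchange produces the warning string."
  (should (equal (rsa-kx-example-verdict "RSA")
                 "RSA key exchange method (RSA) does not offer perfect forward secrecy")))

(ert-deftest rsa-kx-example-rsa-variants-are-flagged ()
  "The regexp anchors on a leading RSA word, so RSA-* variants match too."
  (should (rsa-kx-example-verdict "RSA-EXPORT"))
  (should (rsa-kx-example-verdict "RSA-PSK")))

(ert-deftest rsa-kx-example-ephemeral-with-rsa-auth-passes ()
  "(EC)DHE suites authenticate with RSA but exchange keys ephemerally;
RSA is not the leading word, so the check does not fire."
  (should-not (rsa-kx-example-verdict "ECDHE-RSA"))
  (should-not (rsa-kx-example-verdict "DHE-RSA"))
  (should-not (rsa-kx-example-verdict "ECDHE-ECDSA")))
```

The third test is the one worth keeping in mind when reading the regexp: a suite named `ECDHE-RSA` still contains "RSA", but it is the forward-secret case the docstring recommends, and the `^` anchor is what keeps it from being reported.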