Creating cryptographic agility with alternatives to OpenSSL

Emergency Response

Article from Issue 164/2014
Author(s):

When dangerous security flaws are discovered, being able to switch to alternative software can be crucial.

If you haven't heard by now, a recent kerfuffle was caused by an information leak in OpenSSL that could result in private keys being disclosed to a remote attacker. The majority of vendors got OpenSSL [1] updates out within a few hours of the issue going public, and many sites rolled out the updates not too long afterward. However, cryptographically agile sites willing to invest some time and effort in advance could swap cryptographic protocols and software suites within minutes or even seconds.

What exactly is cryptographic agility? Simply put, the idea is that you have a plan B ready to go in case plan A fails. For example, most SSL/TLS software suites support more than one algorithm for hashing, encryption, and so on. If a flaw is found in one (e.g., RC4), you can switch to another (e.g., AES).

However, the software suites themselves have problems. OpenSSL, GnuTLS, PolarSSL, and the like all have their share of CVEs for various security flaws. So, for example, if you use the Apache HTTPD web server, you can use mod_openssl and have mod_gnutls ready to switch to in case a flaw is found in mod_ssl or OpenSSL itself.

[...]

Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Download Article PDF now with Express Checkout
Price $2.95
(incl. VAT)

Buy Linux Magazine

SINGLE ISSUES
Print Issues
Digital Issues
SUBSCRIPTIONS
Print Subscriptions
Digital Subscriptions

Related content

  • GnuTLS Removes Questionable Extension

    Version 2.0.2 of the GnuTLS security library does without the TLS authorization extension due to threats of patent claims.

    more »
  • Server Name Indication

    Server Name Indication lets you operate more than one SSL-protected service per IP address.

    more »
  • Charly's Column – H2O

    H2O is a web server that has been in development for some time but seems to be a baby compared with the long-serving Apache. Columnist Charly sets out to discover what the "new kid" is capable of.

    more »
  • DTLS – Encryption for UDP

    TLS encryption is wonderful if it is running over a reliable transport protocol like TCP; but if your needs call for the less reliable UDP transport, you'd better start learning about DTLS.

    more »
  • GnuTLS Version 2.0.0 Released

    Version 2.0.0 of the GnuTLS security database improves access to X.509 certificates and adds RSA with SHA-256/384/512 certificates to the crop of supported crypto approaches.

    more »
comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More

News

Tag Cloud

Administration Community Desktop Events Hardware Linux Mobile Programming Security Software Ubuntu Web Development Windows free software open source