°øÁö»çÇ×

Á¦¸ñ OpenSSL ´ÙÁß Ãë¾àÁ¡ º¸¾È¾÷µ¥ÀÌÆ® ±Ç°í
ÀÛ¼ºÀÏ 2014-10-23

 

°³¿ä

  • OpenSSL¿¡¼­ ¹ß»ýÇÑ ¸Þ¸ð¸® °í°¥ Ãë¾àÁ¡, Ǫµé(Poodle, Padding Oracle On Downloaded Legacy Encryption) Ãë¾àÁ¡ µî ÃÑ 4°³ÀÇ Ãë¾àÁ¡À» º¸¿ÏÇÑ º¸¾È¾÷µ¥ÀÌÆ®¸¦ ¹ßÇ¥ÇÔ[1]

¼³¸í

  • DTLS SRTP Çڵ彦ÀÌÅ© ¸Þ½ÃÁö¸¦ ó¸®ÇÏ´Â Áß ¹ß»ýÇÏ´Â ¸Þ¸ð¸® °í°¥ Ãë¾àÁ¡ (CVE-2014-3513)
  • SSL/TLS/DTLS ¼­¹ö¿¡¼­ session ticket °ªÀ» ¹ÞÀ» ¶§ ¹ß»ýÇÏ´Â ¸Þ¸ð¸® °í°¥ Ãë¾àÁ¡ (CVE-2014-3567)
  • SSL3.0¿¡¼­ ´Ù¿î ±×·¹À̵带 ÅëÇØ MITM(man-in-the-middle)°ø°ÝÀ» °¡´ÉÇÏ°Ô Çϴ Ǫµé(Poodle, Padding Oracle On Downloaded Legacy Encryption) Ãë¾àÁ¡ (CVE-2014-3566)
  • OpenSSL build optionÀÎ no-ssl3¿¡¼­ ¹ß»ýÇÑ Ãë¾àÁ¡ (CVE-2014-3568)

ÇØ´ç ½Ã½ºÅÛ

  • ¿µÇâ ¹Þ´Â Á¦Ç° ¹× ¹öÀü
    • OpenSSL 0.9.8 ´ë ¹öÀü
    • OpenSSL 1.0.0 ´ë ¹öÀü
    • OpenSSL 1.0.1 ´ë ¹öÀü

ÇØ°á ¹æ¾È

  • ÇØ´ç Ãë¾àÁ¡¿¡ ¿µÇâ ¹Þ´Â ¹öÀüÀÇ »ç¿ëÀÚ´Â ¾Æ·¡ ¹öÀüÀ¸·Î ¾÷µ¥ÀÌÆ®[2]
    • OpenSSL 0.9.8 »ç¿ëÀÚ : 0.9.8zc·Î ¾÷µ¥ÀÌÆ®
    • OpenSSL 1.0.0 »ç¿ëÀÚ : 1.0.0o·Î ¾÷µ¥ÀÌÆ®
    • OpenSSL 1.0.1 »ç¿ëÀÚ : 1.0.1j·Î ¾÷µ¥ÀÌÆ®

¿ë¾î ¼³¸í

  • DTLS(Datagram Transport Layer Security) : µ¥ÀÌÅÍ ±×·¥ Àü¼Û°èÃþÀ» º¸È£Çϱâ À§ÇÑ UDP ±â¹Ý TLS ÇÁ·ÎÅäÄÝ
  • SRTP(Secure Real-time Transport Protocol) : ½Ç½Ã°£À¸·Î Àü¼ÛµÇ´Â ¸ÖƼ¹Ìµð¾î µ¥ÀÌÅ͸¦ ¾ÏȣȭÇÏ¿© ¼Û¼ö½ÅÇÏ´Â ÇÁ·ÎÅäÄÝ

 

 

[Âü°í»çÀÌÆ®]
[1] https://www.openssl.org/news/secadv_20141015.txt
[2] https://www.openssl.org/

 

¡ã ÀÌÀü±Û Freak Attack Ãë¾àÁ¡ ÁÖÀÇ
¡å ´ÙÀ½±Û SHA-1 ¾Ë°í¸®Áò¿¡ Á¦±âµÇ´Â º¸¾ÈÀ§Çè °¡´É¼º¿¡ ´ëÀÀ ¹æ¾È °øÁö.