FREAK Attack
What is FREAK Attack?
FREAK Attack: A 2015 TLS attack (CVE-2015-0204) that downgrades RSA key exchange to 512-bit export-grade keys and factors them to decrypt sessions.
FREAK (Factoring RSA Export Keys) was disclosed in March 2015 by Beurdouche, Bhargavan, Delignat-Lavaud and others, with the main vulnerability tracked as CVE-2015-0204. A man-in-the-middle (MITM) rewrites the TLS handshake to ask for RSA_EXPORT, and a vulnerable server happily signs a fresh 512-bit RSA modulus. Many implementations cached and reused this short key, and 512-bit moduli could be factored in hours on cloud resources, letting the attacker recover the premaster secret and decrypt the session. FREAK revealed how long-dead 1990s export controls survived in OpenSSL, Secure Transport, and SChannel. Fixes: remove export ciphersuites, never reuse ephemeral RSA keys, and migrate to TLS 1.2/1.3 with ECDHE.
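A client-side check for the condition described above, as an added example (not code from OpenSSL, Secure Transport or SChannel): it reads the RSA modulus out of a ServerKeyExchange body and flags a handshake that negotiates RSA_EXPORT or delivers a short temporary RSA key. The suite IDs are the RFC 2246 RSA_EXPORT values; `temp_rsa_bits`, `check_handshake`, the 2048-bit floor and the sample bytes are assumptions constructed for illustration.

```python
import struct
from typing import List, Optional

# RSA_EXPORT suites from RFC 2246 (TLS 1.0): 40-bit ciphers, RSA key exchange capped at 512 bits.
RSA_EXPORT = {0x0003, 0x0006, 0x0008}
# A few non-export static-RSA suites; for these the server must NOT send ServerKeyExchange.
STATIC_RSA = {0x002F, 0x0035, 0x009C, 0x009D}
MIN_RSA_BITS = 2048  # local policy floor (assumption), not a protocol constant


def temp_rsa_bits(ske_body: bytes) -> int:
    """Bit length of rsa_modulus in ServerRSAParams (start of an RSA ServerKeyExchange body)."""
    if len(ske_body) < 2:
        raise ValueError("truncated ServerKeyExchange")
    (mod_len,) = struct.unpack_from("!H", ske_body, 0)
    modulus = ske_body[2:2 + mod_len]
    if mod_len == 0 or len(modulus) != mod_len:
        raise ValueError("bad rsa_modulus length")
    return int.from_bytes(modulus, "big").bit_length()


def check_handshake(offered: List[int], selected: int, ske_body: Optional[bytes]) -> List[str]:
    """Return reasons a client should abort; an empty list means no FREAK indicator."""
    reasons = []
    if selected not in offered:
        reasons.append("server selected a suite the client never offered")
    if selected in RSA_EXPORT:
        reasons.append("RSA_EXPORT suite negotiated")
    if ske_body is not None:
        if selected in STATIC_RSA:
            # State-machine check: a static-RSA handshake has no ServerKeyExchange at all.
            reasons.append("unexpected ServerKeyExchange for static RSA suite")
        if selected in STATIC_RSA | RSA_EXPORT:
            bits = temp_rsa_bits(ske_body)
            if bits < MIN_RSA_BITS:
                reasons.append(f"temporary RSA key is only {bits} bits")
    return reasons


# Constructed sample: 512-bit modulus of filler bytes (not a real key), exponent 65537.
SAMPLE_SKE = struct.pack("!H", 64) + b"\xc3" + b"\x5a" * 63 + struct.pack("!H", 3) + b"\x01\x00\x01"
CLIENT_OFFER = [0xC02F, 0x009C, 0x002F]  # constructed offer: ECDHE first, no export suites

if __name__ == "__main__":
    # A static-RSA handshake that arrives with a 512-bit temporary key: the condition FREAK relies on.
    for reason in check_handshake(CLIENT_OFFER, 0x002F, SAMPLE_SKE):
        print("ABORT:", reason)
    print(check_handshake(CLIENT_OFFER, 0x002F, None))  # ordinary static RSA, no temporary key
```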
● Examples
- 01: Decrypting an iOS Safari connection to a banking site by forcing RSA_EXPORT and factoring the 512-bit modulus.
- 02: Exploiting Apache mod_ssl servers that reused export RSA keys across many sessions.
● Frequently asked questions
What is FREAK Attack?
A 2015 TLS attack (CVE-2015-0204) that downgrades RSA key exchange to 512-bit export-grade keys and factors them to decrypt sessions. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against FREAK Attack?
Remove export ciphersuites, never reuse ephemeral RSA keys, and migrate to TLS 1.2/1.3 with ECDHE, as listed in the definition above.
What are other names for FREAK Attack?
Common alternative names include: FREAK, Factoring RSA Export Keys.
● Related terms
- Logjam (attacks, № 631): A 2015 TLS attack that downgrades Diffie-Hellman key exchange to weak 512-bit export-grade primes and uses precomputation to break them.
- SSL/TLS Downgrade Attack (attacks, № 1093): An active man-in-the-middle attack that forces a client and server to negotiate a weaker protocol version, cipher, or key size to enable further compromise.
- TLS (Transport Layer Security) (network-security, № 1159): The IETF-standardized cryptographic protocol that provides confidentiality, integrity, and authentication for traffic between two networked applications.
- ROBOT Attack (attacks, № 941): A 2017 resurrection of Bleichenbacher's 1998 RSA PKCS#1 v1.5 padding oracle on TLS servers, enabling session decryption or impersonation.