Lessons Learned: A Security Analysis of the Internet Chess Club

John Black
University of Colorado at Boulder
USA

Martin Cochran
University of Colorado at Boulder
USA

Ryan Gardner
University of Colorado at Boulder
USA

The Internet Chess Club (ICC) is a popular online chess server with
more than 30,000 members worldwide including various celebrities and
the best chess players in the world. Although the ICC website assures
its users that the security protocol used between client and server
provides sufficient security for sensitive information to be transmitted
(such as credit card numbers), we show this is not true. In particular
we show how a passive adversary can easily read all communications
with a trivial amount of computation, and how an active adversary
can gain virtually unlimited powers over an ICC user. We also show
simple methods for defeating the timestamping mechanism used by ICC.
For each problem we uncover, we suggest repairs and draw conclusions
about how best to avoid repeating these types of problems in the future.

Keywords: Network security, cryptanalysis, security implementation
