Unlucky for you: UK crypto-duo 'crack' HTTPS in Lucky 13 attack

OpenSSL patch to protect against TLS decryption boffinry

Two scientists say they have identified a new weakness in TLS, the encryption system used to safeguard online shopping, banking and privacy. The design flaw, revealed today, could be exploited to snoop on passwords and other sensitive information sent by users to HTTPS websites.

Professor Kenny Paterson from the Information Security Group at Royal Holloway, University of London and PhD student Nadhem Alfardan claim they can crack TLS-encrypted traffic in a man-in-the-middle attack.

According to their study, the weakness revolves around altering messages exchanged between the web server and browser, and noting microsecond differences in the time taken to process them.

These timings effectively leak information about the data being transferred, allowing eavesdroppers to rebuild the original unencrypted information slowly piece by piece.

Specifically, the attacker alters the bytes that the server will interpret as the padding at the end of a CBC-encrypted record, then measures how long the server takes to reject the tampered record. In TLS 1.1 and 1.2 the server is expected to compute the MAC even when the padding turns out to be malformed, and the number of bytes fed into that MAC depends on how the corrupted padding was interpreted. For a carefully sized record, a tampered ending that happens to form valid two-byte padding makes the MAC input one hash block shorter than every other outcome, so the rejection arrives measurably sooner. That difference, observed over many trials, is enough to confirm a guess at the plaintext one byte at a time.

But these timings are hard to measure precisely because of network jitter and other noise, so each guess has to be repeated many times, and every tampered record makes the server tear down the connection. The attacker therefore needs code running on the victim's side, such as malicious JavaScript in the browser, to open connection after connection and make the browser resend the target data (a login cookie, say) so that a slightly altered copy of its ciphertext can be injected each time. This is the same setup as the earlier BEAST (Browser Exploit Against SSL/TLS) attack.
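The record-layer behaviour described above, together with the 13-byte MAC header the bootnote refers to, as an added runnable model. It is not code from the paper, from OpenSSL or from GnuTLS. It assumes a toy four-round Feistel block cipher in place of AES, a constructed session cookie as the target, a four-block record layout, and it counts SHA-1 compression-function calls inside HMAC-SHA1 as a stand-in for the server's processing time (the real attack measures wall-clock latency over many repeated connections, as the text says). The recovery routine uses the BEAST-style setting in which the attacker already knows the byte before the one being recovered.

```python
# Added illustration of the Lucky 13 timing channel; not code from the paper or any TLS library.
# Assumptions: toy Feistel block cipher instead of AES, constructed key and cookie,
# SHA-1 compression-call count instead of measured time.
import hmac
import math
import os

BLOCK, MAC_LEN = 16, 20          # 16-byte cipher blocks, HMAC-SHA1 tags

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# --- toy block cipher (assumption; any invertible 16-byte block cipher would do) ---
def _f(k, i, half):
    return hmac.new(k, bytes([i]) + half, 'sha256').digest()[:8]

def toy_encrypt_block(k, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _f(k, i, r))
    return l + r

def toy_decrypt_block(k, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(k, i, l)), l
    return l + r

def cbc_encrypt(k, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(k, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b''.join(out)

def cbc_decrypt(k, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(xor(toy_decrypt_block(k, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b''.join(out)

# --- the server's MAC-then-encrypt record layer ---
def hmac_sha1_compressions(msg_len):
    """SHA-1 compression calls in HMAC-SHA1: 1 for the ipad block, ceil((n + 9) / 64)
    for the message (0x80 plus 64-bit length), 2 for the outer hash. 55 bytes -> 4, 56 -> 5."""
    return 3 + math.ceil((msg_len + 9) / 64)

def mac_input(seq, data):
    """The 13 'lucky' header bytes: 8-byte sequence number, type, version, length."""
    return seq.to_bytes(8, 'big') + b'\x17\x03\x03' + len(data).to_bytes(2, 'big') + data

def tls_encrypt_record(kenc, kmac, seq, data):
    tag = hmac.new(kmac, mac_input(seq, data), 'sha1').digest()
    padlen = BLOCK - 1 - (len(data) + MAC_LEN) % BLOCK
    pt = data + tag + bytes([padlen]) * (padlen + 1)
    iv = os.urandom(BLOCK)                       # TLS 1.1+ explicit IV
    return iv + cbc_encrypt(kenc, iv, pt)

def tls_decrypt_record(kenc, kmac, seq, record):
    """Returns (accepted, compression_calls); the second value is what the timing leaks."""
    pt = cbc_decrypt(kenc, record[:BLOCK], record[BLOCK:])
    padlen = pt[-1]
    if padlen + 1 + MAC_LEN <= len(pt) and all(b == padlen for b in pt[-(padlen + 1):]):
        body, pad_ok = pt[:-(padlen + 1)], True
    else:                                        # RFC 5246 advice: act as if the pad were empty
        body, pad_ok = pt, False
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    msg = mac_input(seq, data)
    mac_ok = hmac.compare_digest(hmac.new(kmac, msg, 'sha1').digest(), tag)
    return pad_ok and mac_ok, hmac_sha1_compressions(len(msg))

# --- the attack, BEAST-style: byte 14 of the target block is known, byte 15 is recovered ---
def recover_last_byte(oracle, c_prev, c_star, known_byte14):
    """Submit 4-block records ending in (c_prev XOR delta, c_star). The last block decrypts
    to P* XOR delta; only when its final two bytes are 0x01 0x01 does the server MAC
    13 + 42 = 55 bytes (4 compression calls) instead of 56 or 57 bytes (5 calls)."""
    filler = os.urandom(2 * BLOCK)
    for guess in range(256):
        delta = bytearray(BLOCK)
        delta[14] = known_byte14 ^ 0x01          # decrypted byte 14 becomes 0x01
        delta[15] = guess ^ 0x01                 # decrypted byte 15 is 0x01 iff the guess is right
        _, calls = oracle(os.urandom(BLOCK) + filler + xor(c_prev, delta) + c_star)
        if calls == 4:
            return guess
    raise RuntimeError("no timing hit")

def demo():
    kenc, kmac = os.urandom(16), os.urandom(16)
    secret = b"session=" + b"k7Qz9pLm2vXc4wNb8rTy5hGa"    # constructed 32-byte cookie
    record = tls_encrypt_record(kenc, kmac, 7, secret)
    assert tls_decrypt_record(kenc, kmac, 7, record)[0]   # the genuine record verifies
    c1, c2 = record[BLOCK:2 * BLOCK], record[2 * BLOCK:3 * BLOCK]
    oracle = lambda rec: tls_decrypt_record(kenc, kmac, 7, rec)
    recovered = recover_last_byte(oracle, c1, c2, secret[30])
    return recovered, secret[31]

if __name__ == "__main__":
    print("recovered 0x%02x, actual 0x%02x" % demo())
```

Every probe is rejected with the same alert; the only signal is that one of the 256 probes costs the server four compression calls rather than five. Without a known neighbouring byte, the paper's general variant enumerates both trailing bytes (2^16 probes) and then extends to longer padding patterns, and the count-based oracle here stands in for the roughly one-compression-call timing gap that has to be extracted from network noise by repetition. The fix the researchers recommended removes exactly this dependency by making the MAC check cost the same whatever the padding looked like.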

We're told attacks against DTLS - a datagram variant of TLS used by some VPN products - can be carried out within a single session, because DTLS does not tear down the connection when it rejects a bad record.

Speaking to El Reg, Prof Paterson said JavaScript code injected into a web page could implement the new research and decrypt a victim's login cookie in about two hours: "An ordinary cyber-criminal would just use a phishing attack [to get a password] but for a nation state interested in getting an activist's login cookie for Tor, this sort of attack is possible for a determined and well-resourced attacker.

"TLS is not quite as bullet-proof as we thought."

A paper [PDF] titled Lucky Thirteen: Breaking the TLS and DTLS Record Protocols was published on Monday, and states:

The Transport Layer Security (TLS) protocol aims to provide confidentiality and integrity of data in transit across untrusted networks like the Internet. It is widely used to secure web traffic and e-commerce transactions on the Internet. Datagram TLS (DTLS) is a variant of TLS that is growing in importance. We have found new attacks against TLS and DTLS that allow a Man-in-the-Middle attacker to recover plaintext from a TLS/DTLS connection when CBC-mode encryption is used.

The attacks arise from a flaw in the TLS specification rather than as a bug in specific implementations. We have carried out experiments to demonstrate the feasibility of the attacks against the OpenSSL and GnuTLS implementations of TLS, and we have studied the source code of other implementations to determine whether they are likely to be vulnerable.

Professor Paterson said: "While these attacks do not pose a significant threat to ordinary users in their current form, attacks only get better with time. Given TLS's extremely widespread use, it is crucial to tackle this issue now.

"Luckily we have discovered a number of countermeasures that can be used. We have been working with a number of companies and organisations, including OpenSSL, Google and Oracle, to test their systems against attack and put the appropriate defences in place."

The attacks apply to all TLS and DTLS implementations that are compliant with TLS 1.1 or 1.2, or with DTLS 1.0 or 1.2. All TLS and DTLS cipher-suites that include CBC-mode encryption are potentially vulnerable.

Like CRIME (Compression Ratio Info-leak Made Easy) and the earlier BEAST SSL exploit, both developed by security researchers Juliano Rizzo and Thai Duong, the Royal Holloway academics' Lucky Thirteen study threatens a fundamental e-commerce security protocol. The latest attacks "are quite different from BEAST and CRIME" as the university pair explain in an FAQ:

BEAST exploits the inadvisable use of chained IVs in CBC-mode in SSL and TLS 1.0. CRIME cleverly exploits the use of compression in TLS. Our attacks are based on analysing how decryption processing is carried out in TLS. However, our attacks can be enhanced by combining them with BEAST-style techniques.

The computer-science duo tested their attack against OpenSSL and GnuTLS. For OpenSSL, full plaintext recovery of encrypted data is possible. For GnuTLS, partial recovery is possible. The researchers have not studied any closed-source implementations of TLS. The countermeasure they recommend is to make CBC-mode decryption take the same time whatever the padding turns out to be, by always doing the same amount of MAC work; they also list adding random delays to decryption, which only raises the number of samples an attacker needs, and switching to a non-CBC cipher-suite such as RC4 or AES-GCM. RC4 has since been shown to be weak in its own right and is now prohibited for TLS by RFC 7465, so of those two only AES-GCM remains a sound choice.

GnuTLS released a patch on Monday. OpenSSL is working on a fix (it shipped shortly afterwards in OpenSSL 1.0.1d, tracked as CVE-2013-0169, implementing constant-time MAC processing). Other vendors, including web browser developers, may also need to adapt their software in response to the threat. ®

Bootnote

The researchers have a neat explanation for why the attack they have developed is called Lucky Thirteen:

"In Western culture, 13 is considered an unlucky number. However, for our attack, the fact that the TLS MAC calculation includes 13 bytes of header information (5 bytes of TLS header plus 8 bytes of TLS sequence number) is, in part, what makes the attacks possible. So, in the context of our attacks, 13 is lucky - from the attacker's perspective at least. This is what passes for humour amongst cryptographers."
