Feeds

HTTPS cookie crypto CRUMBLES AGAIN in hands of stats boffins

Keep calm and carry on ciphering with RC4 - for now

Choosing a cloud hosting partner with confidence

Fresh cryptographic weaknesses have been found in the technology used by Google and other internet giants to encrypt online shopping, banking and web browsing.

The attack, developed by security researchers at Royal Holloway, University of London and University of Illinois at Chicago, targets weaknesses in the ageing but popular RC4 stream cipher. RC4 is quick and simple, and is used in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols of HTTPS to protect sensitive web traffic from prying eyes.

But data encrypted by the algorithm can be carefully analysed to silently extract the original information, such as an authentication cookie used to log into a victim's Gmail account. Cracking the encryption on a punter's web traffic is difficult to pull off, though, for the moment.

The boffins explained:

We have found a new attack against TLS that allows an attacker to recover a limited amount of plaintext from a TLS connection when RC4 encryption is used. The attacks arise from statistical flaws in the keystream generated by the RC4 algorithm which become apparent in TLS cyphertexts when the same plaintext is repeatedly encrypted at a fixed location across many TLS sessions.

An attack using the researchers' findings could work like this: a victim opens a web page containing malicious JavaScript code that tries to log into Google Gmail on behalf of the user via HTTPS; doing so sends the victim's RC4-encrypted authentication cookie (created the last time the punter logged in) using a new session key. Someone eavesdropping on the network then records the encrypted data sent and the JavaScript terminates the connection; it repeats this continually, forcing new keys to be used each time, and thus allows someone snooping on the connections to build up a treasure trove of encoded messages.

Ideally, this data should appear to be random, but RC4 suffers from statistical biases that will reveal parts of the encrypted sensitive information over time - provided the attacker can gather millions of samples to process. In this way, it is similar to the earlier BEAST attack on SSL connections.

The Royal Holloway and Chicago team argue that the most effective countermeasure against the attack is to stop using RC4 in TLS.

"There are other, less-effective countermeasures against our attacks and we are working with a number of TLS software developers to prepare patches and security advisories," the computer scientists revealed in an advisory on their research.

RC4 is used by many websites to provide HTTPS encryption - including Google

Dan Bernstein, one of the researchers, unveiled the attack at the Fast Software Encryption conference in Singapore this week.

"Unfortunately, if your connection is encrypted using RC4, as is the case with Gmail, then each time you make a fresh connection to the Gmail site, you're sending a new encrypted copy of the same cookie," explained Matthew Green, a cryptographer and research professor at Johns Hopkins University in Maryland, US.

"If the session is renegotiated (ie, uses a different key) between those connections, then the attacker can build up the list of ciphertexts he needs.

"To make this happen quickly, an attacker can send you a piece of JavaScript that your browser will run - possibly on a non-HTTPS tab. This JavaScript can then send many HTTPS requests to Google, ensuring that an eavesdropper will quickly build up thousands, or millions, of requests to analyse."

Other security experts say there's no need to panic.

"It's not a very practical attack in general, requiring at least 16,777,216 captured sessions, but as mentioned, attacks will only improve in time," said Arnold Yau, lead developer at mobile security firm Hoverkey. "I think it'd be wise for TLS deployments to migrate away from RC4 as advised."

RC4 was invented by Ron Rivest in 1987. Various attacks have been developed against RC4, which is used in Wi-Fi WEP protection, but the technology is still widely used. About 50 per cent of all TLS traffic is protected using RC4; its use is, if anything, growing after Cipher-block Chaining (CBC), a mode of encryption used by TLS, was broken by experts.

TLS in CBC-mode was cracked by the BEAST and Lucky 13 techniques, which use so-called padding oracle attacks to defeat HTTPS encryption. Cryptographers at Royal Holloway, University of London developed the Lucky 13 breakthrough; BEAST was unleashed by Juliano Rizzo and Thai Duong - who also designed the CRIME attack on HTTPS that exploits the use of data compression in TLS rather than abusing ciphers.

Separately, another team of crypto-researchers took the wraps off a refinement of the CRIME attack: the TIME (Timing Info-leak Made Easy) technique could be used to decrypt browser cookies to hijack online accounts in the process. Tal Be'ery and Amichai Shulman of Imperva unveiled their research at the Black Hat conference in Amsterdam, the Netherlands. ®

Beginner's guide to SSL certificates

More from The Register

next story
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
China is ALREADY spying on Apple iCloud users, watchdog claims
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.