Researchers devise new attack techniques against SSL

The new 'Lucky Thirteen' attacks can be used to decrypt SSL/TLS and DTLS data if certain conditions are met

By Lucian Constantin, IDG News Service |  Security

DTLS on the other hand does not kill the session if the server fails to decrypt a record because it was altered, making the Lucky Thirteen attacks borderline practical against this protocol, Green said.

"The attacks can only be carried out by a determined attacker who is located close to the machine being attacked and who can generate sufficient sessions for the attacks," AlFardan and Paterson said. "In this sense, the attacks do not pose a significant danger to ordinary users of TLS in their current form. However, it is a truism that attacks only get better with time, and we cannot anticipate what improvements to our attacks, or entirely new attacks, may yet to be discovered."

Ivan Ristic, director of engineering at security firm Qualys, agrees that the Lucky Thirteen attacks are practical for DTLS, but not practical in their current form for TLS. Nevertheless, the research is significant from an academic standpoint, he said Tuesday via email.

Web server administrators have the option of prioritizing a cipher suite that's not affected by these types of attack in their HTTPS implementations. For many, the only choice is RC4, a stream cipher that dates back to 1987.

"There's a wide dislike of RC4 because of its known flaws (none of which apply or applied to SSL/TLS), but we haven't yet seen a working attack against RC4 as used in TLS," Ristic said. "In that sense, even though RC4 is not ideal, it appears to be stronger than the alternatives currently available in TLS 1.0."

TLS 1.2 supports AES-GCM (AES Galois Counter Mode), a more modern cipher suite that's also not vulnerable to these types of attack. However, the overall adoption of TLS 1.2 is currently low.

According to data from SSL Pulse, a project created by Qualys to monitor the quality of SSL/TLS support across the Web, only 11 percent of the Internet's top 177,000 HTTPS websites have support for TLS 1.2.

"I think this discovery will be yet another reason to speed up TLS 1.2 deployment," Ristic said.

This is not the first time people have suggested prioritizing RC4 in TLS to prevent padding oracle attacks. The same thing happened two years ago when the BEAST (Browser Exploit Against SSL/TLS) attack was announced.

"From the most recent SSL Pulse results (January), we know that 66.7% of the servers are vulnerable to the BEAST attack, which means that they do not prioritize RC4," Ristic said. "Of those, a small number will support TLS 1.2 and may prioritize a non-CBC suite supported only in this version of the protocol. However, because so few browsers support TLS 1.2, I think we can estimate that about 66% of the servers will negotiate CBC."

Join us:






Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Ask a Question