According to the two researchers, the latest vulnerability in the Transport Layer Security (TLS) protocol will not cause problems immediately, but it leaves room for similar attacks to be improved in the future. It is also the latest issue to affect the Internet's client-server security mechanism.
Professor Kenneth Paterson, co-author of a recently published paper on a TLS attack, said in a telephone interview: "Over the years, I have always been keen on the practical application of encryption technology. In this environment, TLS is our biggest research goal." He said he has been studying other communication protocols for several years, looking at how message contents can be learned from the sequences of messages these protocols exchange. The paper, named Lucky 13, breaks the TLS and DTLS record protocols. It was written jointly by Paterson and his doctoral student Nadhem AlFardan, both of the Information Security Group at Royal Holloway, University of London.
Paterson pointed out that, in the case of TLS, the attacker sits between a client and a server that are using the TLS protocol, and "What the attacker does is intercept packets and then tamper with them in a mysterious way." The packets sent to the server have a special layout, with a header field of 13 bytes, which is why the attack is named "Lucky 13". The professor pointed out that the attacker "will then send these packets to the server for decryption. Because TLS has an integrity protection mechanism, an error will occur during server decryption."
"The server is very obedient. It will certainly send an error message to the client." What happens next is what matters: "In fact, the time required to generate an error message varies according to the decryption process. We modified the data packet, and the modification process would take a certain amount of server processing time, and then the plaintext will be leaked during this time difference."
According to Paterson, the time difference is measured in milliseconds, and its size depends on the hardware used by the server. The measurement is also affected by another factor: the packets carrying these error messages must themselves travel over the network, so they are subject to latency and jitter from sources such as network routing.
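The time difference Paterson describes comes from how much hashing the server does before it rejects a tampered record. The following is an added example, not code from the paper or from the original article, that counts that work for different padding patterns; the CBC cipher suite with HMAC-SHA1, the 64-byte decrypted record and all function names are assumptions made for illustration.

```python
# Added illustration: counts SHA-1 compression-function calls a server makes
# while MAC-checking a decrypted CBC record, depending on the padding it sees.
HEADER_LEN = 13   # 8-byte sequence number + 5-byte record header (the "13")
MAC_LEN = 20      # HMAC-SHA1 tag size (assumed cipher suite)
BLOCK = 64        # SHA-1 compression block size

def sha1_blocks(n_bytes):
    """Blocks hashed for n_bytes of input: data + 0x80 byte + 8-byte length."""
    return (n_bytes + 1 + 8 + BLOCK - 1) // BLOCK

def hmac_sha1_compressions(msg_len):
    inner = sha1_blocks(BLOCK + msg_len)   # (key ^ ipad) || message
    outer = sha1_blocks(BLOCK + MAC_LEN)   # (key ^ opad) || inner digest
    return inner + outer

def payload_len(plaintext):
    """Payload length the receiver derives from the trailing padding bytes."""
    pad = plaintext[-1]
    body = len(plaintext) - MAC_LEN
    valid = pad + 1 <= body and all(b == pad for b in plaintext[-(pad + 1):])
    # Invalid padding is treated as zero-length padding so a MAC is still run.
    return body - (pad + 1) if valid else body

def mac_work(plaintext):
    """Compression calls when the MAC covers header + derived payload."""
    return hmac_sha1_compressions(HEADER_LEN + payload_len(plaintext))

def mac_work_uniform(plaintext):
    """Mitigation sketch: always do the work of the longest possible payload."""
    return hmac_sha1_compressions(HEADER_LEN + len(plaintext) - MAC_LEN)

# Constructed 64-byte decrypted records (sample data, not captured traffic).
SAMPLES = {
    "valid 2-byte padding": bytes(62) + b"\x01\x01",
    "valid 1-byte padding": bytes(64),
    "invalid padding":      bytes(62) + b"\x07\x05",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(f"{name:22} naive={mac_work(record)} uniform={mac_work_uniform(record)}")
```

With the 13-byte header, only the record ending in two valid padding bytes fits the MAC input into one fewer hash block, so the server does slightly less work before sending its error; the uniform variant removes that dependence on padding.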
The best scenario for measuring the time difference precisely is one in which the attacker and the server are on the same network. Paterson pointed out that this is not a typical situation, but it is also possible that the attacker is actually an ISP, and you are actually the target ISP.
In general, however, the authors of the paper indicate that this would not be the first choice of attack for any smart attacker. First, the farther the attacker is from the server in the network topology, the harder the time difference is to measure. And even when the attacker is nearby, recovering each byte requires many timing samples.
All of these samples mean that many TLS sessions have to be initiated. This causes a lot of "noise", which can easily expose the attacker (and, even leaving the attacker's exposure aside, most commercial servers will not in practice open that many abnormal sessions for the same IP address).
Although this version of the Lucky 13 attack may not be common in practice, the Lucky 13 team pointed out that they do not know how many improved versions of the attack may follow, or whether those improved versions will be more reliable.
What are the possible improvements? The first is to reduce the number of sessions required to crack the underlying encryption. Paterson pointed out some methods that can effectively reduce the number of sessions: "If you want to get some content, for example, if you want to parse the first few bytes of the Cookie header, knowing the standard Cookie format, the number of samples required can be reduced from 2^23 to 2^19." "Then, there is another way: if attackers still know one of the last two bytes in the block, the number of samples required can be reduced from 2^19 to 2^13," he said.
This is still noisy, but the attack is significantly faster. In the test environment used in the paper, it recovered 1 byte of plaintext in 15 minutes. If Paterson wanted to launch an attack, this method would not be his first choice (he would choose to send a phishing email), but it is another issue in the security of TLS and its predecessor, SSL. For example, a processing flaw in SSL has been used to remotely wipe the memory of Android and iOS mobile devices. The JavaScript attack tool BEAST has also been used to attack browsers' SSL sessions, and digital certificate problems, which subvert the trust underlying the SSL protocol, frequently undermine the most widely used security mechanism on the Internet. There are many examples of TLS/SSL attacks, and the Lucky 13 attack described in this article is only one of them.