Lucky 13 – a new attack against SSL/TLS

But there is a flaw in the design of the protocol, Ivan Ristic, director of application security research at Qualys and a key figure behind SSL Labs told Infosecurity. “The flaw is not critical, but it’s not entirely safe – and it’s been haunting SSL ever since about 2002. Exploiting this flaw is very difficult, but every now and then researchers find new and better ways to make use of it.”

The latest has just been revealed. Called ‘Lucky 13’ after the 13-byte headers in the TLS MAC calculations, the process will theoretically allow man-in-the-middle attacks against SSL-protected communications. It was revealed in a technical paper published this week by Nadhem J. AlFardan and Kenneth G. Paterson of Royal Holloway, London University. “We reiterate that the attacks are ciphertext only, and so can be carried out by the standard MITM attacker, without a chosen-plaintext capability.” Importantly, the weakness is in SSL/TLS itself, and not in any particular implementation.

Paul Ducklin explains the process in everyday language. “Now imagine that you're a MiTM, or a man-in-the-middle. You can't decrypt and re-encrypt the packets as they fly past, but you can intercept them, shorten them, alter them subtly, and pass on the modified versions.” The result may just leak information from the broken session. “That won't immediately give you the crown jewels, but if you can extract anything from the enciphered data stream, you've violated the cryptographic sanctity that TLS is supposed to provide.”

The reality, however, is that this is a theoretical rather than practical attack. Firstly the researchers notified various browser and library vendors before publication, and noticeably an OpenSSL advisory and patch is already available. 

Secondly, Ristic told Infosecurity, “the bottom line is that to carry out this attack the attacker needs a very controlled environment and a very long amount of time. Basically, we’re talking about the need for two servers more or less next to one another so that you have access to at least half a million requests, which is effectively impractical. This will take days. It’s a theoretical attack rather than a practical threat.”

But, he continued, “it is important research. Knowing that you can break the protocol, even in a very controlled environment, can only lead to improved security.” He expects to see new patches from different vendors over the next few days, but notes that Microsoft’s IE users are not vulnerable. Furthermore, he added, “those people controlling the TLS protocol are a bit fed up with all of these attacks because of the original design weakness, and there are already discussions on how to improve the basic protocol.”

What’s hot on Infosecurity Magazine?