15 Mar 2013

New SSL Attack Uncovered; Able to Decrypt Login Cookies


A new type of attack against the Transport Layer Security and Secure Sockets Layer protocols has been demonstrated by security researchers during the 20th International Workshop on Fast Software Encryption.

The flaw is possible – in theory – because of a weakness in the RC4 algorithm that is widely used in SSL/TLS certificates, as well as in other systems such as WEP (Wired Equivalent Privacy), WPA (Wi-Fi Protected Access), TKIP (Temporal Key Integrity Protocol), and the Microsoft Xbox.

RC4 is a symmetric stream cipher that accepts a key of arbitrary length and produces its keystream with a pseudo-random number generator. Since a computer cannot produce true randomness, the key determines the generator's initial state, so the same key always yields the same keystream.

The attack envisioned by Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt relies on “statistical flaws in the keystream generated by the RC4 algorithm which become apparent in TLS ciphertexts when the same plaintext is repeatedly encrypted at a fixed location across many TLS sessions.”

To successfully decrypt traffic, attackers need to observe tens of millions of different encryptions of the same message, but the researchers are confident they can automate the process by repeatedly renegotiating the connection with the server, which would send the same data (such as a login cookie) encrypted with a different key each time.
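To see what "statistical flaws in the keystream" means in practice, the following Python script (an added illustration, not code from the article or from the researchers' paper) implements RC4 and measures the best-known single-byte bias: across many sessions with fresh random keys, the second keystream byte is zero roughly twice as often as a uniform byte would be. The 16-byte random keys and the fixed PRNG seed are assumptions made so the measurement is reproducible; the researchers' attack generalises this idea to biases at every one of the first 256 positions.

```python
"""Measure the classic single-byte bias in RC4 keystream output (second byte == 0)."""
import random


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return the first `length` keystream bytes RC4 produces for `key`."""
    # Key-scheduling algorithm (KSA): derive the permutation S from the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): emit keystream bytes.
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    """RC4 encryption is plaintext XOR keystream; decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(data, rc4_keystream(key, len(data))))


def keystream_byte_distribution(position: int, samples: int, seed: int = 1) -> list:
    """Count how often each value 0..255 appears at keystream byte `position`
    (1-based) over `samples` independent 16-byte random keys. Keys come from a
    seeded PRNG (constructed input) so the measurement is repeatable."""
    rng = random.Random(seed)
    counts = [0] * 256
    for _ in range(samples):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        counts[rc4_keystream(key, position)[position - 1]] += 1
    return counts


def bias_ratio(position: int, value: int, samples: int, seed: int = 1) -> float:
    """Observed frequency of `value` at `position` divided by the uniform 1/256.
    A ratio near 1.0 means no visible bias; near 2.0 means twice as likely."""
    counts = keystream_byte_distribution(position, samples, seed)
    return counts[value] / (samples / 256)


if __name__ == "__main__":
    print(f"Z2 == 0 ratio: {bias_ratio(2, 0, 30000):.2f}")   # about 2.0
    print(f"Z16 == 0 ratio: {bias_ratio(16, 0, 30000):.2f}")  # about 1.0
```

Because every TLS session starts the keystream from byte 1, a value that sits at a fixed offset in every session (such as a cookie) is XORed with these biased bytes again and again, which is exactly what lets the bias show through in the ciphertexts.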

The attack is strictly a partial proof of concept. Even though it has not been rendered functional yet, this theoretical approach is another nail in the coffin for TLS, a protocol that has been shaken in the past month by other attacks, such as BEAST, CRIME, and Lucky 13.