Software developers are racing to patch a recently discovered vulnerability that enables attackers to recover plaintext authentication cookies and other encrypted data as it travels over the Internet and other unsecured networks.

The discovery is significant because in many cases it lets attackers completely undermine the protection provided by the Secure Sockets Layer and Transport Layer Security protocols. Together with SSL, TLS and its close relative Datagram Transport Layer Security (DTLS) are the only cryptographic means websites have to prove their authenticity and to encrypt data as it travels between web servers and end users. The so-called “Lucky Thirteen” attacks, devised by computer scientists to exploit the weaknesses, work against nearly all open-source TLS implementations and possibly against implementations supported by Apple and Cisco Systems as well. (Microsoft told the researchers that its software is not susceptible.)

The attacks are extremely complicated, so average end users are far more likely to be targeted with phishing e-mails or with fraudulently issued digital certificates that defeat the protection of web encryption. Nevertheless, the cryptographers' successful exploits, including complete plaintext recovery of data protected by the widely used OpenSSL implementation, have clearly caught the attention of the developers who maintain such programs. Opera and PolarSSL have already been patched to plug the hole, and developers are expected to release updates for OpenSSL, NSS and CyaSSL shortly.

“The attacks can only be carried out by a determined attacker who is situated near the attacked machine and can create enough sessions to attack,” wrote the researchers Nadhem J. AlFardan and Kenneth G. Paterson in a web post accompanying their research. “In this respect, the attacks do not pose a significant risk in their current form to ordinary users of TLS. But it is a truism that attacks only improve over time. We cannot foresee what improvements to our attacks, or totally new attacks, may be found.”

How does it work?

Lucky Thirteen exploits a padding oracle in the TLS cryptographic routine that encrypts data and ensures its integrity. TLS uses a MAC-Encode-Encrypt (MEE) routine: it runs the data through a MAC (Message Authentication Code) algorithm, then encodes it and encrypts it in 16-byte blocks. The routine adds “padding” bytes so that the result aligns neatly with the 8- or 16-byte block size; when TLS decrypts the ciphertext, the padding is removed again.

The attacks begin by capturing the ciphertext on the Internet. Using a long-known weakness in TLS's CBC, or cipher block chaining, mode, attackers replace the last few blocks with blocks of their own choosing and observe how long the server takes to respond. TLS messages containing correct padding take less time to process. A mechanism in TLS causes the session to fail each time a TLS message containing manipulated data is received, which forces attackers to send their malformed messages in a new session after every failure. By sending large numbers of TLS messages and statistically sampling the server's response time for each, the scientists could eventually correctly guess the contents of the ciphertext.
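To make the MAC-Encode-Encrypt check and its timing leak concrete, here is an added example that is not code from the researchers, from Ars Technica, or from any TLS library. It models the receiver side of a TLS CBC record after CBC decryption (the CBC layer itself is omitted because its cost does not depend on the plaintext) and, instead of measuring wall-clock time, counts the SHA-1 compression-function calls that HMAC-SHA1 would perform over the 13-byte TLS header plus the payload. `verify_leaky` follows the TLS 1.1/1.2 advice of treating bad padding as a zero-length pad and running the MAC anyway, which changes how many bytes the MAC covers; `verify_constant_work` always performs the work of the longest possible payload, the idea behind the constant-time fixes. The key, header, cookie payload and all function names are constructed for this example.

```python
import hashlib
import hmac

MAC_LEN = 20     # HMAC-SHA1 tag length
BLOCK = 16       # AES-CBC block size
HEADER_LEN = 13  # sequence number (8) + type (1) + version (2) + length (2): the "thirteen"


def sha1_compressions(n_bytes: int) -> int:
    """Compression calls SHA-1 needs to hash n_bytes, including the 0x80 byte and 8-byte length."""
    return (n_bytes + 8) // 64 + 1


def hmac_compressions(data_len: int) -> int:
    """HMAC-SHA1: inner hash over (64-byte keypad || data), outer over (64-byte keypad || 20-byte digest)."""
    return sha1_compressions(64 + data_len) + sha1_compressions(64 + 20)


def tls_pad(data: bytes) -> bytes:
    """TLS padding: p+1 bytes, each holding the value p, so the result is block-aligned."""
    pad_len = BLOCK - (len(data) % BLOCK)
    return data + bytes([pad_len - 1]) * pad_len


def mee_protect(key: bytes, header: bytes, payload: bytes) -> bytes:
    """MAC, then encode (pad); the encrypt step is omitted, see the lead-in."""
    assert len(header) == HEADER_LEN
    tag = hmac.new(key, header + payload, hashlib.sha1).digest()
    return tls_pad(payload + tag)


def padding_ok(record: bytes):
    """Return (valid, padded_len): valid when the last p+1 bytes all equal p and leave room for the MAC."""
    p = record[-1]
    n = p + 1
    if n > len(record) - MAC_LEN:
        return False, 0
    return record[-n:] == bytes([p]) * n, n


def _split(record: bytes):
    """Strip valid padding, or nothing at all when the padding is bad (TLS 1.1/1.2 advice)."""
    ok, pad_len = padding_ok(record)
    body = record[:len(record) - (pad_len if ok else 0)]
    return ok, body[:-MAC_LEN], body[-MAC_LEN:]


def verify_leaky(key: bytes, header: bytes, record: bytes):
    """Returns (accepted, compressions). Bad padding means more bytes under the MAC, so the
    compression count, and therefore the processing time, depends on the padding check."""
    ok, payload, tag = _split(record)
    expected = hmac.new(key, header + payload, hashlib.sha1).digest()
    work = hmac_compressions(HEADER_LEN + len(payload))
    return ok and hmac.compare_digest(tag, expected), work


def verify_constant_work(key: bytes, header: bytes, record: bytes):
    """Countermeasure: always do the work the zero-pad (longest payload) case would have needed."""
    ok, payload, tag = _split(record)
    expected = hmac.new(key, header + payload, hashlib.sha1).digest()
    real = hmac_compressions(HEADER_LEN + len(payload))
    worst = hmac_compressions(HEADER_LEN + len(record) - MAC_LEN)
    for _ in range(worst - real):
        hashlib.sha1(b"\x00" * 55).digest()  # 55 bytes is exactly one SHA-1 compression
    return ok and hmac.compare_digest(tag, expected), worst


# Constructed sample: a 40-byte cookie record under a throwaway key.
KEY = b"k" * 20
HEADER = bytes(8) + b"\x17\x03\x03" + (40).to_bytes(2, "big")   # 13 bytes
PAYLOAD = b"cookie=" + b"0123456789" * 3 + b"abc"                # 40 bytes -> 60 with tag -> 64 padded


def demo():
    good = mee_protect(KEY, HEADER, PAYLOAD)
    bad = good[:-1] + b"\x07"   # a manipulated record: the final pad-length byte no longer matches
    return {
        "leaky_good": verify_leaky(KEY, HEADER, good),
        "leaky_bad": verify_leaky(KEY, HEADER, bad),
        "fixed_good": verify_constant_work(KEY, HEADER, good),
        "fixed_bad": verify_constant_work(KEY, HEADER, bad),
    }


if __name__ == "__main__":
    for name, (accepted, work) in demo().items():
        print(f"{name:11s} accepted={accepted!s:5} sha1_compressions={work}")
```

With these sizes the leaky check runs four compressions for a well-padded record and five for a tampered one, a one-compression difference of the kind the attack's response-time sampling was built to detect; the constant-work check runs five in both cases, so the timing no longer reveals whether the padding was accepted.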

It took the scientists as few as 2^23 sessions to extract the entire contents of a TLS-encrypted authentication cookie. They were able to improve on this when they knew details of the ciphertext they were trying to decrypt. Cookies in base64 encoding, for example, could be extracted in 2^19 TLS sessions. When a byte of plaintext in one of the last two positions of a block was already known, the researchers needed only 2^13 sessions.

To make the attacks more efficient, they can incorporate methods unveiled two years ago in a separate TLS attack dubbed BEAST. That attack used JavaScript in the browser to open multiple sessions. By combining it with the padding oracle exploit, attackers needed 2^13 sessions to extract each byte without having to know one of the last two positions in a block.

The Lucky Thirteen attacks are just the latest exploits to subvert TLS, which together with SSL is designed to safeguard banking transactions, login sessions and other sensitive activities over unsecured networks. One of the most recent attacks used a universal wildcard certificate to spoof the credentials of virtually every website on the Internet. The BEAST attack mentioned above could decrypt an eBay authentication cookie, but the technique first required attackers to subvert something known as the same-origin policy. Late last year, the researchers behind BEAST devised CRIME, an attack that used web compression to subvert TLS/SSL.

TLS remains vulnerable to these attacks largely because of decisions made by the designers of the original SSL in the 1990s, Johns Hopkins University professor Matthew Green observed in a Monday blog post explaining how Lucky Thirteen works. Since then, engineers have applied a number of “band-aids” to the protocols without fixing the underlying problems.

The attacks apply to all implementations of TLS versions 1.1 and 1.2 and of DTLS versions 1.0 and 1.2, respectively. They also work against implementations of SSL version 3.0 and TLS version 1.0 that have been tweaked to include countermeasures against an earlier padding oracle attack discovered several years ago.

This is not the first time SSL and TLS have been hit with a padding oracle attack. The protocols were later patched to prevent attacks that used subtle timing differences to discover details of the encrypted plaintext. Even at the time, some cryptographers recognised that a small window remained which could still allow this kind of exploit.

The scientists named their feat “Lucky Thirteen” because the TLS MAC calculation that makes it possible includes 13 bytes of header information.

“For our attacks, 13 is lucky — at least from the point of view of the attacker,” the researchers wrote in their web post. “This is what the mood among cryptographers goes through.”