ABSTRACT
This paper describes a cross-protocol attack on all versions of TLS; it can be seen as an extension of the Wagner and Schneier attack on SSL 3.0. The attack presents valid explicit elliptic curve Diffie-Hellman parameters signed by a server to a client that incorrectly interprets these parameters as valid plain Diffie-Hellman parameters. Our attack enables an adversary to successfully impersonate a server to a random client after obtaining 2^40 signed elliptic curve keys from the original server. While attacking a specific client is improbable because of the high number of signed keys required within the lifetime of one TLS handshake, it is not completely unrealistic in a setting where the server has high computational power and the attacker is content with recovering one out of many session keys. We remark that popular open-source server implementations are not susceptible to this attack, since they typically do not support the explicit curve option. Finally, we propose a fix that renders the protocol immune to this family of cross-protocol attacks.
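The root of the attack described above is that the server's signature in TLS 1.0 to 1.2 covers only the randoms and the raw parameter bytes, so it does not record which key exchange those bytes were produced for. The following added Python illustration (not code from the paper) contrasts that legacy signing shape with one that binds the negotiated key-exchange algorithm into the signed input, alongside a strict ServerDHParams parser; the HMAC key and fixed randoms are constructed stand-ins for the server's RSA signing key and the handshake nonces, and the `kex` label is an assumed encoding, not a TLS field.

```python
import hashlib
import hmac
import struct

# Constructed stand-ins: HMAC key for the server's signing key, fixed nonces for the randoms.
SERVER_KEY = b"constructed-server-signing-key"
CLIENT_RANDOM = b"\x11" * 32
SERVER_RANDOM = b"\x22" * 32

def encode_dh_params(p: int, g: int, ys: int) -> bytes:
    """ServerDHParams (RFC 5246): dh_p, dh_g, dh_Ys, each 2-byte length + big-endian value."""
    out = b""
    for v in (p, g, ys):
        raw = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
        out += struct.pack("!H", len(raw)) + raw
    return out

def parse_dh_params(buf: bytes) -> tuple:
    """Strict ServerDHParams parser; any length mismatch is rejected."""
    vals, off = [], 0
    for _ in range(3):
        if off + 2 > len(buf):
            raise ValueError("truncated length field")
        (n,) = struct.unpack_from("!H", buf, off)
        off += 2
        if n == 0 or off + n > len(buf):
            raise ValueError("bad integer length")
        vals.append(int.from_bytes(buf[off:off + n], "big"))
        off += n
    if off != len(buf):
        raise ValueError("trailing bytes after dh_Ys")
    return tuple(vals)  # (p, g, Ys)

def legacy_sign(params: bytes) -> bytes:
    # TLS 1.0-1.2 shape: client_random || server_random || params is signed,
    # so nothing in the signature records which key exchange the bytes belong to.
    return hmac.new(SERVER_KEY, CLIENT_RANDOM + SERVER_RANDOM + params, hashlib.sha256).digest()

def legacy_verify(params: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(legacy_sign(params), sig)

def bound_sign(kex: str, params: bytes) -> bytes:
    # Hardened shape: the negotiated key-exchange algorithm is covered by the
    # signature, length-prefixed so it cannot blend into the params bytes.
    label = kex.encode("ascii")
    msg = CLIENT_RANDOM + SERVER_RANDOM + bytes([len(label)]) + label + params
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

def bound_verify(kex: str, params: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(bound_sign(kex, params), sig)
```

With the legacy shape a signature verifies for any key exchange the client assumes the bytes belong to; with the bound shape a signature issued for ECDHE fails verification when the same bytes are checked as DHE parameters.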
- R. J. Anderson and R. M. Needham. Robustness principles for public key protocols. In CRYPTO 1995, volume 963 of Lecture Notes in Computer Science, pages 236--247. Springer, 1995.
- G. V. Bard. A challenging but feasible blockwise-adaptive chosen-plaintext attack on SSL. In SECRYPT 2006, pages 99--109. INSTICC Press, 2006.
- S. Blake-Wilson, N. Bolyard, V. Gupta, C. Hawk, and B. Moeller. Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS). RFC 4492 (Informational), 2006.
- D. Bleichenbacher. Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1. In CRYPTO 1998, volume 1462 of Lecture Notes in Computer Science, pages 1--12. Springer, 1998.
- J. Bos, T. Kleinjung, A. Lenstra, and P. Montgomery. This is a tasty factor. Email on the NMBRTHRY list, 8 Mar 2010.
- Certicom Research. SEC 2: Recommended elliptic curve domain parameters, September 2000.
- C. J. F. Cremers. Feasibility of multi-protocol attacks. In ARES 2006, pages 287--294. IEEE Computer Society, 2006.
- K. Dickman. On the frequency of numbers containing prime factors of a certain relative magnitude. Arkiv för Matematik, Astronomi och Fysik, 22:1--14, 1930.
- T. Dierks and C. Allen. The TLS Protocol Version 1.0. RFC 2246 (Proposed Standard), 1999.
- T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346 (Proposed Standard), 2006.
- T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard), 2008.
- D. Dolev and A. C.-C. Yao. On the security of public key protocols. IEEE Transactions on Information Theory, 29(2):198--207, 1983.
- P. Eronen and H. Tschofenig. Pre-Shared Key Ciphersuites for Transport Layer Security (TLS). RFC 4279 (Proposed Standard), 2005.
- A. Freier, P. Karlton, and P. Kocher. The Secure Sockets Layer (SSL) Protocol Version 3.0. RFC 6101 (Historic), 2011.
- T. Kleinjung. Discrete logarithms in GF(p) -- 160 digits. Email on the NMBRTHRY list, 5 Feb 2007.
- V. Klíma, O. Pokorný, and T. Rosa. Attacking RSA-Based Sessions in SSL/TLS. In CHES 2003, volume 2779 of Lecture Notes in Computer Science, pages 426--440. Springer, 2003.
- H. Krawczyk, M. Bellare, and R. Canetti. HMAC: Keyed-Hashing for Message Authentication. RFC 2104 (Informational), Feb. 1997.
- A. Langley, N. Modadugu, and B. Moeller. Transport Layer Security (TLS) False Start. Internet Draft, 2010.
- A. K. Lenstra and H. W. Lenstra, Jr., editors. The development of the number field sieve, volume 1554 of Lecture Notes in Mathematics. Springer-Verlag, Berlin, 1993.
- H. W. Lenstra, Jr. Factoring integers with elliptic curves. Annals of Mathematics (2), 126(3):649--673, 1987.
- R Development Core Team. R: A Language and Environment for Statistical Computing. R Foundation for Statistical Computing, Vienna, Austria, 2012. ISBN 3-900051-07-0.
- J.-F. Raymond and A. Stiglic. Security issues in the Diffie-Hellman key agreement protocol. IEEE Transactions on Information Theory, 22:1--17, 2000.
- E. Rescorla, M. Ray, S. Dispensa, and N. Oskov. Transport Layer Security (TLS) Renegotiation Indication Extension. RFC 5746 (Proposed Standard), 2010.
- I. Ristic. Internet SSL Survey, 2011. https://www.ssllabs.com/projects/ssl-survey/
- D. Taylor, T. Wu, N. Mavrogiannopoulos, and T. Perrin. Using the Secure Remote Password (SRP) Protocol for TLS Authentication. RFC 5054 (Informational), 2007.
- S. Vaudenay. Security Flaws Induced by CBC Padding -- Applications to SSL, IPSEC, WTLS ... In EUROCRYPT 2002, volume 2332 of Lecture Notes in Computer Science, pages 534--546. Springer, 2002.
- D. Wagner and B. Schneier. Analysis of the SSL 3.0 protocol. In Proceedings of the 2nd USENIX Workshop on Electronic Commerce, volume 2 of WOEC, pages 29--40. USENIX Association, 1996.
Index Terms
- A cross-protocol attack on the TLS protocol