One document matched: draft-ietf-uta-tls-attacks-01.xml
<?xml version="1.0" encoding="UTF-8"?>
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<?rfc tocindent="no"?>
<?rfc toc="yes"?>
<?rfc symrefs="yes"?>
<?rfc tocindent="no"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY rfc5246 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5246.xml">
<!ENTITY rfc6989 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6989.xml">
<!ENTITY I-D.popov-tls-prohibiting-rc4 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.popov-tls-prohibiting-rc4.xml">
]>
<rfc docName="draft-ietf-uta-tls-attacks-01" ipr="trust200902" category="info">
<front>
<title abbrev="TLS Attacks">Summarizing Current Attacks on TLS and DTLS</title>
<author initials="Y." surname="Sheffer" fullname="Yaron Sheffer">
<organization abbrev="Porticor">Porticor</organization>
<address>
<postal>
<street>29 HaHarash St.</street>
<city>Hod HaSharon</city>
<code>4501303</code>
<country>Israel</country>
</postal>
<email>yaronf.ietf@gmail.com</email>
</address>
</author>
<author initials="R." surname="Holz" fullname="Ralph Holz">
<organization abbrev="TUM">Technische Universitaet Muenchen</organization>
<address>
<postal>
<street>Boltzmannstr. 3</street>
<city>Garching</city>
<code>85748</code>
<country>Germany</country>
</postal>
<email>holz@net.in.tum.de</email>
</address>
</author>
<author initials="P." surname="Saint-Andre" fullname="Peter Saint-Andre">
<organization abbrev="&yet">&yet</organization>
<address>
<email>ietf@stpeter.im</email>
</address>
</author>
<date/>
<workgroup>
uta
</workgroup>
<keyword>Internet-Draft</keyword>
<abstract>
<t>
Over the last few years there have been several serious attacks on TLS, including attacks on its most commonly used ciphers and modes of operation. This document summarizes these attacks, with the goal of motivating generic and protocol-specific recommendations on the usage of TLS and DTLS.</t>
</abstract>
</front>
<middle>
<section title="Introduction" anchor="d1e329">
<t>
Over the last few years there have been several major attacks on TLS <xref target="RFC5246"/>, including attacks on its most commonly used ciphers and modes of operation. Details are given in <xref target="sec_Attacks"/>, but suffice it to say that both AES-CBC and RC4, which together make up for most current usage, have been seriously attacked in the context of TLS.</t>
<t>
This situation motivated the creation of the UTA working group, which is tasked with the creation of generic and protocol-specific recommendation for the use of TLS and DTLS.</t>
<t>
“Attacks always get better; they never get worse” (ironically, this saying is attributed to the NSA). This list of attacks describes our knowledge as of this writing. It seems likely that new attacks will be invented in the future.</t>
<t>
For a more detailed discussion of the attacks listed here, the interested reader is referred to <xref target="Attacks-iSec"/>.</t>
</section>
<section title="Attacks on TLS" anchor="sec_Attacks">
<t>
This section lists the attacks that motivated the current recommendations. This is not intended to be an extensive survey of TLS's security.</t>
<t>
While there are widely deployed mitigations for some of the attacks listed below, we believe that their root causes necessitate a more systemic solution.</t>
<section title="SSL Stripping">
<t>
Various attacks attempt to remove the use of SSL/TLS altogether, by modifying HTTP traffic and HTML pages as they pass on
the wire. These attacks are known collectively as SSL Stripping, and were first introduced by Moxie Marlinspike
<xref target="SSL-Stripping"/>. In the context of Web traffic, these attacks are only effective if
the client accesses a Web server using a mixture of HTTP and HTTPS.
</t>
</section>
<section title="BEAST" anchor="d1e392">
<t>
The BEAST attack <xref target="BEAST"/> uses issues with the TLS 1.0 implementation of CBC (that is, the predictable initialization vector) to decrypt parts of a packet, and specifically to decrypt HTTP cookies when HTTP is
run over TLS.</t>
</section>
<section title="Lucky Thirteen" anchor="d1e407">
<t>
A consequence of the MAC-then-encrypt design in all current versions of TLS is the existence of padding oracle attacks <xref target="Padding-Oracle"/>. A recent incarnation of these attacks is the Lucky Thirteen attack <xref target="CBC-Attack"/>, a timing side-channel attack that allows the attacker to decrypt arbitrary ciphertext.</t>
</section>
<section title="Attacks on RC4" anchor="d1e428">
<t>
The RC4 algorithm <xref target="RC4"/> has been used with TLS (and previously, SSL) for many years.
RC4 has long been
known to have a variety of cryptographic weaknesses, e.g. <xref target="RC4-Attack-Pau"/>,
<xref target="RC4-Attack-Man"/>, <xref target="RC4-Attack-FMS"/>. Recent cryptanalysis results <xref target="RC4-Attack-AlF"/> exploit biases in
the RC4 keystream to recover repeatedly encrypted plaintexts.
</t>
<t>
These recent results are on the verge of becoming practically
exploitable; currently they require 2^26 sessions or 13x2^30
encryptions. As a result, RC4 can no longer be seen as providing a
sufficient level of security for TLS sessions.
</t>
</section>
<section title="Compression Attacks: CRIME and BREACH" anchor="d1e468">
<t>
The CRIME attack <xref target="CRIME"/> allows an active attacker to decrypt ciphertext (specifically, cookies) when TLS is used with protocol-level compression.</t>
<t>
The TIME attack <xref target="TIME"/> and the later BREACH attack <xref target="BREACH"/> both make similar use of HTTP-level compression to decrypt secret data passed in the HTTP response. We note that compression of the HTTP message body is much more prevalent than compression at the TLS level.</t>
<t>
The former attack can be mitigated by disabling TLS compression, as recommended below. We are not aware of mitigations at the protocol level to the latter attack, and so application-level mitigations are needed (see <xref target="BREACH"/>). For example, implementations of HTTP that use CSRF tokens will need to randomize them even when the recommendations of <xref target='I-D.ietf-uta-tls-bcp'/> are adopted.</t>
</section>
<section title="Certificate Attacks">
<t>
There have been several practical attacks on TLS when used with RSA certificates (the most common use case).
These include
<xref target="Bleichenbacher98"/> and <xref target="Klima03"/>.
While the Bleichenbacher attack has been mitigated in TLS 1.0, the
Klima attack that relies on a version-check oracle is only mitigated by TLS 1.1.
</t>
<t>
The use of RSA certificates often involves exploitable timing issues <xref target="Brumley03"/>, unless the implementation takes
care to explicitly eliminate them.
</t>
</section>
<section title="Diffe-Hellman Parameters">
<t>
TLS allows to define ephemeral Diffie-Hellman and Elliptic Curve Diffie-Hellman parameters in its respective
key exchange modes. This results in an outstanding attack, detailed in <xref target="Cross-Protocol"/>.
In addition, clients that do not properly verify the received parameters are exposed to MITM attacks.
Unfortunately the TLS protocol
does not require this verification, see <xref target="RFC6989"/> for the IPsec analogy.
</t>
</section>
<section title="Denial of Service">
<t>
Server CPU power has progressed over the years so that TLS can now be turned on by default.
However the risk of malicious clients and
coordinated groups of clients ("botnets") mounting denial of service attacks is still very real.
TLS adds another vector for computational
attacks, since a client can easily (with little computational effort) force the server to expend relatively large computational
work. It is known that such attacks have in fact been mounted.
</t>
</section>
</section>
<section title="Security Considerations" anchor="d1e507">
<t>
This document describes protocol attacks in an informational manner, and in itself does not have any security implications.
Its companion documents certainly do.</t>
</section>
<section title="IANA Considerations" anchor="sec_IANA_Considerations">
<t>This document requires no IANA actions.</t>
</section>
<section title="Acknowledgements" anchor="d1e530">
<t>
We would like to thank Stephen Farrell, Simon Josefsson, Yoav Nir, Kenny Paterson, Patrick Pelletier, Tom Ritter
and Rich Salz for their review of this document. We thank Andrei Popov for contributing text on RC4.</t>
<t>
The document was prepared using the lyx2rfc tool, created by Nico Williams.</t>
</section>
</middle>
<back>
<references title="Normative References">
&rfc5246;
</references>
<references title="Informative References">
<reference anchor='I-D.ietf-uta-tls-bcp'>
<front>
<title>Recommendations for Secure Use of TLS and DTLS</title>
<author initials='Y' surname='Sheffer' fullname='Yaron Sheffer'>
<organization />
</author>
<author initials='R' surname='Holz' fullname='Ralph Holz'>
<organization />
</author>
<author initials='P' surname='Saint-Andre' fullname='Peter Saint-Andre'>
<organization />
</author>
<date month='March' day='27' year='2014' />
<abstract><t>Transport Layer Security (TLS) and Datagram Transport Security Layer (DTLS) are widely used to protect data exchanged over application protocols such as HTTP, SMTP, IMAP, POP, SIP, and XMPP. Over the last few years, several serious attacks on TLS have emerged, including attacks on its most commonly used cipher suites and modes of operation. This document provides recommendations for improving the security of both software implementations and deployed services that use TLS and DTLS.</t></abstract>
</front>
<seriesInfo name='Internet-Draft' value='draft-ietf-uta-tls-bcp-00' />
<format type='TXT'
target='http://www.ietf.org/internet-drafts/draft-ietf-uta-tls-bcp-00.txt' />
</reference>
&rfc6989;
<reference anchor="CBC-Attack"><front><title>Lucky Thirteen: Breaking the TLS and DTLS Record Protocols</title><author initials="N.J." surname="AlFardan" fullname="Nadhem J. AlFardan"/><author initials="K." surname="Paterson" fullname="K. Paterson"/><date year="2013"/></front><seriesInfo name="IEEE Symposium on Security and Privacy" value=""/></reference>
<reference anchor="BEAST" target="http://packetstormsecurity.com/files/105499/Browser-Exploit-Against-SSL-TLS.html"><front><title>Browser Exploit Against SSL/TLS</title><author initials="J." surname="Rizzo" fullname="Juliano Rizzo"/><author initials="T." surname="Duong" fullname="Thai Duong"/><date year="2011"/></front></reference>
<reference anchor="CRIME"><front><title>The CRIME Attack</title><author initials="J." surname="Rizzo" fullname="Juliano Rizzo"/><author initials="T." surname="Duong" fullname="Thai Duong"/><date year="2012"/></front><seriesInfo name="EKOparty Security Conference" value="2012"/></reference>
<reference anchor="BREACH" target="http://breachattack.com/"><front><title>The BREACH Attack</title><author initials="A." surname="Prado" fullname="Angelo Prado"/><author initials="N." surname="Harris" fullname="Neal Harris"/><author initials="Y." surname="Gluck" fullname="Yoel Gluck"/><date year="2013"/></front></reference>
<reference anchor="TIME" target="https://media.blackhat.com/eu-13/briefings/Beery/bh-eu-13-a-perfect-crime-beery-wp.pdf"><front><title>A Perfect CRIME? Only TIME Will Tell</title><author initials="T." surname="Be'ery" fullname="Tal Be'ery"/><author initials="A." surname="Shulman" fullname="Amichai Shulman"/><date year="2013"/></front><seriesInfo name="Black Hat Europe" value="2013"/></reference>
<reference anchor="RC4"><front><title>Applied Cryptography: Protocols, Algorithms, and Source Code in C, 2nd Ed.</title><author initials="B." surname="Schneier" fullname="Bruce Schneier"/><date year="1996"/></front></reference>
<reference anchor="RC4-Attack-FMS"><front><title>Weaknesses in the Key Scheduling Algorithm of RC4</title><author initials="S." surname="Fluhrer" fullname="Scott Fluhrer"/><author initials="I." surname="Mantin" fullname="Itsik Mantin"/><author initials="A." surname="Shamir" fullname="Adi Shamir"/><date year="2001"/></front><seriesInfo name="Selected Areas in Cryptography" value=""/></reference>
<reference anchor="RC4-Attack-AlF" target="https://www.usenix.org/conference/usenixsecurity13/security-rc4-tls"><front><title>On the Security of RC4 in TLS</title><author initials="N." surname="AlFardan" fullname="Nadhem AlFardan"/><author initials="D.J." surname="Bernstein" fullname="Daniel J. Bernstein"/><author initials="K.G." surname="Paterson" fullname="Kenneth G. Paterson"/><author initials="B." surname="Poettering" fullname="Bertram Poettering"/><author initials="J.C.N." surname="Schuldt" fullname="Jacob C. N. Schuldt"/><date year="2013"/></front><seriesInfo name="Usenix Security Symposium" value="2013"/></reference>
<reference anchor="Attacks-iSec" target="https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf"><front><title>Attacks on SSL, a comprehensive study of BEAST, CRIME, TIME, BREACH, Lucky13 and RC4 biases</title><author initials="P.G." surname="Sarkar" fullname="Pratik Guha Sarkar"/><author initials="S." surname="Fitzgerald" fullname="Shawn Fitzgerald"/><date month="8" year="2013"/></front></reference>
<reference anchor="Padding-Oracle" target="http://www.iacr.org/cryptodb/archive/2002/EUROCRYPT/2850/2850.pdf"><front><title>Security Flaws Induced by CBC Padding Applications to SSL, IPSEC, WTLS...</title><author initials="S." surname="Vaudenay" fullname="Serge Vaudenay"/><date year="2002"/></front><seriesInfo name="EUROCRYPT" value="2002"/></reference>
<reference anchor="Cross-Protocol" target="http://doi.acm.org/10.1145/2382196.2382206"><front><title>A cross-protocol attack on the TLS protocol</title><author fullname="Nikos Mavrogiannopoulos" initials="N." surname="Mavrogiannopoulos" /><author fullname="Frederik Vercauteren" initials="F." surname="Vercauteren" /><author fullname="Vesselin Velichkov" initials="V." surname="Velichkov" /><author fullname="Bart Preneel" initials="B." surname="Preneel" /><date year="2012" /><keyword>cross-protocol attack</keyword><keyword> man-in-the-middle</keyword><keyword> server impersonation attack</keyword><keyword> ssl</keyword><keyword> tls</keyword></front></reference>
<reference anchor="RC4-Attack-Pau" target="http://dblp.uni-trier.de/db/conf/sacrypt/sacrypt2007.html#PaulM07"><front><title>Permutation after RC4 key scheduling reveals the secret key.</title><author fullname="Goutam Paul" initials="G." surname="Paul" /><author fullname="Subhamoy Maitra" initials="S." surname="Maitra" /><date year="2007" /><keyword>dblp</keyword></front></reference>
<reference anchor="RC4-Attack-Man"><front><title>A practical attack on broadcast RC4</title><author fullname="Itsik Mantin" initials="I." surname="Mantin" /><author fullname="Adi Shamir" initials="A." surname="Shamir" /><date year="2001" /></front></reference>
<reference anchor="SSL-Stripping" target="http://www.thoughtcrime.org/software/sslstrip/"><front><title>SSL Stripping</title><author initials="M." surname="Marlinspike" fullname="Moxie Marlinspike"><organization/></author><date year="2009" month="February"/></front></reference>
<reference anchor="Bleichenbacher98"><front><title>Chosen ciphertext attacks against protocols based on the RSA encryption standard pkcs1</title><author fullname="Daniel Bleichenbacher" initials="D." surname="Bleichenbacher" /><date year="1998" /></front></reference>
<reference anchor="Klima03"><front><title>Attacking RSA-based sessions in SSL/TLS</title><author fullname="Vlastimil Klima" initials="V." surname="Klima" /><author fullname="Ondej Pokorny" initials="O." surname="Pokorny" /><author fullname="Tomas Rosa" initials="T." surname="Rosa" /><date year="2003" /></front></reference>
<reference anchor="Brumley03"><front><title>Remote timing attacks are practical</title><author fullname="David Brumley" initials="D." surname="Brumley" /><author fullname="Dan Boneh" initials="D." surname="Boneh" /><date year="2003" /></front></reference>
</references>
<section title="Appendix: Change Log" anchor="changes">
<t>
Note to RFC Editor: please remove this section before publication.</t>
<section title="draft-ietf-uta-tls-bcp-01" anchor="changes-01">
<t>
<list style='symbols'>
<t>Added SSL Stripping, attacks related to certificates, Diffie Hellman parameters and denial of service.</t>
<t>Expanded on RC4 attacks, thanks to Andrei Popov.</t>
</list>
</t>
</section>
<section title="draft-ietf-uta-tls-bcp-00" anchor="changes-00">
<t>
<list style='symbols'>
<t>Initial WG version, with only updated references.</t>
</list>
</t>
</section>
<section title="draft-sheffer-uta-tls-bcp-00" anchor="changes-pre">
<t>
<list style='symbols'>
<t>Initial version, extracted from draft-sheffer-tls-bcp-01.</t>
</list>
</t>
</section>
</section>
</back>
</rfc>
| PAFTECH AB 2003-2026 | 2026-04-24 02:54:45 |