Bar Mitzvah Attack: Breaking SSL with a 13-year-old RC4 Weakness

Abstract

RC4 is the most popular stream cipher in the world. In fact, as of March 2015, RC4 is estimated to protect as much as 30% of SSL traffic, likely amounting to billions of TLS connections every day. Yet it suffers a critical, and long known, weakness known as the Invariance Weakness. In this paper we will revisit the Invariance Weakness, a 13-year-old vulnerability of RC4 that is based on huge classes of RC4 weak keys, which was first published in the FMS paper in 2001. We will show how this vulnerability can be used to mount partial plaintext recovery attacks on SSL-protected data, when RC4 is the cipher of choice, recovering the LSBs of as many as 100 bytes from the encrypted stream. As opposed to BEAST, POODLE, CRIME and other attacks on SSL that were published in recent years, including the Royal Holloway attack on the usage of RC4, a new attack based upon the Invariance Weakness does not rely on aggregation of small fragments of plaintext information, but on a "hit", a rare event that causes a significant leakage to occur. We show how this unique characteristic can be used to attack SSL in new scenarios, including the first practical attack on SSL that does not require an active Man-in-the-Middle. Furthermore, the new attack is not limited to recovery of temporal session tokens, but can be used to steal parts of permanent secret data such as account credentials and credit card numbers when delivered over HTTPS. Another variant of the attack recovers a significant part of a secret with small but non-negligible probability, even if that secret was transmitted only once over the SSL connection. This paper will describe the Invariance Weakness in detail, explain its impacts, and recommend some mitigating actions.
Introduction

TLS: The Protocol

TLS is the most widely used secure communications protocol on the Internet today. Starting life as SSL, the protocol was adopted by the IETF and specified as an RFC standard under the name of TLS 1.0 [1]. It has since evolved through TLS 1.1 [2] to the current version TLS 1.2 [3]. TLS 1.3 is, as of March 2015, in draft [4]. Various other RFCs define additional TLS cryptographic algorithms and extensions. SSL is currently used for securing a wide variety of application-level traffic: it serves, for example, as the basis of the HTTPS protocol for encrypted web browsing, it is used in conjunction with IMAP or SMTP to cryptographically protect email traffic, and it is a popular tool to secure communication with embedded systems, mobile devices, and in payment systems.

SSL strives to fulfill two major goals: 1) allow two parties to authenticate each other, and 2) secure the communication between the two. In many SSL deployments, particularly secure web browsing, the authentication is one-way, meaning that only the client (browser) authenticates the server (web application), but not vice versa. SSL sessions consist of two phases: in the SSL Handshaking Protocol the client authenticates the server, the server (optionally) authenticates the client, and both establish cryptographic session keys, ready to protect the communication. In the Record Protocol the parties use the established session keys and symmetric key cryptography to encrypt (e.g., using the AES block cipher or the RC4 stream cipher) and authenticate (e.g., using HMAC algorithms) to build a secure channel for application-layer data.
The parties can choose between many different authentication and encryption algorithms for the Record Protocol, essentially divided into the following classes:

- Block cipher (CBC mode of operation) + HMAC
- Stream cipher (RC4) + HMAC
- Authenticated encryption using a block cipher (GCM/CCM mode of operation)

SSL Protocol Weaknesses

In the last couple of years several significant vulnerabilities have been discovered in the SSL protocol, particularly in the most commonly used variants, AES-CBC and RC4. The AES-CBC variant has seen significant cryptanalysis (padding oracle attacks [5], BEAST [6], Lucky 13 [7], TIME [16], and POODLE [15]). And in 2013 AlFardan et al. published an analysis [8] of the RC4 mode, which showed how to mount an attack that recovers data transmitted over an SSL/RC4 connection. The attack was based on some of the many known weaknesses of RC4, in particular the significant statistical biases in its first output bytes, and the weaker statistical biases in the RC4 keystream.
Implementation Weaknesses

In recent years SSL implementations have received significant attention and scrutiny from security researchers, and this has resulted in steady discovery of new vulnerabilities (and patching, with or without disclosure). In 2014 several dozen vulnerabilities were discovered in the OpenSSL library (the most popular implementation of SSL), Heartbleed being the most severe one in that it allows an attacker to dump memory segments from the SSL server, in many cases exposing secret key information. Vulnerabilities in several other implementations were published as well (e.g., CVE-2014-6321 in Microsoft SChannel).
On RC4: The Stream Cipher

The 4-line Stream Cipher

Rivest Cipher 4 (RC4) is one of the simplest cryptographic algorithms, implementing a pseudo-random generator that is used to implement a stream cipher. The internal state of RC4 includes a permutation S of [0, 1, ..., 255] and two indices i and j in this permutation. In the key scheduling phase (KSA) an L-byte long RC4 key (for L varying between 5 and 256) is used to construct the initial state permutation S0. In the encryption phase, the RC4 PRGA, which is initialized with the resultant S0, is used to generate a stream of pseudo-random bytes, denoted as the keystream. Like most stream ciphers, these pseudo-random bytes are XOR-ed with the plaintext bytes to generate the ciphertext bytes. The building blocks of RC4 are described below.

    KSA(K)                            PRGA(S0)
      j = 0                             i, j = 0, 0
      S = [0, 1, 2, ..., 255]           S = S0
      for i = 0..255:                   while bytes are needed:
        j = j + S[i] + K[i mod L]         i = i + 1
        swap S[i], S[j]                   j = j + S[i]
                                          swap S[i], S[j]
                                          emit S[S[i] + S[j]]
      (All operations are done mod 256.)

Known for its simplicity and for its respected author, RC4 gained considerable popularity. And given its impressive performance, being able to encrypt and decrypt almost two times faster than AES, for many years it was considered to be the default stream cipher.
Security of RC4

RC4 is not a secure cipher. Back in the 90s, when RC4 was a trade secret of RSA and its details were known but not formally approved, RC4 was believed to be secure. However, in the following decade RC4 underwent significant scrutiny by cryptography experts, which showed statistical biases in the pseudo-random stream that allow an attacker to distinguish RC4 from random ([9], [10]) and to predict its allegedly pseudo-random bits with high probability ([10]). While this statistical analysis requires many millions of RC4 keystream bytes, two research results in 2001 on the initialization of RC4 switched the focus of RC4 analysis to its poor initialization mechanisms. The first [11] showed that the second byte of RC4 has a huge statistical bias, having twice the expected probability to be zero. The second [12], later known as the FMS research, completely broke RC4 in the way it was used in the WEP protocol. These results initiated a wave of research efforts and analysis results on RC4 initialization, a wave whose end is yet to be seen: correlation between key bytes and state bytes (e.g., [13]), correlation between key bytes and first output bytes (e.g., [12]) and between key bytes and further output bytes ([14]), significant statistical biases in the first 256 output bytes [17], and many other results. Interestingly, the series of successful attacks didn't have a significant impact on the popularity of RC4, and in fact during the wave of CBC attacks on SSL in 2012, some experts recommended switching to RC4.
The Invariance Weakness

The FMS research [12] details two significant RC4 weaknesses. The IV weakness, resulting in a practical key recovery attack and complete break of RC4 in the WEP protocol, received most of the attention, leaving the other weakness, denoted in the paper as the Invariance Weakness, in the shadows for 13 years. The Invariance Weakness is an L-shape key pattern in RC4 keys which, once it exists in an RC4 key, preserves part of the state permutation intact throughout the initialization process. This intact part includes the least significant bits of the permutation which, when processed by the PRGA algorithm, determine the least significant bits of the allegedly pseudo-random output stream along a long prefix of the stream. These patterns, and a detailed explanation of how they are preserved, are described in detail in [12] and [13]. These biased stream bytes are XOR-ed with the plaintext bytes, resulting in significant leakage of plaintext bytes from the ciphertext bytes. These patterns occur for different numbers of LSBs (a single LSB, 2 LSBs, 3 LSBs, up to 7 LSBs), resulting in different classes of weak RC4 keys. Due to the structure of these classes, each class contains the succeeding classes and thus the first class is the largest, denoted below as the Main Class. The portion of the q-class for L-byte keys (which is the probability of a random key to be in the class) is 2^-(qL + (9 - q)). For a 16-byte key the portion of the Main Class (1-class) is 2^-24 (1 in 16 million) and the portion of the 2-class is 2^-39 (very rare). These numbers are shown in the following table.
| # LSBs | Applicability | Class probability (8-byte key) | Class probability (16-byte key) |
|---|---|---|---|
| 1 | Keys with an even number of bytes | 2^-16 | 2^-24 |
| 2 | Keys with a number of bytes that is a multiple of 4 | 2^-23 | 2^-39 |
| 3 | Keys with a number of bytes that is a multiple of 8 | 2^-30 | 2^-54 |
| 4 | Keys with a number of bytes that is a multiple of 16 | 2^-37 | 2^-69 |

When a key from a q-class is used, the following things happen:

- The initialization phase of RC4 fails to mix the state with key material properly, and preserves the q least significant bits of its internal state.
- As a result, the initial state of RC4 has fixed, non-mixed q LSBs.
- The q least significant bits of the first 30-50 keystream bytes comply with a deterministic pattern with significant probability.
- The q least significant bits of the first 30-50 plaintext bytes are exposed with significant probability.

The probability of the q LSBs complying with the pattern drops along the stream. This probability is demonstrated in the following diagrams for a single LSB, 2 LSBs and 3 LSBs.

Figure 1: Single LSB (advantage over 0.5)
Figure 2: 2 LSBs (advantage over 0.25)
Figure 3: 3 LSBs (advantage over 0.125)

The reason for the decreasing probability is the state pattern getting "ruined" with the stream generation, and after 50 bytes emitted by the RC4 PRGA the pattern fades out. However, subsequent analysis we ran on RC4 streams when using weak keys showed a difference pattern between stream LSBs, which is less sensitive to this "ruining" effect and manages to survive for as many as 100 bytes of the keystream. The survival probability of difference patterns is demonstrated in the following diagrams for a single LSB, 2 LSBs and 3 LSBs, with reference to the value patterns (the diff pattern is in red and the value pattern remains in blue).

Figure 4: Single LSB (diff pattern; advantage over 0.5)
Figure 5: 2 LSBs (diff pattern; advantage over 0.25)
Figure 6: 3 LSBs (diff pattern; advantage over 0.125)

Applications of the Invariance Weakness

The Invariance Weakness of RC4 has several cryptanalytic applications, described in detail in [12] and [13], including statistical biases in the RC4 pseudo-random stream that allow an attacker to distinguish RC4 streams from randomness, and enhancement of tradeoff attacks on RC4. Another application of the Invariance Weakness, which we use for our attack, is the leakage of plaintext data into the ciphertext when q-class keys are used. The authors of [8] translated statistical biases in the keystream into plaintext leakage attacks. We follow [8] and use our statistical bias to recover plaintext information. The Invariance Weakness biases are not as strong as the biases used in [8]. However, these biases have unique characteristics: on one hand they occur rarely, but on the other hand they are effective in 100 keystream bytes with extremely high probability, opening the door to plaintext leakage attacks in several circumstances that were believed to be completely secure.
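The following Python program is an added example written for this edit; it is not code from the paper or from Imperva. It implements the KSA and PRGA exactly as in the pseudocode above, draws keys from the FMS "special 2^q-exact" class (K[r] ≡ 1 - r mod 2^q for every key byte, K[0] = 1 and msb(K[1]) = 1), which is assumed here to be the q-class the paper refers to (the number of constrained bits, qL + (8 - q) + 1, matches the class probability 2^-(qL + (9 - q)) in the table), and then measures, per keystream position r, how often the q low bits of keystream byte r equal r(r+3)/2 mod 2^q. That pattern is derived here, not quoted from the paper: while the permutation stays 2^q-conserving (S[t] ≡ t mod 2^q), the PRGA index j accumulates 1 + 2 + ... + r and the output index is i + j, so the output's low bits are fixed. Random keys give the baseline; the sample keys, trial counts and seed are constructed values.

```python
"""Added example (not the paper's code): RC4 and the FMS invariance weakness.

The q-class is assumed to be the FMS special 2^q-exact class: K[r] = 1 - r
(mod 2^q) for every key byte, K[0] = 1 and msb(K[1]) = 1.
"""
import random


def rc4_ksa(key: bytes) -> list:
    """Key scheduling: derive the initial permutation S0 from an L-byte key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_prga(s0: list, n: int) -> bytes:
    """Generate n keystream bytes from S0 (S0 itself is left untouched)."""
    s = list(s0)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 encryption and decryption: XOR the data with the keystream."""
    keystream = rc4_prga(rc4_ksa(key), len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))


def weak_key_probability(q: int, length: int) -> float:
    """Portion of L-byte keys in the q-class, the paper's 2^-(qL + (9 - q));
    the class only exists when 2^q divides the key length."""
    if length % (1 << q) != 0:
        return 0.0
    return 2.0 ** -(q * length + (9 - q))


def is_weak_key(key: bytes, q: int) -> bool:
    """True if key is in the q-class as defined in the module docstring."""
    b = 1 << q
    if len(key) < 2 or len(key) % b != 0:
        return False
    if key[0] != 1 or key[1] < 0x80:
        return False
    return all(k % b == (1 - r) % b for r, k in enumerate(key))


def random_weak_key(length: int, q: int, rng: random.Random) -> bytes:
    """Uniformly random q-class key: random bytes with the constrained bits forced."""
    b = 1 << q
    key = bytearray(rng.randrange(256) for _ in range(length))
    for r in range(length):
        key[r] = (key[r] & ~(b - 1) & 0xFF) | ((1 - r) % b)  # low q bits = 1 - r
    key[0] = 1       # K[0] = 1
    key[1] |= 0x80   # msb(K[1]) = 1
    return bytes(key)


def predicted_lsbs(r: int, q: int) -> int:
    """Low q bits of keystream byte r (1-based) while S stays 2^q-conserving:
    j = 1 + 2 + ... + r = r(r+1)/2 and the output index is i + j = r(r+3)/2."""
    return (r * (r + 3) // 2) % (1 << q)


def pattern_match_rates(q, length, positions, trials, seed, weak):
    """For r = 1..positions, the fraction of sampled keys whose keystream byte r
    carries the predicted low bits; weak=False gives the random-key baseline."""
    rng = random.Random(seed)
    b = 1 << q
    hits = [0] * positions
    for _ in range(trials):
        if weak:
            key = random_weak_key(length, q, rng)
        else:
            key = bytes(rng.randrange(256) for _ in range(length))
        for idx, z in enumerate(rc4_prga(rc4_ksa(key), positions)):
            hits[idx] += z % b == predicted_lsbs(idx + 1, q)
    return [h / trials for h in hits]


if __name__ == "__main__":
    # Constructed run: 16-byte keys (RC4-128 as used in TLS), single LSB (q = 1).
    for weak in (True, False):
        rates = pattern_match_rates(q=1, length=16, positions=12, trials=1500, seed=2015, weak=weak)
        print("1-class keys" if weak else "random keys ", " ".join(f"{x:.2f}" for x in rates))
```

Run stand-alone, the program prints one line per key population; the 1-class line starts well above 0.5 and decays towards it along the stream, which is the shape of Figure 1, while the random-key line stays near 0.5 at every position. Raising q to 2 with the same 16-byte length exercises the 2-class (the probability drops to 2^-39, so the keys are only reachable by constructing them, as here).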
Using the Invariance Weakness to Attack SSL

SSL Usage of RC4

The SSL Record Protocol uses RC4 for encryption in many SSL cipher suites. In the Handshaking protocol, RC4 encryption keys are generated for upstream and downstream communication. In the Record protocol, the upstream key is used for encryption of client-to-server communication, whereas the downstream key is used for encryption of server-to-client communication. It is important to note that the encryptions are stateful, using the first keystream bytes for encrypting the first message, the succeeding keystream bytes for encrypting the next message, etc. Given that the Invariance Weakness is expressed only in the first 100 bytes of the keystream, it can be used only for the first 100 bytes of the protected upstream traffic and the first 100 bytes of the protected downstream traffic. Given that the first encrypted message in each direction is the SSL Handshake Finished message (36 bytes in typical usage of SSL), about 64 bytes of secret plaintext data are left for the attack. This flow is depicted in the following diagram. The first 36 bytes of the upstream keystream are used for encrypting the Finished message. The next bytes are used to encrypt the actual application data.
The Attack Scenario

Our attacks are based on the following scenario: the attacker sniffs a large number of SSL connections encrypted with RC4, waiting for a "hit", that is, the arrival of a weak key. Once a weak key arrives, the attacker predicts the LSBs of the keystream bytes, and uses these to extract the LSBs of the plaintext bytes from the ciphertext with significant advantage. In order to fulfill this scenario, the attacker needs to determine which SSL sessions are the ones in which weak keys were used. For this isolation the attacker can use the fact that the first encrypted bytes include the SSL "Finished" message and the HTTP request, both having predictable information. Thus, when a weak key is used, the plaintext patterns are XOR-ed with keystream patterns, generating ciphertext patterns visible to the attacker. [7], [8] and other previous attacks on SSL use tiny statistical biases to aggregate tiny pieces of plaintext information. In order to make this aggregation possible, the target object must be encrypted many times, with the same key in [7] and with different keys in a broadcast scenario in [8]. As opposed to these attacks, our attack scenario, when a weak key arrives, gets at once a significant amount of data on the target object, providing immediate partial plaintext recovery. On the other hand, this partial plaintext recovery cannot be extended into full plaintext recovery by continuing the attack and listening to more sessions.
What Can You Do with LSBs?

The above scenario allows the attacker to recover the least significant bits of up to a hundred secret bytes. When the target object is a session cookie, the attacker reduces the effective size of the cookie, allowing acceleration of a brute force attack on the session cookie for the sake of session hijacking. For example, learning the LSBs of ASP session cookies, which contain 16 characters of 5-bit entropy each, reduces the cookie entropy by 16 bits and thus can be used for a faster brute force attack on the session cookie value. For PHP session cookies this acceleration can increase up to a factor of 2^32. When the target object is an n-character password, an attacker possessing the password LSBs can accelerate a dictionary attack by a factor of 2^n, reducing the security of an 8-char password by a factor of 256. Furthermore, an attacker who runs a brute force attack on a login API can scan a database of known popular passwords, extract the passwords that comply with the LSB pattern and try only these, reducing the number of attempts by a factor of 2^n. We ran an experiment on a database of most commonly used passwords, where we grouped passwords according to their least significant bits. For a single LSB the most common 1000 passwords were grouped into 252 sets, leaving the brute force attacker an average of only 4 attempts, below the barrier for most brute force protection policies. The estimation for the number of web accounts that are protected with one of the top 1000 most commonly-used passwords varies between 10-15 percent, setting the stage for an attack that uses the Invariance Weakness to extract the LSBs of the password in the hope that the user is one of the careless 10%. We used a password popularity analysis from [18] to estimate the number of brute force attempts an attacker needs to make once he has the LSBs of a password known to be in the top 100, 1000 and 10,000 (we took the numbers from [18] as is).

| Password list | Portion of web accounts | Number of LSB groups | Brute force worst case (# attempts) | Brute force average case (# attempts) |
|---|---|---|---|---|
| Top 100 | 4.4% | 68 | 6 | 1.5 |
| Top 1000 | 13.2% | 252 | 24 | 4 |
| Top 10,000 | 30% | 557 | 20 | 18 |

The entropy of a 16-digit credit card number is usually considered to be 5 digits, since the first 6 digits are non-secret, the last 4 digits are freely exposed on receipts and for validation purposes, and there is a 1-byte checksum (Luhn algorithm). An attacker possessing the LSBs of a credit card number reduces the search domain from 100,000 to only 1500. These 1500 candidate numbers can be tested by making attempts at small-amount payments in retail web applications to find the valid one after 750 attempts on average. Thus the reduction in the credit card entropy from 100,000 potential numbers to 1500 potential numbers is significant, and increases the practicality of attacks.
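To see how much of a password list's search space survives once the per-character LSBs are known, here is an added Python example (written for this edit, not the paper's experiment code). It groups passwords by the pattern formed by the q low bits of each byte and reports the number of groups, the largest group (the worst case) and the list size divided by the number of groups; that ratio reproduces the table's average column (1000/252 ≈ 4, 100/68 ≈ 1.5, 10000/557 ≈ 18), so it is assumed here to be the table's metric. The password list is a small constructed sample chosen so that some entries collide, not the top-N data from [18].

```python
"""Added example (not the paper's code): password search space left after an LSB leak."""
from collections import defaultdict


def lsb_pattern(password: str, q: int = 1) -> tuple:
    """Pattern of the q low bits of each byte; the length is part of the pattern."""
    mask = (1 << q) - 1
    return tuple(c & mask for c in password.encode("utf-8"))


def group_by_lsbs(passwords, q: int = 1) -> dict:
    """Map each LSB pattern to the passwords that share it (in list order)."""
    groups = defaultdict(list)
    for pw in passwords:
        groups[lsb_pattern(pw, q)].append(pw)
    return dict(groups)


def group_stats(passwords, q: int = 1) -> dict:
    """Number of groups, largest group (worst case) and list size / groups (average)."""
    groups = group_by_lsbs(passwords, q)
    sizes = [len(g) for g in groups.values()]
    return {
        "groups": len(groups),
        "worst_case": max(sizes),
        "average_case": len(passwords) / len(groups),
    }


# Constructed sample list (not the top-N data the paper used); "master", "secret"
# and "sister" share one single-LSB pattern, as do "123123" and "abc123".
SAMPLE_PASSWORDS = [
    "password", "123456", "qwerty", "master", "secret", "sister", "123123",
    "abc123", "monkey", "dragon", "shadow", "letmein", "welcome", "sunshine",
    "baseball", "princess", "football",
]

if __name__ == "__main__":
    for q in (1, 2):
        print(f"{q} LSB(s):", group_stats(SAMPLE_PASSWORDS, q))
```

With a single leaked bit per character the 17 constructed passwords fall into 14 groups (worst case 3 guesses); with 2 bits per character they fall into 16 groups, and "123123" / "abc123" still collide because the digits 1, 2, 3 and the letters a, b, c share their two low bits. The list size divided by the number of groups is the "average attempts" figure; a login lockout threshold should be compared against the worst case, not the average.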
A Man-in-the-Middle Attack

The first attack we describe resembles the RC4 attack from [8], with the attacker using a large number of encryptions of secret data, e.g., a session cookie, in order to recover parts of this cookie. One way to obtain this large number of encryptions is through the BEAST scenario, where JavaScript malware is downloaded from an attacker-controlled website and runs in the victim's browser, repeatedly sending HTTPS requests to the victim web server. Session cookies are automatically included in each of these requests in a predictable location, and can thus be targeted in the attack. The attacker, who needs new SSL connections for new RC4 keystream prefixes, can enforce termination of the SSL session after the target encrypted cookie is sent; the browser will automatically establish a new SSL session when the next HTTPS request is sent. The attack in [8] recovers the session cookie with probability of 50% after 2^26 sessions. Our attack is expected to have a hit, a 1-class key being used, every 2^24 connections. Since such a hit is translated to a long keystream pattern with probability of 1%-5%, several dozen hits are required to complete a successful partial plaintext recovery. For the sake of simplicity, in the rest of the discussion we use a single number of 1 billion as the number of attempts required to mount the attack, reflecting the number of encryptions the attacker is expected to see until being able to recover the data. As opposed to the BEAST attack, the current attack does not require that the same key is used in all encryptions, but follows [8] in requiring that the key be changed between encryptions. Moreover, as opposed to the attack in [8], which is highly sensitive to situations wherein the session cookie expires or the browser is closed by the user (in which case the attack has to begin from the start), our attack is completely insensitive to these cases. When a weak key is used, the learnt information is on the session cookie from that particular request, regardless of anything that happened before the hit and anything that will happen after the hit.
A Non-Targeted Passive Attack

The nature of the Invariance Weakness, allowing the attacker to learn significant plaintext data from a single hit (that is, a single message that was encrypted with a weak key), opens the door to new attack scenarios which were not possible in any of the previous attacks. The next attack we'll describe is a passive variant of the aforementioned attack. In it, the attacker eavesdrops on the inbound traffic to a popular retail or financial web application, aiming to steal credit card number information (a similar attack works on passwords). The attacker is required to wait 1 billion connections for a weak key usage event, this event being visible through fixed or structured data in this application, propagating through the keystream patterns into the ciphertext. The attacker then uses the Invariance Weakness to predict keystream LSBs, and uses these to calculate plaintext LSBs from ciphertext LSBs. It is important to note that the compromised credit card number or password is of a random victim, with the attacker not having any control over its identity. According to Facebook user statistics, the number of daily active users in Facebook is close to 1 billion. The number of times each of these users executes a login, either visiting Facebook several times or pressing a Like button in another application, can be roughly estimated as 4. Thus a passive eavesdropper sniffing on Facebook inbound lines waiting for hits will see 256 weak keys on the daily 4 billion logins, 4 of which are expected to generate a long stream pattern and expose the password LSBs. Luckily Facebook had recently removed RC4 from its list of SSL supported ciphers.
Group Attacks

In the BEAST-like variant the attacker is required to generate 1 billion connections from the victim's browser. On the other hand, in the passive variant the attacker needs to sniff 1 billion connections to the same web application. In another variant of the attack, combining the two, the attacker obtains these 1 billion connections actively from a group of victim users. The attacker needs to get a Group Man-in-the-Middle setup, being a man in the middle for a group of users. Since the most natural methods of establishing a man-in-the-middle are DNS poisoning and making users connect to a malicious hotspot (either of which will establish the attacker as Man-in-the-Middle for a group of users), this Group Man-in-the-Middle situation is practical. The attacker then runs the BEAST-like attack with each of the potential victims, terminating their connections immediately after the session cookie is sent, until one of them gets a successful hit, a weak key that propagates successfully into a long pattern. This event is expected to occur after a total number of 1 billion SSL connections from all users altogether. This attack scenario is unique, and stems from the unique nature of this attack, with every hit leaking a large quantity of secret information.
One-Time Encryption

From the perspective of a victim, the severity of an attack is proportional to the damage of the attack and to its likelihood. Consider a user who uses SSL to protect his most precious secret, and sends it only once over SSL. Interestingly, this one-time operation has a risk of one in 64 million to get a weak RC4 key and one in a billion to leak parts of his precious secret. It is true that one in a billion is a tiny fraction, but still, it is not a negligible fraction. The implication is the disturbing fact that every web user is clearly risking his data every single time he sends it over an RC4/SSL connection.
Conclusion and Recommendations

In this paper we demonstrated how the Invariance Weakness can be used to mount new attacks on SSL when using RC4. We improved the size of the prefix for which plaintext information leaks to 100 bytes. We showed how the "reset insensitivity" of the Invariance Weakness sets the stage for new attack scenarios, including the first passive attack on SSL. The security of RC4 has been questionable for many years, in particular its initialization mechanisms. However, only in recent years has this understanding begun translating into a call to retire RC4. In this research we follow [8] and show that the impact of the many known vulnerabilities on systems using RC4 is clearly underestimated. While waiting for a broad-brush retirement of RC4, specific parties should consider the following actions to protect themselves from its weaknesses:

- Web application administrators should strongly consider disabling RC4 in their applications' TLS configurations.
- Web users (particularly power users) are encouraged to disable RC4 in their browser's TLS configuration.
- Browser vendors would do well to consider removing RC4 from their TLS cipher lists.
- Organizations leveraging Imperva SecureSphere to protect their business-critical web applications and data, and wherein SecureSphere is set to handle TLS connections on behalf of the applications, can configure SecureSphere to stop using the weak ciphers and work only with robust ciphers.
References

1. T. Dierks and C. Allen. The TLS Protocol Version 1.0. RFC 2246, Internet Engineering Task Force, Jan. 1999. URL http://www.rfc-editor.org/rfc/rfc2246.txt.
2. T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346, Internet Engineering Task Force, Apr. 2006. URL http://www.rfc-editor.org/rfc/rfc4346.txt.
3. T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246, Internet Engineering Task Force, Aug. 2008. URL http://www.rfc-editor.org/rfc/rfc5246.txt.
4. T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.3. URL http://tools.ietf.org/html/draft-ietf-tls-tls13-04.
5. B. Canvel, A. Hiltgen, S. Vaudenay, and M. Vuagnoux. Password interception in a SSL/TLS channel. Advances in Cryptology - CRYPTO 2003, pages 583–599, 2003.
6. T. Duong and J. Rizzo. Here come the Ninjas. 2011. URL http://www.hit.bme.hu/~buttyan/courses/EIT-SEC/abib/04-TLS/BEAST.pdf.
7. N. AlFardan and K. G. Paterson. Lucky 13: Breaking the TLS and DTLS record protocols. In IEEE Symposium on Security and Privacy, 2013. URL http://www.isg.rhul.ac.uk/tls/Lucky13.html.
8. Nadhem J. AlFardan, Daniel J. Bernstein, Kenneth G. Paterson, Bertram Poettering, Jacob C. N. Schuldt. On the Security of RC4 in TLS and WPA. USENIX Security Symposium, 2013.
9. S. R. Fluhrer and D. McGrew. Statistical analysis of the alleged RC4 keystream generator. In B. Schneier, editor, FSE, volume 1978 of Lecture Notes in Computer Science, pages 19–30. Springer, 2000.
10. I. Mantin. Predicting and distinguishing attacks on RC4 keystream generator. In R. Cramer, editor, EUROCRYPT, volume 3494 of Lecture Notes in Computer Science, pages 491–506. Springer, 2005.
11. I. Mantin and A. Shamir. A practical attack on broadcast RC4. In M. Matsui, editor, FSE, volume 2355 of Lecture Notes in Computer Science, pages 152–164. Springer, 2001.
12. S. R. Fluhrer, I. Mantin, and A. Shamir. Weaknesses in the key scheduling algorithm of RC4. In S. Vaudenay and A. M. Youssef, editors, Selected Areas in Cryptography, volume 2259 of Lecture Notes in Computer Science, pages 1–24. Springer, 2001.
13. I. Mantin. Analysis of the stream cipher RC4. Master Thesis, the Weizmann Institute of Science.
14. I. Mantin. A Practical Attack on the Fixed RC4 in the WEP Mode. In Advances in Cryptology - ASIACRYPT 2005.
15. This POODLE Bites: Exploiting the SSL 3.0 Fallback. Google Security Advisory. URL https://www.openssl.org/~bodo/ssl-poodle.pdf.
16. Tal Be'ery, Amichai Shulman. A Perfect CRIME? Only TIME Will Tell. URL https://media.blackhat.com/eu-13/briefings/Beery/bh-eu-13-a-perfect-crime-beery-wp.pdf.
17. S. Sen Gupta, S. Maitra, G. Paul, and S. Sarkar. (Non-)random sequences from (non-)random permutations – analysis of RC4 stream cipher. Journal of Cryptology, pages 1–42, 2012.
18. 10,000 Top Passwords. URL https://xato.net/passwords/more-top-worst-passwords/#.VPiyH_ysVew.