Bar Mitzvah Attack: Breaking SSL with a 13-year old RC4 Weakness

Abstract

RC4 is the most popular stream cipher in the world. In fact, as of March 2015, RC4 is estimated to protect as much as 30% of SSL traffic, likely amounting to billions of TLS connections every day. Yet it suffers a critical – and long known – weakness known as the Invariance Weakness. In this paper we will revisit the Invariance Weakness – a 13-year old vulnerability of RC4 that is based on huge classes of RC4 weak keys, which was first published in the FMS paper in 2001. We will show how this vulnerability can be used to mount partial plaintext recovery attacks on SSL-protected data, when RC4 is the cipher of choice, for recovering the LSBs of as many as 100 bytes from the encrypted stream. As opposed to BEAST, POODLE, CRIME and other attacks on SSL that were published in recent years, including the Royal Holloway Attack on the usage of RC4, a new attack based upon the Invariance Weakness does not rely on aggregation of small fragments of plaintext information, but on a "hit", a rare event that causes a significant leakage to occur. We show how this unique characteristic can be used to attack SSL in new scenarios, including the first practical attack on SSL that does not require an active Man-in-the-Middle. Furthermore, the new attack is not limited to recovery of temporal session tokens, but can be used to steal parts of permanent secret data such as account credentials and credit card numbers when delivered over HTTPS. Another variant of the attack recovers a significant part of a secret with small but non-negligible probability, even if that was transmitted only once over the SSL connection. This paper will describe the Invariance Weakness in detail, explain its impacts, and recommend some mitigating actions.
Introduction

TLS: The Protocol

TLS is the most widely used secure communications protocol on the Internet today. Starting life as SSL, the protocol was adopted by the IETF and specified as an RFC standard under the name of TLS 1.0 [1]. It has since evolved through TLS 1.1 [2] to the current version TLS 1.2 [3]. TLS 1.3 is, as of March 2015, in draft [4]. Various other RFCs define additional TLS cryptographic algorithms and extensions. SSL is currently used for securing a wide variety of application-level traffic: it serves, for example, as the basis of the HTTPS protocol for encrypted web browsing, it is used in conjunction with IMAP or SMTP to cryptographically protect email traffic, and it is a popular tool to secure communication with embedded systems, mobile devices, and in payment systems.

SSL strives to fulfill two major goals: 1) allow two parties to authenticate each other, and 2) secure the communication between the two. In many SSL deployments, particularly secure web browsing, the authentication is one-way, meaning that only the client (browser) authenticates the server (web application), but not vice versa. SSL sessions consist of two phases: in the SSL Handshaking Protocol the client authenticates the server, the server (optionally) authenticates the client and both establish cryptographic session keys, ready to protect the communication. In the Record Protocol the parties use the established session keys and symmetric key cryptography to encrypt (e.g., using the AES block cipher or the RC4 stream cipher) and authenticate (e.g., using HMAC algorithms) to build a secure channel for application-layer data. The parties can choose between many different authentication and encryption algorithms for the Record Protocol, essentially divided into the following classes:

- Block Cipher (CBC mode of operation) + HMAC
- Stream Cipher (RC4) + HMAC
- Authenticated Encryption using a block cipher (GCM/CCM mode of operation)

SSL Protocol Weaknesses

In the last couple of years several significant vulnerabilities have been discovered in the SSL protocol, particularly in the most commonly used variants, AES-CBC and RC4. The AES-CBC variant has seen significant cryptanalysis (padding oracle attacks [5], BEAST [6], Lucky 13 [7], TIME [16], and POODLE [15]). And in 2013 AlFardan et al. published an analysis [8] of the RC4 mode, which showed how to mount an attack that recovers data transmitted over an SSL/RC4 connection. The attack was based on some of the many known weaknesses of RC4, in particular the significant statistical biases in its first output bytes, and the weaker statistical biases in the RC4 keystream.

Implementation Weaknesses

In recent years SSL implementations have received significant attention and scrutiny from security researchers, and this has resulted in steady discovery of new vulnerabilities (and patching, with or without disclosure). In 2014 several dozen vulnerabilities were discovered in the OpenSSL library (the most popular implementation of SSL), Heartbleed being the most severe one in that it allows an attacker to dump memory segments from the SSL server, in many cases exposing secret key information. Vulnerabilities in several other implementations were published as well (e.g., CVE-2014-6321 in Microsoft SChannel).
On RC4

The Stream Cipher

The 4-line stream cipher Rivest Cipher 4 (RC4) is one of the simplest cryptographic algorithms, implementing a pseudo-random generator that is used to implement a stream cipher. The internal state of RC4 includes a permutation S of [0, 1, ..., 255] and two indices i and j in this permutation. In the key scheduling phase (KSA) an L-byte long RC4 key (for L varying between 5 and 256) is used to construct the initial state permutation S0. In the encryption phase, the RC4 PRGA, which is initialized with the resultant S0, is used to generate a stream of pseudo-random bytes, denoted as the keystream. Like most stream ciphers, these pseudo-random bytes are XOR-ed with the plaintext bytes to generate the ciphertext bytes. The building blocks of RC4 are described below; all operations are done mod 256.

KSA(K):
    j = 0
    S = [0, 1, 2, ..., 255]
    for i = 0..255:
        j = j + S[i] + K[i mod L]
        swap S[i], S[j]

PRGA(S0):
    i, j = 0, 0
    S = S0
    while bytes are needed:
        i = i + 1
        j = j + S[i]
        swap S[i], S[j]
        emit S[S[i] + S[j]]

Known for its simplicity and for its respected author, RC4 gained considerable popularity. And given its impressive performance, being able to encrypt and decrypt almost two times faster than AES, for many years it was considered to be the default stream cipher.
Security of RC4

RC4 is not a secure cipher. Back in the 90s, when RC4 was a trade secret of RSA and its details were known but not formally approved, RC4 was believed to be secure. However, in the following decade, RC4 underwent significant scrutiny by cryptography experts, which showed statistical biases in the pseudo-random stream that allow an attacker to distinguish RC4 from random ([9], [10]) and to predict its allegedly pseudo-random bits with high probability ([10]). While this statistical analysis requires many millions of RC4 keystream bytes, two research results in 2001 on the initialization of RC4 switched the focus of RC4 analysis to its poor initialization mechanisms. The first [11] showed that the second byte of RC4 has a huge statistical bias, having twice the expected probability to be zero. The second [12], later known as the FMS research, completely broke RC4 in the way it was used in the WEP protocol. These results initiated a wave of research efforts and analysis results on RC4 initialization, a wave whose end is yet to be seen: correlation between key bytes and state bytes (e.g., [13]), correlation between key bytes and first output bytes (e.g., [12]) and between key bytes and further output bytes ([14]), significant statistical biases in the first 256 output bytes [17], and many other results. Interestingly, the series of successful attacks didn't have a significant impact on the popularity of RC4, and in fact during the wave of CBC attacks on SSL in 2012, some experts recommended switching to RC4.
The Invariance Weakness

The FMS research [12] details two significant RC4 weaknesses. The IV weakness, resulting in a practical key recovery attack and complete break of RC4 in the WEP protocol, received most of the attention, leaving the other weakness – denoted in the paper as the Invariance Weakness – in the shadows for 13 years. The Invariance Weakness is an L-shaped key pattern in RC4 keys which, once it exists in an RC4 key, preserves part of the state permutation intact throughout the initialization process. This intact part includes the least significant bits of the permutation, which, when processed by the PRGA algorithm, determine the least significant bits of the allegedly pseudo-random output stream along a long prefix of the stream. These patterns, and a detailed explanation of how they are preserved, are described in detail in [12] and [13]. These biased stream bytes are XOR-ed with the plaintext bytes, resulting in significant leakage of plaintext bytes from the ciphertext bytes.

These patterns occur for different numbers of LSBs – a single LSB, 2 LSBs, 3 LSBs, up to 7 LSBs – resulting in different classes of weak RC4 keys. Due to the structure of these classes, each class contains the succeeding classes and thus the first class is the largest, denoted below as the Main Class. The portion of the q-class for L-byte keys (which is the probability of a random key to be in the class) is 2^-(qL+(9-q)). For a 16-byte key the portion of the Main Class (1-class) is 2^-24 (1 in 16 million) and the portion of the 2-class is 2^-39 (very rare). These numbers are shown in the following table.

# LSBs | Applicability | Class probability (8-byte key) | Class probability (16-byte key)
1 | Keys with an even number of bytes | 2^-16 | 2^-24
2 | Keys with a number of bytes that is a multiple of 4 | 2^-23 | 2^-39
3 | Keys with a number of bytes that is a multiple of 8 | 2^-30 | 2^-54
4 | Keys with a number of bytes that is a multiple of 16 | 2^-37 | 2^-69

When a key from a q-class is used, the following things happen:

- The initialization phase of RC4 fails to mix the state with key material properly, and preserves the q least significant bits of its internal state.
- As a result, the initial state of RC4 has fixed, non-mixed q LSBs.
- The q least significant bits of the first 30-50 keystream bytes comply with a deterministic pattern with significant probability.
- The q least significant bits of the first 30-50 plaintext bytes are exposed with significant probability.

The probability of the q LSBs to comply with the pattern drops along the stream. This probability is demonstrated in the following diagrams for a single LSB, 2 LSBs and 3 LSBs.

Figure 1: Single LSB (advantage over 0.5)
Figure 2: 2 LSBs (advantage over 0.25)
Figure 3: 3 LSBs (advantage over 0.125)

The reason for the decreasing probability is the state pattern getting "ruined" with the stream generation, and after 50 bytes emitted by the RC4 PRGA the pattern fades out. However, subsequent analysis we ran on RC4 streams when using weak keys showed a difference pattern between stream LSBs, which is less sensitive to this "ruining" effect, and manages to survive for as many as 100 bytes of the keystream. The survival probability of difference patterns is demonstrated in the following diagrams for a single LSB, 2 LSBs and 3 LSBs, with reference to the value patterns (the diff pattern is in red and the value pattern remains in blue).

Figure 4: Single LSB (diff pattern; advantage over 0.5)
Figure 5: 2 LSBs (diff pattern; advantage over 0.25)
Figure 6: 3 LSBs (diff pattern; advantage over 0.125)

Applications of the Invariance Weakness

The Invariance Weakness of RC4 has several cryptanalytic applications, described in detail in [12] and [13], including statistical biases in the RC4 pseudo-random stream that allow an attacker to distinguish RC4 streams from randomness, and enhancement of tradeoff attacks on RC4. Another application of the Invariance Weakness, which we use for our attack, is the leakage of plaintext data into the ciphertext when q-class keys are used. The authors of [8] translated statistical biases in the keystream into plaintext leakage attacks. We follow [8] and use our statistical bias to recover plaintext information. The Invariance Weakness biases are not as strong as the biases used in [8]. However, these biases have unique characteristics, on one hand occurring rarely, but on the other hand effective in 100 keystream bytes with extremely high probability, opening the door to plaintext leakage attacks in several circumstances that were believed to be completely secure.
Using the Invariance Weakness to Attack SSL

SSL Usage of RC4

The SSL Record Protocol uses RC4 for encryption in many SSL cipher suites. In the Handshaking protocol, RC4 encryption keys are generated for upstream and downstream communication. In the Record protocol, the upstream key is used for encryption of client-to-server communication, whereas the downstream key is used for encryption of server-to-client communication. It is important to note that the encryptions are stateful, using the first keystream bytes for encrypting the first message, the succeeding keystream bytes for encrypting the next message, etc. Given that the Invariance Weakness is expressed only in the first 100 bytes of the keystream, it can be used only for the first 100 bytes of the protected upstream traffic and the first 100 bytes of the protected downstream traffic. Given that the first encrypted message in each direction is the SSL Handshake Finished message (36 bytes in typical usage of SSL), about 64 bytes of secret plaintext data are left for the attack. This flow is depicted in the following diagram: the first 36 bytes of the upstream keystream are used for encrypting the Finished message, and the next bytes are used to encrypt the actual application data.
The Attack Scenario

Our attacks are based on the following scenario: the attacker sniffs a large number of SSL connections encrypted with RC4, waiting for a "hit", that is, the arrival of a weak key. Once a weak key arrives, the attacker predicts the LSBs of the keystream bytes, and uses these to extract the LSBs of the plaintext bytes from the ciphertext with significant advantage. In order to fulfill this scenario, the attacker needs to determine which SSL sessions are the ones in which weak keys were used. For this isolation the attacker can use the fact that the first encrypted bytes include the SSL "Finished" message and the HTTP request, both having predictable information. Thus, when a weak key is used, the plaintext patterns are XOR-ed with keystream patterns, generating ciphertext patterns visible to the attacker.

[7], [8] and other previous attacks on SSL use tiny statistical biases to aggregate tiny pieces of plaintext information. In order to make this aggregation possible, the target object must be encrypted many times, with the same key in [7] and with different keys in a broadcast scenario in [8]. As opposed to these attacks, our attack scenario, when a weak key arrives, gets at once a significant amount of data on the target object, providing immediate partial plaintext recovery. On the other hand, this partial plaintext recovery cannot be extended into full plaintext recovery by continuing the attack and listening to more sessions.
What Can You Do with LSBs

The above scenario allows the attacker to recover the least significant bits of up to a hundred secret bytes. When the target object is a session cookie, the attacker reduces the effective size of the cookie, allowing acceleration of a brute force attack on the session cookie for the sake of Session Hijacking. For example, learning the LSBs of ASP session cookies, which contain 16 characters of 5-bit entropy each, reduces 16 bits of the cookie entropy and thus can be used for a faster brute force attack on the session cookie value. For PHP session cookies this acceleration can increase to up to a factor of 2^32. When the target object is an n-character password, an attacker possessing the password LSBs can accelerate a dictionary attack by a factor of 2^n, reducing the security of an 8-char password by a factor of 256. Furthermore, an attacker who runs a brute force attack on a login API can scan a database of known popular passwords, extract the passwords that comply with the LSB pattern and try only these, reducing the number of attempts by a factor of 2^n.

We ran an experiment on a database of most commonly used passwords, where we grouped passwords according to their least significant bits. For a single LSB the most common 1000 passwords were grouped into 252 sets, leaving the brute force attacker an average of only 4 attempts, below the barrier for most brute force protection policies. The estimation for the number of web accounts that are protected with one of the top 1000 most commonly-used passwords varies between 10-15 percent, setting the stage for an attack that uses the Invariance Weakness to extract the LSBs of the password in the hope that the user is one of the careless 10%. We used a password popularity analysis from [18] to estimate the number of brute force attempts an attacker needs to make once he has the LSBs of a password known to be in the top 100, 1000 and 10,000 (we took the numbers from [18] as is).

Passwords | Portion of web accounts | Number of LSB groups | Brute force worst case (#Attempts) | Brute force average case (#Attempts)
Top 100 | 4.4% | 68 | 6 | 1.5
Top 1000 | 13.2% | 252 | 24 | 4
Top 10,000 | 30% | 557 | 201 | 18

The entropy of a 16-digit credit card number is usually considered to be 5 digits, since the first 6 digits are non-secret, the last 4 digits are freely exposed on receipts and for validation purposes, and there is a 1-byte checksum (Luhn algorithm). An attacker possessing the LSBs of a credit card number reduces the search domain from 100,000 into only 1500. These 1500 candidate numbers can be tested by making attempts for small amount payments in retail web applications to find the valid one after 750 attempts on average. Thus the reduction in the credit card entropy from 100,000 potential numbers into 1500 potential numbers is significant, and increases the practicality of attacks.
A Man-in-the-Middle Attack

The first attack we describe resembles the RC4 attack from [8], with the attacker using a large number of encryptions of secret data, e.g., a session cookie, in order to recover parts of this cookie. One way to obtain this large number of encryptions is through the BEAST scenario, where JavaScript malware is downloaded from an attacker-controlled website and runs in the victim's browser, repeatedly sending HTTPS requests to the victim web server. Session cookies are automatically included in each of these requests in a predictable location, and can thus be targeted in the attack. The attacker, who needs new SSL connections for new RC4 keystream prefixes, can enforce termination of the SSL session after the target encrypted cookie is sent; the browser will automatically establish a new SSL session when the next HTTPS request is sent.

The attack in [8] recovers the session cookie with probability of 50% after 2^26 sessions. Our attack is expected to have a hit – a 1-class key being used – every 2^24 connections. Since such a hit is translated to a long keystream pattern with probability of 1%-5%, several dozen hits are required to complete a successful partial plaintext recovery. For the sake of simplicity, in the rest of the discussion we use a single number of 1 billion as the number of attempts required to mount the attack, reflecting the number of encryptions the attacker is expected to see until being able to recover the data. As opposed to the BEAST attack, the current attack does not require that the same key is used in all encryptions, but follows [8] in requiring that the key be changed between encryptions. Moreover, as opposed to the attack in [8], which is highly sensitive to situations wherein the session cookie expires or the browser is closed by the user (in which case the attack has to begin from the start), our attack is completely insensitive to these cases. When a weak key is used, the learnt information is on the session cookie from that particular request, regardless of anything that happened before the hit, and anything that will happen after the hit.
A Non-Targeted Passive Attack

The nature of the Invariance Weakness, allowing the attacker to learn significant plaintext data from a single hit (that is, a single message that was encrypted with a weak key), opens the door to new attack scenarios which were not possible in any of the previous attacks. The next attack we'll describe is a passive variant of the aforementioned attack. In it, the attacker eavesdrops on the inbound traffic to a popular retail or financial web application, aiming to steal credit card number info (a similar attack works on passwords). The attacker is required to wait 1 billion connections for a weak key usage event, this event being visible through fixed or structured data in this application, propagating through the keystream patterns into the ciphertext. The attacker then uses the Invariance Weakness to predict keystream LSBs, and uses these to calculate plaintext LSBs from ciphertext LSBs. It is important to note that the compromised credit card number or password is of a random victim, with the attacker not having any control over its identity.

According to Facebook user statistics, the number of daily active users in Facebook is close to 1 billion. The number of times each of these users executes a login, either visiting Facebook several times, or pressing a Like button in another application, can be roughly estimated as 4. Thus a passive eavesdropper sniffing on Facebook inbound lines waiting for hits will see 256 weak keys on the daily 4 billion logins, 4 of which are expected to generate a long stream pattern and expose the password LSBs. Luckily Facebook had recently removed RC4 from its list of SSL supported ciphers.
Group Attacks

In the BEAST-like variant the attacker is required to generate 1 billion connections from the victim's browser. On the other hand, in the passive variant the attacker needs to sniff 1 billion connections to the same web application. In another variant of the attack, combining the two, the attacker obtains these 1 billion connections actively from a group of victim users. The attacker needs to get a Group Man-in-the-Middle setup, being a man in the middle for a group of users. Since the most natural methods of establishing man-in-the-middle are DNS poisoning and making users connect to a malicious hotspot (either of which will establish the attacker as Man-in-the-Middle for a group of users), this Group Man-in-the-Middle situation is practical. The attacker then runs the BEAST-like attack with each of the potential victims, terminating their connections immediately after the session cookie is sent, until one of them gets a successful hit, a weak key that propagates successfully into a long pattern. This event is expected to occur after a total number of 1 billion SSL connections from all users altogether. This attack scenario is unique, and stems from the unique nature of this attack, with every hit leaking a large quantity of secret information.
One-Time Encryption

From the perspective of a victim, the severity of an attack is proportional to the damage of the attack and to its likelihood. Consider a user who uses SSL to protect his most precious secret, and sends it only once over SSL. Interestingly, this one-time operation has a risk of one in 64 million to get a weak RC4 key and one in a billion to leak parts of his precious secret. It is true that one in a billion is a tiny fraction, but still, it is not a negligible fraction. The implication is the disturbing fact that every web user is clearly risking his data every single time he sends it over an RC4/SSL connection.
Conclusion and Recommendations

In this paper we demonstrated how the Invariance Weakness can be used to mount new attacks on SSL when using RC4. We improved the size of the prefix for which plaintext info leaks to 100 bytes. We showed how the "Reset Insensitivity" of the Invariance Weakness sets the stage for new attack scenarios, including the first passive attack on SSL. The security of RC4 has been questionable for many years, in particular its initialization mechanisms. However, only in recent years has this understanding begun translating into a call to retire RC4. In this research we follow [8] and show that the impact of the many known vulnerabilities on systems using RC4 is clearly underestimated. While waiting for a broad-brush retirement of RC4, specific parties should consider the following actions to protect themselves from its weaknesses:

- Web application administrators should strongly consider disabling RC4 in their applications' TLS configurations.
- Web users (particularly power users) are encouraged to disable RC4 in their browser's TLS configuration.
- Browser vendors would do well to consider removing RC4 from their TLS cipher lists.
- Organizations leveraging Imperva SecureSphere to protect their business-critical web applications and data, and wherein SecureSphere is set to handle TLS connections on behalf of the applications, can configure SecureSphere to stop using the weak ciphers and work only with robust ciphers.
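As an added example of the first recommendation (my own code, not from the paper or from Imperva), the Python ssl module can build a server context whose cipher list excludes RC4, and the same name check can audit any list of advertised cipher suites. The sample suite list is constructed for this example; the cipher-string keywords (HIGH, !aNULL, !RC4, !MD5, !3DES) are OpenSSL's own.

```python
"""Excluding RC4 from a TLS cipher list and auditing a suite list for RC4.
Added example (not from the paper); SAMPLE_SUITES is a constructed list."""
import ssl

# Constructed sample: suites as a server might advertise them, in OpenSSL naming.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "RC4-SHA",
    "ECDHE-RSA-RC4-SHA",
    "AES128-SHA",
]

# OpenSSL cipher string: strong suites only, explicitly minus RC4 and other legacy choices.
RC4_FREE_CIPHER_STRING = "HIGH:!aNULL:!RC4:!MD5:!3DES"


def find_rc4_suites(suites):
    """Return the suite names that use RC4 (OpenSSL names carry 'RC4' in the cipher part)."""
    return [s for s in suites if "RC4" in s.upper()]


def rc4_free_server_context() -> ssl.SSLContext:
    """Server-side context restricted to the RC4-free cipher string above."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.set_ciphers(RC4_FREE_CIPHER_STRING)
    return ctx


def context_offers_rc4(ctx: ssl.SSLContext) -> bool:
    """Audit a context by listing the suites it would actually negotiate."""
    return bool(find_rc4_suites(c["name"] for c in ctx.get_ciphers()))


if __name__ == "__main__":
    print("RC4 suites in sample list:", find_rc4_suites(SAMPLE_SUITES))
    ctx = rc4_free_server_context()
    print("cipher string:", RC4_FREE_CIPHER_STRING)
    print("context offers RC4:", context_offers_rc4(ctx))
```

The audit step matters more than the cipher string itself: get_ciphers() reports what the linked OpenSSL will really negotiate after the string is applied, so a configuration can be checked rather than trusted.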
References

1. T. Dierks and C. Allen. The TLS Protocol Version 1.0. RFC 2246, Internet Engineering Task Force, Jan. 1999. URL http://www.rfc-editor.org/rfc/rfc2246.txt.
2. T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346, Internet Engineering Task Force, Apr. 2006. URL http://www.rfc-editor.org/rfc/rfc4346.txt.
3. T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246, Internet Engineering Task Force, Aug. 2008. URL http://www.rfc-editor.org/rfc/rfc5246.txt.
4. T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.3. http://tools.ietf.org/html/draft-ietf-tls-tls13-04
5. B. Canvel, A. Hiltgen, S. Vaudenay, and M. Vuagnoux. Password interception in a SSL/TLS channel. Advances in Cryptology - CRYPTO 2003, pages 583–599, 2003.
6. T. Duong and J. Rizzo. Here come the Ninjas. 2011. http://www.hit.bme.hu/~buttyan/courses/EIT-SEC/abib/04-TLS/BEAST.pdf
7. N. AlFardan and K. G. Paterson. Lucky 13: Breaking the TLS and DTLS record protocols. In IEEE Symposium on Security and Privacy, 2013. URL http://www.isg.rhul.ac.uk/tls/Lucky13.html.
8. Nadhem J. AlFardan, Daniel J. Bernstein, Kenneth G. Paterson, Bertram Poettering, Jacob C. N. Schuldt. On the Security of RC4 in TLS and WPA. USENIX Security Symposium 2013.
9. S. R. Fluhrer and D. McGrew. Statistical analysis of the alleged RC4 keystream generator. In B. Schneier, editor, FSE, volume 1978 of Lecture Notes in Computer Science, pages 19–30. Springer, 2000.
10. I. Mantin. Predicting and distinguishing attacks on RC4 keystream generator. In R. Cramer, editor, EUROCRYPT, volume 3494 of Lecture Notes in Computer Science, pages 491–506. Springer, 2005.
11. I. Mantin and A. Shamir. A practical attack on broadcast RC4. In M. Matsui, editor, FSE, volume 2355 of Lecture Notes in Computer Science, pages 152–164. Springer, 2001.
12. S. R. Fluhrer, I. Mantin, and A. Shamir. Weaknesses in the key scheduling algorithm of RC4. In S. Vaudenay and A. M. Youssef, editors, Selected Areas in Cryptography, volume 2259 of Lecture Notes in Computer Science, pages 1–24. Springer, 2001.
13. I. Mantin. Analysis of the stream cipher RC4. Master Thesis, the Weizmann Institute of Science.
14. I. Mantin. A Practical Attack on the Fixed RC4 in the WEP Mode. In Advances in Cryptology - ASIACRYPT 2005.
15. This POODLE Bites: Exploiting the SSL 3.0 Fallback. Google Security Advisory. https://www.open<br/>ssl.org/~bodo/ssl-poodle.pdf
16. A Perfect CRIME? Only TIME Will Tell. Tal Be'ery, Amichai Shulman. https://media.blackhat.com/eu-13/briefings/Beery/bh-eu-13-a-perfect-crime-beery-wp.pdf
17. S. Sen Gupta, S. Maitra, G. Paul, and S. Sarkar. (Non-)random sequences from (non-)random permutations – analysis of RC4 stream cipher. Journal of Cryptology, pages 1–42, 2012.
18. 10,000 Top Passwords. https://xato.net/passwords/more-top-worst-passwords/#.VPiyH_ysVew
