Bar Mitzvah Attack: Breaking SSL with a 13-year old RC4 Weakness

Abstract

RC4 is the most popular stream cipher in the world. In fact, as of March 2015, RC4 is estimated to protect as much as 30% of SSL traffic, likely amounting to billions of TLS connections every day. Yet it suffers a critical – and long known – weakness known as the Invariance Weakness. In this paper we will revisit the Invariance Weakness – a 13-year old vulnerability of RC4 that is based on huge classes of RC4 weak keys, which was first published in the FMS paper in 2001. We will show how this vulnerability can be used to mount partial plaintext recovery attacks on SSL-protected data, when RC4 is the cipher of choice, for recovering the LSBs of as many as 100 bytes from the encrypted stream. As opposed to BEAST, POODLE, CRIME and other attacks on SSL that were published in recent years, including the Royal Holloway Attack on the usage of RC4, a new attack based upon the Invariance Weakness does not rely on aggregation of small fragments of plaintext information, but on a "hit", a rare event that causes a significant leakage to occur. We show how this unique characteristic can be used to attack SSL in new scenarios, including the first practical attack on SSL that does not require an active Man-in-the-Middle. Furthermore, the new attack is not limited to recovery of temporal session tokens, but can be used to steal parts of permanent secret data such as account credentials and credit card numbers when delivered over HTTPS. Another variant of the attack recovers a significant part of a secret with small but non-negligible probability, even if that was transmitted only once over the SSL connection. This paper will describe the Invariance Weakness in detail, explain its impacts, and recommend some mitigating actions.
Introduction

TLS: The Protocol

TLS is the most widely used secure communications protocol on the Internet today. Starting life as SSL, the protocol was adopted by the IETF and specified as an RFC standard under the name of TLS 1.0 [1]. It has since evolved through TLS 1.1 [2] to the current version TLS 1.2 [3]. TLS 1.3 is, as of March 2015, in draft [4]. Various other RFCs define additional TLS cryptographic algorithms and extensions.
SSL is currently used for securing a wide variety of application-level traffic: it serves, for example, as the basis of the HTTPS protocol for encrypted web browsing, it is used in conjunction with IMAP or SMTP to cryptographically protect email traffic, and it is a popular tool to secure communication with embedded systems, mobile devices, and in payment systems. SSL strives to fulfill two major goals: 1) allow two parties to authenticate each other, and 2) secure the communication between the two. In many SSL deployments, particularly secure web browsing, the authentication is one-way, meaning that only the client (browser) authenticates the server (web application), but not vice versa.

SSL sessions consist of two phases: in the SSL Handshaking Protocol the client authenticates the server, the server (optionally) authenticates the client, and both establish cryptographic session keys, ready to protect the communication. In the Record Protocol the parties use the established session keys and symmetric key cryptography to encrypt (e.g., using the AES block cipher or the RC4 stream cipher) and authenticate (e.g., using HMAC algorithms) to build a secure channel for application-layer data.
The parties can choose between many different authentication and encryption algorithms for the Record Protocol, essentially divided into the following classes:
- Block Cipher (CBC mode of operation) + HMAC
- Stream Cipher (RC4) + HMAC
- Authenticated Encryption using a block cipher (GCM/CCM mode of operation)

SSL Protocol Weaknesses

In the last couple of years several significant vulnerabilities have been discovered in the SSL protocol, particularly in the most commonly used variants, AES-CBC and RC4. The AES-CBC variant has seen significant cryptanalysis (padding oracle attacks [5], BEAST [6], Lucky 13 [7], TIME [16], and POODLE [15]). And in 2013 AlFardan et al. published an analysis [8] of the RC4 mode, which showed how to mount an attack that recovers data transmitted over a SSL/RC4 connection. The attack was based on some of the many known weaknesses of RC4, in particular the significant statistical biases in its first output bytes, and the weaker statistical biases in the RC4 keystream.
Implementation Weaknesses

In recent years SSL implementations have received significant attention and scrutiny from security researchers, and this has resulted in steady discovery of new vulnerabilities (and patching, with or without disclosure). In 2014 several dozen vulnerabilities were discovered in the OpenSSL library (the most popular implementation of SSL), Heartbleed being the most severe one in that it allows an attacker to dump memory segments from the SSL server, in many cases exposing secret key information. Vulnerabilities in several other implementations were published as well (e.g., CVE-2014-6321 in Microsoft SChannel).
On RC4

The Stream Cipher

The 4-line Stream Cipher Rivest Cipher 4 (RC4) is one of the simplest cryptographic algorithms, implementing a pseudo-random generator that is used to implement a stream cipher. The internal state of RC4 includes a permutation S of [0, 1, ..., 255] and two indices i and j in this permutation. In the key scheduling phase (KSA) an L-byte long RC4 key (for L varying between 5 and 256) is used to construct the initial state permutation S0. In the encryption phase, the RC4 PRGA, which is initialized with the resultant S0, is used to generate a stream of pseudo-random bytes, denoted as the keystream. Like most stream ciphers, these pseudo-random bytes are XOR-ed with the plaintext bytes to generate the ciphertext bytes. The building blocks of RC4 are described below.

KSA(K):
    j = 0
    S = [0, 1, 2, ..., 255]
    for i = 0..255:
        j = (j + S[i] + K[i mod L])
        S[i] <-> S[j]
    (all operations are done mod 256)

PRGA(S0):
    i, j = 0, 0
    S = S0
    while bytes are needed:
        i = i + 1
        j = j + S[i]
        S[i] <-> S[j]
        emit S[S[i] + S[j]]

Known for its simplicity and for its respected author, RC4 gained considerable popularity. And given its impressive performance, being able to encrypt and decrypt almost two times faster than AES, for many years it was considered to be the default stream cipher.
Security of RC4

RC4 is not a secure cipher. Back in the 90s, when RC4 was a trade secret of RSA and its details were known but not formally approved, RC4 was believed to be secure. However, in the following decade RC4 underwent significant scrutiny by cryptography experts, which showed statistical biases in the pseudo-random stream that allow an attacker to distinguish RC4 from random ([9], [10]) and to predict its allegedly pseudo-random bits with high probability ([10]). While this statistical analysis requires many millions of RC4 keystream bytes, two research results in 2001 on the initialization of RC4 switched the focus of RC4 analysis to its poor initialization mechanisms. The first [11] showed that the second byte of RC4 has a huge statistical bias, having twice the expected probability to be zero. The second [12], later known as the FMS research, completely broke RC4 in the way it was used in the WEP protocol. These results initiated a wave of research efforts and analysis results on RC4 initialization, a wave whose end is yet to be seen: correlation between key bytes and state bytes (e.g., [13]), correlation between key bytes and first output bytes (e.g., [12]) and between key bytes and further output bytes ([14]), significant statistical biases in the first 256 output bytes [17], and many other results. Interestingly, the series of successful attacks didn't have a significant impact on the popularity of RC4, and in fact during the wave of CBC attacks on SSL in 2012, some experts recommended switching to RC4.
The Invariance Weakness

The FMS research [12] details two significant RC4 weaknesses. The IV weakness, resulting in a practical key recovery attack and complete break of RC4 in the WEP protocol, received most of the attention, leaving the other weakness - denoted in the paper as the Invariance Weakness - in the shadows for 13 years. The Invariance Weakness is an L-shaped key pattern in RC4 keys, which, once it exists in an RC4 key, preserves part of the state permutation intact throughout the initialization process. This intact part includes the least significant bits of the permutation, which, when processed by the PRGA algorithm, determine the least significant bits of the allegedly pseudo-random output stream along a long prefix of the stream. These patterns, and a detailed explanation of how they are preserved, are described in detail in [12] and [13]. These biased stream bytes are XOR-ed with the plaintext bytes, resulting in significant leakage of plaintext bytes from the ciphertext bytes.

These patterns occur for different numbers of LSBs: a single LSB, 2 LSBs, 3 LSBs, up to 7 LSBs, resulting in different classes of weak RC4 keys. Due to the structure of these classes, each class contains the succeeding classes and thus the first class is the largest, denoted below as the Main Class. The portion of the q-class for L-byte keys (which is the probability of a random key to be in the class) is 2^-(qL+(9-q)). For a 16-byte key the portion of the Main Class (1-class) is 2^-24 (1 in 16 million) and the portion of the 2-class is 2^-39 (very rare). These numbers are shown in the following table.
# LSBs | Applicability | Class Probability (8-byte key) | Class Probability (16-byte key)
1 | Keys with an even number of bytes | 2^-16 | 2^-24
2 | Keys with a number of bytes that is a multiple of 4 | 2^-23 | 2^-39
3 | Keys with a number of bytes that is a multiple of 8 | 2^-30 | 2^-54
4 | Keys with a number of bytes that is a multiple of 16 | 2^-37 | 2^-69

When a key from a q-class is used, the following things happen:
- The initialization phase of RC4 fails to mix the state with key material properly, and preserves the q least significant bits of its internal state.
- As a result, the initial state of RC4 has fixed, non-mixed q LSBs.
- The q least significant bits of the first 30-50 stream bytes comply with a deterministic pattern with significant probability.
- The q least significant bits of the first 30-50 plaintext bytes are exposed with significant probability.

The probability of the q LSBs to comply with the pattern drops with the stream.
This probability is demonstrated in the following diagrams for a single LSB, 2 LSBs and 3 LSBs.

Figure 1: Single LSB (advantage over 0.5)
Figure 2: 2 LSBs (advantage over 0.25)
Figure 3: 3 LSBs (advantage over 0.125)

The reason for the decreasing probability is the state pattern getting "ruined" with the stream generation, and after 50 bytes emitted by the RC4 PRGA the pattern fades out. However, subsequent analysis we ran on RC4 streams when using weak keys showed a difference pattern between stream LSBs, which is less sensitive to this "ruining" effect, and manages to survive for as many as 100 bytes of the keystream. The survival probability of difference patterns is demonstrated in the following diagrams for a single LSB, 2 LSBs and 3 LSBs, with reference to the value patterns (the diff pattern is in red and the value pattern remains in blue).

Figure 4: Single LSB (diff pattern; advantage over 0.5)
Figure 5: 2 LSBs (diff pattern; advantage over 0.25)
Figure 6: 3 LSBs (diff pattern; advantage over 0.125)

Applications of the Invariance Weakness

The Invariance Weakness of RC4 has several cryptanalytic applications, described in detail in [12] and [13], including statistical biases in the RC4 pseudo-random stream that allow an attacker to distinguish RC4 streams from randomness, and enhancement of tradeoff attacks on RC4. Another application of the Invariance Weakness, which we use for our attack, is the leakage of plaintext data into the ciphertext when q-class keys are used. The authors of [8] translated statistical biases in the keystream into plaintext leakage attacks. We follow [8] and use our statistical bias to recover plaintext information. The Invariance Weakness biases are not as strong as the biases used in [8]. However, these biases have unique characteristics: on one hand they occur rarely, but on the other hand they are effective in 100 keystream bytes with extremely high probability, opening the door to plaintext leakage attacks in several circumstances that were believed to be completely secure.
Using the Invariance Weakness to Attack SSL

SSL Usage of RC4

The SSL Record Protocol uses RC4 for encryption in many SSL cipher suites. In the Handshaking protocol, RC4 encryption keys are generated for upstream and downstream communication. In the Record protocol, the upstream key is used for encryption of client-to-server communication, whereas the downstream key is used for encryption of server-to-client communication. It is important to note that the encryptions are stateful, using the first keystream bytes for encrypting the first message, the succeeding keystream bytes for encrypting the next message, etc. Given that the Invariance Weakness is expressed only in the first 100 bytes of the keystream, it can be used only for the first 100 bytes of the protected upstream traffic and the first 100 bytes of the protected downstream traffic. Given that the first encrypted message in each direction is the SSL Handshake Finished message (36 bytes in typical usage of SSL), about 64 bytes of secret plaintext data are left for the attack. This flow is depicted in the following diagram. The first 36 bytes of the upstream keystream are used for encrypting the Finished message. The next bytes are used to encrypt the actual application data.
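The following is an added worked example (my code, not the paper's or Imperva's) that ties the Invariance Weakness section to the keystream offset described here: it implements the KSA/PRGA above, a q-class membership test, the keystream LSB pattern that a 2^q-conserving initial state produces, an empirical measurement of how often weak keys follow that pattern versus random keys, and recovery of plaintext LSBs after the 36-byte Finished message. The membership test is an assumption: it combines the FMS special-key condition K[r] = (1 - r) mod 2^q with K[0] = 1 and MSB(K[1]) = 1, which is my reading of the extra (9 - q) bits in the paper's class size and is not stated on the page.

```python
"""Added example (not from the paper): RC4, an assumed q-class weak-key test,
the keystream LSB pattern such keys induce, and plaintext-LSB recovery at the
SSL application-data offset (after the 36-byte Finished message)."""
import random


def rc4_ksa(key: bytes) -> list:
    """Key scheduling: build the initial permutation S0 from an L-byte key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key: bytes, n: int) -> bytes:
    """PRGA: emit n keystream bytes from the state produced by the KSA."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def is_q_class_key(key: bytes, q: int) -> bool:
    """Assumed q-class test: K[r] = (1 - r) mod 2^q for every key byte is the
    FMS special-key pattern; K[0] == 1 and MSB(K[1]) == 1 are my reading of
    the extra (9 - q) bits in the paper's class size 2^-(qL + (9 - q))."""
    b = 1 << q
    if len(key) % b or key[0] != 1 or key[1] < 0x80:
        return False
    return all(k % b == (1 - r) % b for r, k in enumerate(key))


def random_q_class_key(rng: random.Random, q: int, length: int = 16) -> bytes:
    """Sample a random key from the (assumed) q-class."""
    b = 1 << q
    key = bytearray(rng.randrange(256) for _ in range(length))
    for r in range(length):
        key[r] = (key[r] & (0xFF ^ (b - 1))) | ((1 - r) % b)
    key[0], key[1] = 1, key[1] | 0x80
    return bytes(key)


def predicted_keystream_lsbs(q: int, n: int) -> list:
    """q LSBs of keystream byte t (t = 1..n) if S0 satisfies S[x] = x mod 2^q:
    then j_t = t(t+1)/2 and z_t = S[i_t] + S[j_t] = t(t+3)/2, all mod 2^q."""
    b = 1 << q
    return [(t * (t + 3) // 2) % b for t in range(1, n + 1)]


def lsb_match_rates(q: int, n_bytes: int, n_keys: int, seed: int,
                    weak: bool = True) -> list:
    """Per-position fraction of keys whose keystream LSBs match the prediction;
    weak=False measures the baseline for uniformly random keys (about 2^-q)."""
    rng, b = random.Random(seed), 1 << q
    pred = predicted_keystream_lsbs(q, n_bytes)
    hits = [0] * n_bytes
    for _ in range(n_keys):
        key = (random_q_class_key(rng, q) if weak
               else bytes(rng.randrange(256) for _ in range(16)))
        ks = rc4_keystream(key, n_bytes)
        for t in range(n_bytes):
            hits[t] += ks[t] % b == pred[t]
    return [h / n_keys for h in hits]


def recover_plaintext_lsbs(ciphertext: bytes, q: int, offset: int = 36) -> list:
    """What an observer learns after a hit: ciphertext LSBs XOR predicted
    keystream LSBs; offset is the keystream position of ciphertext[0] and
    defaults to the 36 bytes consumed by the Finished message."""
    b = 1 << q
    pred = predicted_keystream_lsbs(q, offset + len(ciphertext))
    return [(c ^ pred[offset + k]) % b for k, c in enumerate(ciphertext)]
```

Running lsb_match_rates(1, 8, 2000, 1) against lsb_match_rates(1, 8, 2000, 1, weak=False) shows the first keystream byte's LSB following the pattern far more often for 1-class keys than the 50% baseline, with the agreement decaying along the stream as the section describes.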
The Attack Scenario

Our attacks are based on the following scenario: the attacker sniffs a large number of SSL connections encrypted with RC4, waiting for a "hit", that is, the arrival of a weak key. Once a weak key arrives, the attacker predicts the LSBs of the keystream bytes, and uses these to extract the LSBs of the plaintext bytes from the ciphertext with significant advantage. In order to fulfill this scenario, the attacker needs to determine which SSL sessions are the ones in which weak keys were used. For this isolation the attacker can use the fact that the first encrypted bytes include the SSL "Finished" message and the HTTP request, both having predictable information. Thus, when a weak key is used, the plaintext patterns are XOR-ed with keystream patterns, generating ciphertext patterns visible to the attacker.

[7], [8] and other previous attacks on SSL use tiny statistical biases to aggregate tiny pieces of plaintext information. In order to make this aggregation possible, the target object must be encrypted many times, with the same key in [7] and with different keys in a broadcast scenario in [8]. As opposed to these attacks, our attack scenario, when a weak key arrives, gets at once a significant amount of data on the target object, providing immediate partial plaintext recovery. On the other hand, this partial plaintext recovery cannot be extended into full plaintext recovery by continuing the attack and listening to more sessions.
What can you do with LSBs

The above scenario allows the attacker to recover the least significant bits of up to a hundred secret bytes. When the target object is a session cookie, the attacker reduces the effective size of the cookie, allowing acceleration of a brute force attack on the session cookie for the sake of Session Hijacking. For example, learning the LSBs of ASP session cookies, which contain 16 characters of 5-bit entropy each, reduces 16 bits of the cookie entropy and thus can be used for a faster brute force attack on the session cookie value. For PHP session cookies this acceleration can increase to up to a factor of 2^32.

When the target object is an n-character password, an attacker possessing the password LSBs can accelerate a dictionary attack by a factor of 2^n, reducing the security of an 8-char password by a factor of 256. Furthermore, an attacker who runs a brute force attack on a login API can scan a database of known popular passwords, extract the passwords that comply with the LSB pattern and try only these, reducing the number of attempts by a factor of 2^n. We ran an experiment on a database of most commonly used passwords, where we group passwords according to their least significant bits. For a single LSB the most common 1000 passwords were grouped into 252 sets, leaving the brute force attacker an average of only 4 attempts, below the barrier for most brute force protection policies. The estimation for the number of web accounts that are protected with one of the top 1000 most commonly-used passwords varies between 10-15 percent, setting the stage for an attack that uses the Invariance Weakness to extract the LSBs of the password in the hope that the user is one of the careless 10%. We used a password popularity analysis from [18] to estimate the number of brute force attempts an attacker needs to make once he has the LSBs of a password known to be in the top 100, 1000 and 10,000 (we took the numbers from [18] as is).

Password set | Portion of web accounts | Number of LSB groups | Brute force worst case (# Attempts) | Brute force average case (# Attempts)
Top 100 | 4.4% | 68 | 6 | 1.5
Top 1000 | 13.2% | 252 | 24 | 4
Top 10,000 | 30% | 557 | 201 | 18

The entropy of a 16-digit credit card number is usually considered to be 5 digits, since the first 6 digits are non-secret, the last 4 digits are freely exposed on receipts and for validation purposes, and there is a 1-byte checksum (Luhn algorithm). An attacker possessing the LSBs of a credit card number reduces the search domain from 100,000 into only 1500. These 1500 candidate numbers can be tested by making attempts for small amount payments in retail web applications to find the valid one after 750 attempts on average. Thus the reduction in the credit card entropy from 100,000 potential numbers into 1500 potential numbers is significant, and increases the practicality of attacks.
A Man-in-the-Middle Attack

The first attack we describe resembles the RC4 attack from [8], with the attacker using a large number of encryptions of secret data, e.g., a session cookie, in order to recover parts of this cookie. One way to obtain this large number of encryptions is through the BEAST scenario, where JavaScript malware is downloaded from an attacker-controlled website and runs in the victim's browser, repeatedly sending HTTPS requests to the victim web server. Session cookies are automatically included in each of these requests in a predictable location, and can thus be targeted in the attack. The attacker, who needs new SSL connections for new RC4 keystream prefixes, can enforce termination of the SSL session after the target encrypted cookie is sent; the browser will automatically establish a new SSL session when the next HTTPS request is sent.

The attack in [8] recovers the session cookie with probability of 50% after 2^26 sessions. Our attack is expected to have a hit – a 1-class key being used – every 2^24 connections. Since such a hit is translated to a long keystream pattern with probability of 1%-5%, several dozen hits are required to complete a successful partial plaintext recovery. For the sake of simplicity, in the rest of the discussion we use a single number of 1 billion as the number of attempts required to mount the attack, reflecting the number of encryptions the attacker is expected to see until being able to recover the data. As opposed to the BEAST attack, the current attack does not require that the same key is used in all encryptions, but follows [8] in requiring that the key be changed between encryptions. Moreover, as opposed to the attack in [8], which is highly sensitive to situations wherein the session cookie expires or the browser is closed by the user (in which case the attack has to begin from the start), our attack is completely insensitive to these cases. When a weak key is used, the learnt information is on the session cookie from that particular request, regardless of anything that happened before the hit, and anything that will happen after the hit.
A Non-Targeted Passive Attack

The nature of the Invariance Weakness, allowing the attacker to learn significant plaintext data from a single hit (that is, a single message that was encrypted with a weak key), opens the door to new attack scenarios which were not possible in any of the previous attacks. The next attack we'll describe is a passive variant of the aforementioned attack. In it, the attacker eavesdrops on the inbound traffic to a popular retail or financial web application, aiming to steal credit card number info (a similar attack works on passwords). The attacker is required to wait 1 billion connections for a weak key usage event, this event being visible through fixed or structured data in this application, propagating through the keystream patterns into the ciphertext. The attacker then uses the Invariance Weakness to predict keystream LSBs, and uses these to calculate plaintext LSBs from ciphertext LSBs. It is important to note that the compromised credit card number or password is of a random victim, with the attacker not having any control over its identity.

According to Facebook user statistics, the number of daily active users in Facebook is close to 1 billion. The number of times each of these users executes a login, either visiting Facebook several times, or pressing a Like button in another application, can be roughly estimated as 4. Thus a passive eavesdropper sniffing on Facebook inbound lines waiting for hits will see 256 weak keys on the daily 4 billion logins, 4 of which are expected to generate a long stream pattern and expose the password LSBs. Luckily Facebook had recently removed RC4 from its list of SSL supported ciphers.
Group Attacks

In the BEAST-like variant the attacker is required to generate 1 billion connections from the victim's browser. On the other hand, in the passive variant the attacker needs to sniff on 1 billion connections to the same web application. In another variant of the attack, combining the two, the attacker obtains these 1 billion connections actively from a group of victim users. The attacker needs to get a Group Man-in-the-Middle setup, being a man in the middle for a group of users. Since the most natural methods of establishing man-in-the-middle are DNS poisoning and making users connect to a malicious hotspot (either of which will establish the attacker as Man-in-the-Middle for a group of users), this Group Man-in-the-Middle situation is practical. The attacker then runs the BEAST-like attack with each of the potential victims, terminating their connections immediately after the session cookie is sent, until one of them gets a successful hit, a weak key that propagates successfully into a long pattern. This event is expected to occur after a total number of 1 billion SSL connections from all users altogether. This attack scenario is unique, and stems from the unique nature of this attack, with every hit leaking a large quantity of secret information.
One-Time Encryption

From the perspective of a victim, the severity of an attack is proportional to the damage of the attack and to its likelihood. Consider a user who uses SSL to protect his most precious secret, and sends it only once over SSL. Interestingly, this one-time operation has a risk of one in 64 million to get a weak RC4 key and one in a billion to leak parts of his precious secret. It is true that one in a billion is a tiny fraction, but still, it is not a negligible fraction. The implication is the disturbing fact that every web user is clearly risking his data every single time he sends it over an RC4/SSL connection.
Conclusion and Recommendations

In this paper we demonstrated how the Invariance Weakness can be used to mount new attacks on SSL when using RC4. We improved the size of the prefix for which plaintext info leaks to 100 bytes. We showed how the "Reset Insensitivity" of the Invariance Weakness sets the stage for new attack scenarios, including the first passive attack on SSL. The security of RC4 has been questionable for many years, in particular its initialization mechanisms. However, only in recent years has this understanding begun translating into a call to retire RC4. In this research we follow [8] and show that the impact of the many known vulnerabilities on systems using RC4 is clearly underestimated. While waiting for a broad-brush retirement of RC4, specific parties should consider the following actions to protect themselves from its weaknesses:
- Web application administrators should strongly consider disabling RC4 in their applications' TLS configurations.
- Web users (particularly power users) are encouraged to disable RC4 in their browser's TLS configuration.
- Browser vendors would do well to consider removing RC4 from their TLS cipher lists.
- Organizations leveraging Imperva SecureSphere to protect their business-critical web applications and data, and wherein SecureSphere is set to handle TLS connections on behalf of the applications, can configure SecureSphere to stop using the weak ciphers and work only with robust ciphers.
References

1. T. Dierks and C. Allen. The TLS Protocol Version 1.0. RFC 2246, Internet Engineering Task Force, Jan. 1999. URL http://www.rfc-editor.org/rfc/rfc2246.txt.
2. T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346, Internet Engineering Task Force, Apr. 2006. URL http://www.rfc-editor.org/rfc/rfc4346.txt.
3. T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246, Internet Engineering Task Force, Aug. 2008. URL http://www.rfc-editor.org/rfc/rfc5246.txt.
4. T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.3. http://tools.ietf.org/html/draft-ietf-tls-tls13-04
5. B. Canvel, A. Hiltgen, S. Vaudenay, and M. Vuagnoux. Password interception in a SSL/TLS channel. Advances in Cryptology - CRYPTO 2003, pages 583–599, 2003.
6. T. Duong and J. Rizzo. Here come the Ninjas. 2011. http://www.hit.bme.hu/~buttyan/courses/EIT-SEC/abib/04-TLS/BEAST.pdf
7. N. AlFardan and K. G. Paterson. Lucky 13: Breaking the TLS and DTLS record protocols. In IEEE Symposium on Security and Privacy, 2013. URL http://www.isg.rhul.ac.uk/tls/Lucky13.html.
8. Nadhem J. AlFardan, Daniel J. Bernstein, Kenneth G. Paterson, Bertram Poettering, Jacob C. N. Schuldt. On the Security of RC4 in TLS and WPA. USENIX Security Symposium 2013.
9. S. R. Fluhrer and D. McGrew. Statistical analysis of the alleged RC4 keystream generator. In B. Schneier, editor, FSE, volume 1978 of Lecture Notes in Computer Science, pages 19–30. Springer, 2000.
10. I. Mantin. Predicting and distinguishing attacks on RC4 keystream generator. In R. Cramer, editor, EUROCRYPT, volume 3494 of Lecture Notes in Computer Science, pages 491–506. Springer, 2005.
11. I. Mantin and A. Shamir. A practical attack on broadcast RC4. In M. Matsui, editor, FSE, volume 2355 of Lecture Notes in Computer Science, pages 152–164. Springer, 2001.
12. S. R. Fluhrer, I. Mantin, and A. Shamir. Weaknesses in the key scheduling algorithm of RC4. In S. Vaudenay and A. M. Youssef, editors, Selected Areas in Cryptography, volume 2259 of Lecture Notes in Computer Science, pages 1–24. Springer, 2001.
13. I. Mantin. Analysis of the stream cipher RC4. Master Thesis, the Weizmann Institute of Science.
14. I. Mantin. A Practical Attack on the Fixed RC4 in the WEP Mode. In Advances in Cryptology - ASIACRYPT 2005.
15. This POODLE Bites: Exploiting the SSL 3.0 Fallback. Google Security Advisory. https://www.openssl.org/~bodo/ssl-poodle.pdf
16. A Perfect CRIME? Only TIME Will Tell. Tal Be'ery, Amichai Shulman. https://media.blackhat.com/eu-13/briefings/Beery/bh-eu-13-a-perfect-crime-beery-wp.pdf
17. S. Sen Gupta, S. Maitra, G. Paul, and S. Sarkar. (Non-)random sequences from (non-)random permutations – analysis of RC4 stream cipher. Journal of Cryptology, pages 1–42, 2012.
18. 10,000 Top Passwords. https://xato.net/passwords/more-top-worst-passwords/#.VPiyH_ysVew