Nadhem AlFardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London, announced a new TLS/DTLS attack called Lucky Thirteen. The attack allows a man-in-the-middle attacker to recover plaintext from a TLS/DTLS connection when CBC-mode (cipher-block chaining) encryption is used.
The attack exploits a problem with the TLS specification and not a bug in specific implementations. This is not a problem with certification authorities or issued SSL/TLS certificates.
Lucky Thirteen uses a known timing attack previously believed to be impractical. There is a subtle timing bug in the way that TLS data decryption works when using the (standard) CBC-mode ciphersuite. Given the right set of circumstances, an attacker can use this to decrypt sensitive information, such as passwords and cookies.
The attacks apply to all implementations that conform to TLS version 1.1 or 1.2, or DTLS version 1.0 or 1.1. They also apply to implementations of SSL 3.0 and TLS 1.0 that have countermeasures designed to defeat a previous padding oracle attack discovered several years ago. All TLS and DTLS ciphersuites that include CBC-mode encryption are potentially vulnerable.
The attack is borderline practical if you’re using the Datagram version of TLS (DTLS). It’s more on the theoretical side if you’re using standard TLS. However, per the cryptographer’s adage: attacks always get better, they never get worse. As such, it makes sense to implement countermeasures as they become available.
In the short term, a website operator can temporarily set the ciphersuite preferences to RC4. This may have already been done to mitigate BEAST.
The long-term solution will be to deploy patches. The security researchers have worked with a number of TLS and DTLS software developers to allow them to prepare patches and advisories. The researchers provide the following status:
- BouncyCastle: Patch will be included in version 1.48 of the Java library, to be released on or about 05/02/2013. The C# version of BouncyCastle will be fixed in CVS at a similar time, and included in release 1.8 at a later date.
- CyaSSL: Attacks will be addressed in version 2.5.0, to be released on 04/02/2013.
- F5: Have informed us that their TLS dataplane traffic is not vulnerable due to cryptographic offload, but that local management ports and virtual editions may be vulnerable. They also informed us that F5’s hotfix for this issue will follow shortly after OpenSSL issues their patch.
- GnuTLS: Attacks are addressed in versions 2.12.23, 3.0.28 and 3.1.7, released 04/02/13.
- Microsoft: Implementations are not impacted (per research paper)
- NSS: Patch is under development.
- OpenSSL: Patch is under development.
- Opera: Attacks are addressed in Opera version 12.13, released 30/01/2013.
- PolarSSL: Attacks are addressed in version 1.2.5, released 03/02/13.