A CHALLENGING BUT FEASIBLE BLOCKWISE-ADAPTIVE CHOSEN-PLAINTEXT ATTACK ON SSL

Gregory V. Bard

Abstract

This paper introduces a chosen-plaintext vulnerability in the Secure Sockets Layer (SSL) and Trasport Layer Security (TLS) protocols which enables recovery of low entropy strings such as can be guessed from a likely set of 2–1000 options. SSL and TLS are widely used for securing communication over the Internet. When utilizing block ciphers for encryption, the SSL and TLS standards mandate the use of the cipher block chaining (CBC) mode of encryption which requires an initialization vector (IV) in order to encrypt. Although the first IV used by SSL is a (pseudo)random string which is generated and shared during the initial handshake phase, subsequent IVs used by SSL are chosen in a deterministic, predictable pattern; in particular, the IV of a message is taken to be the final ciphertext block of the immediately-preceding message, and is therefore known to the adversary. The one-channel nature of web proxies, anonymizers or Virtual Private Networks (VPNs), results in all Internet traffic from one machine traveling over the same SSL channel. We show this provides a feasible “point of entry” for this attack. Moreover, we show that the location of target data among block boundaries can have a profound impact on the number of guesses required to recover that data, especially in the low-entropy case. The attack in this paper is an application of the blockwise-adaptive chosen-plaintext attack paradigm, and is the only feasible attack to use this paradigm with a reasonable probability of success. The attack will work for all versions of SSL, and TLS version 1.0. This vulnerability and others are closed in TLS 1.1 (which is still in draft status) and OpenSSL after 0.9.6d. It is hoped this paper will encourage the deprecation of SSL and speed the adoption of OpenSSL or TLS 1.1/1.2 when they are finially released.

References

  1. Bard, G. (2004). The vulnerability of ssl to chosen-plaintext attack. Cryptology ePrint Archive, Report 2004/111. http://eprint.iacr.org/.
  2. Bellare, M., Boldyreva, A., Knudsen, L., and Namprempre, C. (2001). On-line ciphers and the hash-cbc construction. In Lecture Notes in Computer Science. Advances in Cryptology- CRYPTO'01, Springer-Verlag.
  3. Bellare, M., Desai, A., Jokipii, E., and Rogaway, P. (1997). A concrete security treatment of symmetric encryption: Analysis of the des modes of operation. In
  4. Bellare, M., Kohno, T., and Namprempre, C. (2002). Provably fixing the ssh binary packet protocol. In Conference on Computer and Communications Security (CCS'02). ACM.
  5. Bellare, M. and Namprempre, C. (2000). Authenticated encryption: Relations among notions and analysis of the generic composition paradigm. In Lecture Notes in Computer Science. Advances in Cryptology- ASIACRYPT'00, Springer-Verlag.
  6. Boldyreva, A. and Taesombut, N. (2004). On-line encryption schemes: New security notions and constructions. In Cryptographer's Track. RSA Conference.
  7. Dai, W. (2002). An attack against ssh2 protocol. Email to the ietf-ssh@netbsd.org email list.
  8. Dierks, T. and Allen, C. (1999). The tls protocol, version 1.0. Technical Report RFC 2246, Internet Engineering Task Force.
  9. Dierks, T. and Rescorla, E. (2005). The tls protocol, version 1.1. Technical Report RFC 2246-bis-11, Internet Engineering Task Force.
  10. Dierks, T. and Rescorla, E. (2006). The tls protocol, version 1.2. Technical Report RFC 4346-bis-00, Internet Engineering Task Force.
  11. Dworkin, M. (2001). Recommendation for block cipher modes of operation: Methods and techniques. Technical Report NIST Special Publication 800-38A, National Institute of Science and Technology.
  12. Dworkin, M. (2002). Recommendation for block cipher modes of operation: The rmac authentication mode, methods and techniques. Technical Report NIST Special Publication 800-38B, National Institute of Science and Technology.
  13. Fouque, P., Joux, A., and Poupard, G. (2004). Blockwise adversarial model for on-line ciphers and symmetric encryption schemes. In Lecture Notes in Computer Science. Advances in Cryptology- SAC'04, Springer-Verlag.
  14. Fouque, P., Martinet, G., and Poupard, G. (2003). Practical symmetric on-line encryption. In Lecture Notes in Computer Science. Advances in CryptologyFSE'03, Springer-Verlag.
  15. Freier, A., Karlton, P., and Kocher, P. (1996). The ssl protocol, version 3.0. Technical report, Transport Layer Security Working Group Internet Draft.
  16. Gligor, V. and Donescu, P. (2001). Fast encryption and authentication: Xcbc encryption and xecb authentication modes. In 2nd NIST Workshop on AES Modes of Operation. National Institute of Science and Technology.
  17. Goldwasser, S. and Micali, S. (1984). Probabilistic encryption. Journal of Computer and System Sciences.
  18. Gosling, J., Joy, B., Steele, G., and Bracha, G. (2005). The Java(TM) Language Specification. Addison-Wesley Professional, third edition.
  19. Joux, A., Martinet, G., and Valette, F. (2002). Blockwiseadaptive attackers: Revisiting the (in)security of some provably secure encryption models: Cbc, gem, iacbc. In Lecture Notes in Computer Science. Advances in Cryptology- CRYPTO'02, Springer-Verlag.
  20. Kaufman, C., Perlman, R., and Speciner, M. (2002). Network Security: Private Communication in a Public World. Prentice Hall, second edition.
  21. Knudsen, L. (2000). Block chaining modes of operation. In Symmetric Key Block Cipher Modes of Operation Workshop. National Institute of Science and Technology.
  22. Krawczyk, H. (2001). The order of encryption and authentication for protecting communications (or: How secure is ssl?). In Lecture Notes in Computer Science. Advances in Cryptology- CRYPTO'01, SpringerVerlag.
  23. Lipmaa, H., Rogaway, P., and Wagner, D. (2000). Comments to nist concerning aes modes of operation: Ctrmode encryption. In Symmetric Key Block Cipher Modes of Operation Workshop. National Institute of Science and Technology.
  24. Loeffler, S. (1997). Using flows for analysis and measurement of internet traffic. Master's thesis, Institute of Communication Networks and Computer Engineering of the University of Stuttgart. http: //www.mathematik.uni-stuttgart.de/ ~floeff/diplom/report/node62.html.
  25. Modadugu, N. and Rescorla, E. (2004). The design and implementation of datagram tls. In Network Distributed System Security Conference.
  26. Modadugu, N. and Rescorla, E. (2006). Aes counter mode cipher suites for tls and dtls. Technical report, Internet Engineering Task Force.
  27. Rescorla, E. (2002). [ietf-tls] re: Rfc 2246-bis open issues. Email to the ietf-tls@lists.certicom.com email list. http://www.imc.org/ietf-tls/ mail-archive/msg03341.html.
  28. Vaudenay, S. (2001). Security flaw induced by cbc padding applications to ssl, ipsec, wtls, . . . . In Lecture Notes in Computer Science. Advances in Cryptology- EUROCRYPT'02, Springer-Verlag.
Download


Paper Citation


in Harvard Style

V. Bard G. (2006). A CHALLENGING BUT FEASIBLE BLOCKWISE-ADAPTIVE CHOSEN-PLAINTEXT ATTACK ON SSL . In Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006) ISBN 978-972-8865-63-4, pages 99-109. DOI: 10.5220/0002104100990109


in Bibtex Style

@conference{secrypt06,
author={Gregory V. Bard},
title={A CHALLENGING BUT FEASIBLE BLOCKWISE-ADAPTIVE CHOSEN-PLAINTEXT ATTACK ON SSL},
booktitle={Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006)},
year={2006},
pages={99-109},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0002104100990109},
isbn={978-972-8865-63-4},
}


in EndNote Style

TY - CONF
JO - Proceedings of the International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2006)
TI - A CHALLENGING BUT FEASIBLE BLOCKWISE-ADAPTIVE CHOSEN-PLAINTEXT ATTACK ON SSL
SN - 978-972-8865-63-4
AU - V. Bard G.
PY - 2006
SP - 99
EP - 109
DO - 10.5220/0002104100990109