Security News for Mobile, Apps & IoT

Plaintext “Lucky 13″ Flaw Affects Open-Source TLS/DTLS/SSL

A new attack exposes some long-standing weaknesses in TLS, DTLS, and some versions of SSL 3.0.

In a paper, Nadhem AlFardan of the Information Security Group at Royal Holloway, University of London, and Kenny Paterson, a Professor of Information Security and an EPSRC Leadership Fellow in the Information Security Group, detail how the attack works.

They state that “In their simplest form, our attacks can reliably recover a complete block of TLS-encrypted plaintext using about 2 23 TLS sessions, assuming the attacker is located on the same LAN as the machine being attacked and HMAC-SHA1 is used as TLS’s MAC algorithm. This can be reduced to 2 19 TLS sessions if the plaintext is known to be base64 encoded. This can be further reduced to 2 13 sessions per byte if a byte of plaintext in one of the last two positions in a block is already known.”

As for the name of the attack, “Lucky 13.” “In Western culture,” the researchers write, “13 is considered an unlucky number. However, for our attack, the fact that the TLS MAC calculation includes 13 bytes of header information (5 bytes of TLS header plus 8 bytes of TLS sequence number) is, in part, what makes the attacks possible. So, in the context of our attacks, 13 is lucky – from the attacker’s perspective at least. This is what passes for humour amongst cryptographers.”

Tags: , , , , ,

1 Comment

  1. Audio Tosell says:

    Does anyone vet these papers before reporting the hysteria. For example, he had to disable required RFC functionality of DTLS to exploit it. Making a falacious claim that it is ‘optional’. Folks should vet this type of research before reporting on it. (note too, he refuses to provide source code to prove his claim).

Leave a Comment