Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS

Despite recent high-profile attacks on the RC4 algorithm in TLS, its usage is still running at about 30% of all TLS traffic. We provide new attacks against RC4 in TLS that are focussed on recovering user passwords, still the pre-eminent means of user authentication on the Internet today. Our new attacks use a generally applicable Bayesian inference approach to transform a priori information about passwords in combination with gathered ciphertexts into a posteriori likelihoods for passwords. We report on extensive simulations of the attacks. We also report on a "proof of concept" implementation of the attacks for a specific application layer protocol, namely BasicAuth. Our work validates the truism that attacks only get better with time: we obtain good success rates in recovering user passwords with 2^26 encryptions, whereas the previous generation of attacks required around 2^34 encryptions to recover an HTTP session cookie.
