A Challenging but Feasible Blockwise-Adaptive Chosen-Plaintext Attack on SSL

This paper introduces a chosen-plaintext vulnerability in the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols which enables recovery of low-entropy strings, such as those that can be guessed from a likely set of 2–1000 options. SSL and TLS are widely used for securing communication over the Internet. When utilizing block ciphers for encryption, the SSL and TLS standards mandate the use of the cipher block chaining (CBC) mode of encryption, which requires an initialization vector (IV) in order to encrypt. Although the first IV used by SSL is a (pseudo)random string which is generated and shared during the initial handshake phase, subsequent IVs used by SSL are chosen in a deterministic, predictable pattern; in particular, the IV of a message is taken to be the final ciphertext block of the immediately-preceding message, and is therefore known to the adversary. The one-channel nature of web proxies, anonymizers or Virtual Private Networks (VPNs) results in all Internet traffic from one machine traveling over the same SSL channel. We show this provides a feasible “point of entry” for this attack. Moreover, we show that the location of target data among block boundaries can have a profound impact on the number of guesses required to recover that data, especially in the low-entropy case. The attack in this paper is an application of the blockwise-adaptive chosen-plaintext attack paradigm, and is the only feasible attack to use this paradigm with a reasonable probability of success. The attack will work for all versions of SSL, and TLS version 1.0. This vulnerability and others are closed in TLS 1.1 (which is still in draft status) and OpenSSL after 0.9.6d. It is hoped this paper will encourage the deprecation of SSL and speed the adoption of OpenSSL or TLS 1.1/1.2 when they are finally released.
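Added illustration (not part of the paper): a toy CBC model with a constructed 4-round Feistel permutation standing in for the real block cipher, showing why the chained IV of SSL 3.0/TLS 1.0 lets a party who sees the ciphertext and can submit chosen records confirm a guess for a one-block low-entropy value by comparing ciphertext blocks, and why the per-record random IV adopted in TLS 1.1 leaves that comparison with nothing to match. All class and function names, the toy cipher and the sample PIN values are assumptions constructed for this example.

```python
import hashlib, hmac, os
BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 4-round Feistel permutation: a constructed stand-in for AES, not secure.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8])
    return l + r

class ChainedIvCbc:
    """CBC whose record IV is the previous record's last ciphertext block
    (SSL 3.0 / TLS 1.0 behaviour). No padding: records here are whole blocks."""
    def __init__(self, key: bytes, iv: bytes):
        self.key, self.iv = key, iv
    def encrypt(self, pt: bytes):
        iv_used, prev, out = self.iv, self.iv, []
        for i in range(0, len(pt), BLOCK):
            prev = toy_block_encrypt(self.key, xor(pt[i:i + BLOCK], prev))
            out.append(prev)
        self.iv = prev                  # chain into the next record
        return iv_used, b"".join(out)   # both are observable on the wire

class ExplicitIvCbc(ChainedIvCbc):
    """TLS 1.1 fix: a fresh random IV per record, sent in the clear."""
    def encrypt(self, pt: bytes):
        self.iv = os.urandom(BLOCK)
        return super().encrypt(pt)

def confirm_guess(cbc, secret: bytes, candidates):
    """Returns the candidate confirmed by comparing ciphertext blocks, or None
    when the IV scheme gives an observer with chosen records nothing to compare."""
    iv_target, ct = cbc.encrypt(secret)
    c_target, last_seen = ct[:BLOCK], ct[-BLOCK:]
    for g in candidates:
        # Under chaining the next IV is last_seen, so the first block is E(g XOR iv_target): equal to c_target iff g == secret.
        _, out = cbc.encrypt(xor(xor(g, iv_target), last_seen))
        if out[:BLOCK] == c_target:
            return g
        last_seen = out[-BLOCK:]
    return None
CANDIDATES = [f"PIN={i:03d};".ljust(BLOCK).encode() for i in range(1000)]
SECRET = b"PIN=573;".ljust(BLOCK)       # constructed low-entropy value
def run_check():
    key, iv0 = os.urandom(BLOCK), os.urandom(BLOCK)
    return (confirm_guess(ChainedIvCbc(key, iv0), SECRET, CANDIDATES),
            confirm_guess(ExplicitIvCbc(key, iv0), SECRET, CANDIDATES))
```

`run_check()` returns the confirmed block for the chained-IV channel and `None` for the explicit-IV channel; the abstract's point about block boundaries is why the secret is placed at the start of a block here.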
