Statistical attacks on cookie masking for RC4

Abstract

Levillain et al. (Asia CCS 2015) proposed two cookie masking methods, TLS Scramble and MCookies, to counter a class of attacks on SSL/TLS in which the attacker is able to exploit its ability to obtain many encryptions of a target HTTP cookie. In particular, the masking methods potentially make it viable to continue to use the RC4 algorithm in SSL/TLS. In this paper, we provide a detailed analysis of TLS Scramble and MCookies when used in conjunction with RC4 in SSL/TLS. We show that, in fact, both are vulnerable to variants of the known attacks against RC4 in SSL/TLS exploiting the Mantin biases (Mantin, EUROCRYPT 2005). For the TLS Scramble mechanism, we provide a detailed statistical analysis coupled with extensive simulations that show that about 2^37 encryptions of the cookie are sufficient to enable its recovery. For the MCookies mechanism, our analysis is made more complex by the presence of a Base64 encoding step in the mechanism, which (unintentionally) acts like a classical block cipher S-box in the masking process. Despite this, we are able to develop a maximum likelihood analysis which provides a rigorous statistical procedure for estimating the unknown cookie. Based on simulations, we estimate that 2^45 encryptions of the cookie are sufficient to enable its recovery. Taken together, our analyses show that the cookie masking mechanisms as proposed by Levillain et al. only moderately increase the security of RC4 in SSL/TLS.

[1] Pratik Guha Sarkar et al. Attacks on SSL: A Comprehensive Study of BEAST, CRIME, TIME, BREACH, Lucky 13 & RC4 Biases, 2013.

[2] Kenneth G. Paterson et al. Plaintext Recovery Attacks Against WPA/TKIP, 2014, FSE.

[3] Hervé Debar et al. TLS Record Protocol: Security Analysis and Defense-in-depth Countermeasures for HTTPS, 2015, AsiaCCS.

[4] Itsik Mantin et al. Predicting and Distinguishing Attacks on RC4 Keystream Generator, 2005, EUROCRYPT.

[5] Kenneth G. Paterson et al. Lucky Thirteen: Breaking the TLS and DTLS Record Protocols, 2013, IEEE Symposium on Security and Privacy.

[6] Bodo Möller et al. This POODLE Bites: Exploiting the SSL 3.0 Fallback, 2014.

[7] Andrei Popov et al. Prohibiting RC4 Cipher Suites, 2015, RFC.

[8] Kenneth G. Paterson et al. Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS, 2015, USENIX Security Symposium.

[9] Carl-Erik W. Sundberg et al. List Viterbi Decoding Algorithms with Applications, 1994, IEEE Trans. Commun.

[10] Goutam Paul et al. Proving TLS-Attack Related Open Biases of RC4, 2015, IACR Cryptol. ePrint Arch.

[11] Kenneth G. Paterson et al. Big Bias Hunting in Amazonia: Large-Scale Computation and Exploitation of RC4 Biases (Invited Paper), 2014, ASIACRYPT.

[12] Adam Barth et al. HTTP State Management Mechanism, 2011, RFC.

[13] Kenneth G. Paterson et al. On the Security of RC4 in TLS, 2013, USENIX Security Symposium.

[14] Simon Josefsson et al. The Base16, Base32, and Base64 Data Encodings, 2003, RFC.

[15] Masakatu Morii et al. How to Recover Any Byte of Plaintext on RC4, 2013, Selected Areas in Cryptography.

[16] Kenneth G. Paterson et al. A Practical Attack Against the Use of RC4 in the HIVE Hidden Volume Encryption System, 2015, AsiaCCS.

[17] Kenneth G. Paterson et al. Analysing and Exploiting the Mantin Biases in RC4, 2017, Designs, Codes and Cryptography.

[18] Goutam Paul et al. (Non-)Random Sequences from (Non-)Random Permutations—Analysis of RC4 Stream Cipher, 2012, Journal of Cryptology.

[19] Masakatu Morii et al. Full Plaintext Recovery Attack on Broadcast RC4, 2013, FSE.

[20] Frank Piessens et al. All Your Biases Belong to Us: Breaking RC4 in WPA-TKIP and TLS, 2015, USENIX Annual Technical Conference.