Researchers at the University of London are going public with a paper that claims to have found a flaw in the specification for Transport Layer Security (TLS) that could leave supposedly secure Web, IM, VoIP and other online sessions exposed to prying eyes.
The researchers, Nadhem Al Fardan and Kenny Patterson of the Information Security Group at Royal Holloway, University of London said that the security hole stem from a flaw in the TLS specification, rather than a bug in how TLS is implemented. The two researchers have developed proof of concept attacks that take advantage of the flaw, and that could be used to recover a complete block of TLS-encrypted plaintext, the researchers said.
Al Fardan is a Ph.D student in the Information Security Group. Patterson is a professor of Information Security there. The two have discovered other, serious holes in TLS before. Notably: the two discovered a critical vulnerability in OpenSSL’s implementation of the DTLS (Datagram Transport Layer Security) protocol that could expose DTLS-encrypted communications to an attacker who did not know the encryption key. Their proof of concept, the so-called “padding oracle attack” was presented in February of last year.
Like that attack, the new proof of concept attack also relies on being able to detect small differences in the time it takes for plaintext to be decrypted during a TLS or DTLS session.
“The attacks involve detecting small differences in the time at which TLS error messages appear on the network in response to attacker-generated ciphertexts,” the researchers wrote.
To break TLS sessions, the proof of concept exploit requires the target text to be sent for deciphering repeatedly in order to chase out “noise” in the transaction caused by network jitter and other causes. For attacks against DTLS implementations, only a single session is needed.
“In their simplest form, our attacks can reliably recover a complete block of TLS-encrypted plaintext using about 223 TLS sessions, assuming the attacker is located on the same LAN as the machine being attacked and HMAC-SHA1 is used as TLS’s MAC algorithm.”
The researchers say that the new attack methods are different from previously known attacks on the integrity of SSL and TLS such as BEAST and CRIME, two attacks developed by researchers Juliano Rizzo and Thai Duong.
“Our attacks are based on analysing how decryption processing is carried out in TLS,” the two wrote. “However, our attacks can be enhanced by combining them with BEAST-style techniques.”
While the initial proof of concept requires an enormous number of TLS sessions to be generated before encrypted plaintext could be decrypted, more efficient attacks are possible under certain circumstances. For example, if the plaintext is known to be base64 encoded or if even a small portion of the plaintext block is known in advance.
Vulnerabilities in SSL and TLS are especially challenging, because the technologies are the foundation for most secure online transactions and because of the sheer number of web sites that deploy them. SSL-Pulse, a service maintained by the security firm Qualys show that 66.7% of surveyed web sites are still vulnerable to the BEAST attack, while 34.7% are still vulnerable to the CRIME attack, more than a year later. (Full disclosure: Qualys is a Security Ledger sponsor.)