Skip to content
Biz & IT

“Lucky Thirteen” attack snarfs cookies protected by SSL encryption

Exploit is the latest to subvert crypto used to secure Web transactions.

Dan Goodin | 18
A representation of how TLS works. Credit: Nadhem J. AlFardan and Kenneth G. Paterson
A representation of how TLS works. Credit: Nadhem J. AlFardan and Kenneth G. Paterson
Story text

Software developers are racing to patch a recently discovered vulnerability that allows attackers to recover the plaintext of authentication cookies and other encrypted data as they travel over the Internet and other unsecured networks.

The discovery is significant because in many cases it makes it possible for attackers to completely subvert the protection provided by the secure sockets layer and transport layer protocols. Together, SSL, TLS, and a close TLS relative known as Datagram Transport Layer Security are the sole cryptographic means for websites to prove their authenticity and to encrypt data as it travels between end users and Web servers. The so-called "Lucky Thirteen" attacks devised by computer scientists to exploit the weaknesses work against virtually all open-source TLS implementations, and possibly implementations supported by Apple and Cisco Systems as well. (Microsoft told the researchers it has determined its software isn't susceptible.)

The attacks are extremely complex, so for the time being, average end users are probably more susceptible to attacks that use phishing e-mails or rely on fraudulently issued digital certificates to defeat the Web encryption protection. Nonetheless, the success of the cryptographers' exploits—including the full plaintext recovery of data protected by the widely used OpenSSL implementation—has clearly gotten the attention of the developers who maintain those programs. Already, the Opera browser and PolarSSL have been patched to plug the hole, and developers for OpenSSL, NSS, and CyaSSL are expected to issue updates soon.

"The attacks can only be carried out by a determined attacker who is located close to the machine being attacked and who can generate sufficient sessions for the attacks," Nadhem J. AlFardan and Kenneth G. Paterson researchers wrote in a Web post that accompanied their research. "In this sense, the attacks do not pose a significant danger to ordinary users of TLS in their current form. However, it is a truism that attacks only get better with time, and we cannot anticipate what improvements to our attacks, or entirely new attacks, may yet be discovered."

A PDF of their paper is here.

How it works

Lucky Thirteen uses a technique known as a padding oracle that works against the main cryptographic engine in TLS that performs encryption and ensures the integrity of data. It processes data into 16-byte chunks using a routine known as MEE, which runs data through a MAC (Message Authentication Code) algorithm, then encodes and encrypts it. The routine adds "padding" data to the ciphertext so the resulting data can be neatly aligned in 8- or 16-byte boundaries. The padding is later removed when TLS decrypts the ciphertext.

The attacks start by capturing the ciphertext as it travels over the Internet. Using a long-discovered weakness in TLS's CBC, or cipher block chaining, mode, attackers replace the last several blocks with chosen blocks and observe the amount of time it takes for the server to respond. TLS messages that contain the correct padding will take less time to process. A mechanism in TLS causes the transaction to fail each time the application encounters a TLS message that contains tampered data, requiring attackers to repeatedly send malformed messages in a new session following each previous failure. By sending large numbers of TLS messages and statistically sampling the server response time for each one, the scientists were able to eventually correctly guess the contents of the ciphertext.

It took the scientists as little 223 sessions to extract the entire contents of a TLS-encrypted authentication cookie. They were able to improve their results when they knew details of a the ciphertext they were trying to decrypt. Cookies formatted in base 64 encoding, for example, could be extracted in 219 TLS sessions. The researchers required 213 sessions when a byte of plaintext in one of the last two positions in a block was already known.

To make the attacks more efficient, they can incorporate methods unveiled two years ago in a separate TLS attack dubbed BEAST. That attack used JavaScript in the browser to open multiple sessions. By combining it with the padding oracle exploit, attackers required 213 sessions to extract each byte without needing to know one of the last two positions in a block.

The Lucky Thirteen attacks are only the latest exploits to subvert TLS, which along with SSL is intended to safeguard bank transactions, login sessions, and other sensitive activities carried out over unsecured networks. One of the most serious recent attacks used a universal wildcard certificate to spoof the credentials of virtually any website on the Internet. The previously mentioned BEAST attack was able to decrypt an eBay authentication cookie, although the technique required the attackers to first subvert something known as the same origin policy. Late last year, the same researchers behind BEAST devised CRIME, an attack that used Web compression to subvert TLS/SSL.

TLS remains vulnerable to such attacks largely because of design decisions engineers made in the mid-1990s when SSL was first devised, Johns Hopkins University professor Matthew Green observed in a blog post published Monday that explains how Lucky Thirteen works. Since then, engineers have applied a series of "band-aids" to the protocols rather than fixing the problems outright.

The attacks apply to all implementations that conform to version 1.1 or 1.2 or version 1.0 or 1.1 of TLS or DTLS respectively. They also apply to implementations that conform to version 3.0 of SSL or version 1.0 of TLS when they have been tweaked to incorporate countermeasures designed to defeat a previous padding oracle attack discovered several years ago.

It's not the first time SSL and TLS have been brought down using a padding Oracle attack. The protocols were later patched to prevent attacks that used subtle differences in timing to ferret out details about the encrypted plaintext. At the time, some cryptographers acknowledged a tiny window that could still permit that type of exploit.

The scientists dubbed their exploit "Lucky Thirteen" because it's made possible by  the TLS MAC calculation including 13 bytes of header information.

"So, in the context of our attacks, 13 is lucky—from the attacker's perspective at least," the researchers wrote in their Web post. "This is what passes for humor amongst cryptographers."

Story updated to add detail about Microsoft in the second paragraph.

Listing image: Barbara K

Photo of Dan Goodin
Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.
18 Comments
Prev story
Next story