Advanced Attacks against Internet Security Protocols

Yuval Shavitt


We have recently presented DROWN, a novel cross-protocol attack that can decrypt passively collected TLS sessions from up-to-date clients by using a server supporting SSLv2 as a Bleichenbacher RSA padding oracle. We have presented two versions of the attack. The more general form exploits a combination of thus-far unnoticed protocol flaws in SSLv2 to develop a new and stronger variant of the Bleichenbacher attack. A typical scenario requires the attacker to observe 1,000 TLS handshakes, then initiate 40,000 SSLv2 connections and perform 2^50 offline work to decrypt a 2048-bit RSA TLS ciphertext. (The victim client never initiates SSLv2 connections.) We have implemented the attack and can decrypt a TLS 1.2 handshake using 2048-bit RSA in under 8 hours using Amazon EC2, at a cost of $440. Using Internet-wide scans, we have found that 33% of all HTTPS servers and 22% of those with browser-trusted certificates are vulnerable to this protocol-level attack, due to widespread key and certificate reuse. For an even cheaper attack, we have applied our new techniques together with a newly discovered vulnerability in OpenSSL that was present in releases from 1998 to early 2015. Given an unpatched SSLv2 server to use as an oracle, we can decrypt a TLS ciphertext in one minute on a single CPU—fast enough to enable man-in-the-middle attacks against modern browsers. 26% of HTTPS servers are vulnerable to this attack. We have further observed that the QUIC protocol is vulnerable to a variant of our attack that allows an attacker to impersonate a server indefinitely after performing as few as 2^25 SSLv2 connections and 2^65 offline work. We have concluded that SSLv2 is not only weak, but actively harmful to the TLS ecosystem.

DROWN was covered by, among others, The Guardian, Forbes, and the BBC. We have responsibly disclosed the attack in advance to the Israeli National Cyber Bureau. We now seek to extend the attack to directly target modern cryptographic protocols, even without the presence of a shared RSA key exposed using an obsolete protocol. Worryingly, TLS and similar modern protocols exhibit properties that were used in DROWN, thereby giving us cause for hope, or rather worry, that they can also be targeted directly using this approach. DROWN is in fact the first project to present and formalize the properties which make a protocol vulnerable to a direct-message side-channel Bleichenbacher attack.


  • Improved anti-Bleichenbacher countermeasure
  • More classic Bleichenbacher attacks
  • New accelerated handshake mechanism in the Fiat-Shamir model
  • New attack against TLS

With those tools in hand, we will try to mount new attacks against modern cryptographic protocols, especially TLS, using the DROWN approach, which is significantly different from classical Bleichenbacher attacks.
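The padding oracle at the heart of DROWN exists because SSLv2 servers react observably to malformed RSA-PKCS#1 v1.5 blocks. The following added example (not code from the project or the authors) contrasts a naive unwrapper, which leaks that distinction, with the baseline RFC 5246 countermeasure that TLS servers must apply: choose a random 48-byte fallback before inspecting the block and return it on any failure, so the handshake continues and fails later at Finished. It works on the already RSA-decrypted block; `pkcs1_wrap`, the 2048-bit block size and the premaster bytes are constructed test data.

```python
import os

PMS_LEN = 48  # TLS premaster secret length (RFC 5246, 7.4.7.1)


def pkcs1_wrap(pms: bytes, k: int) -> bytes:
    """Build a k-byte PKCS#1 v1.5 type-2 block: 00 02 | nonzero pad | 00 | pms.
    Constructed test data only; a real client uses random nonzero pad bytes."""
    pad_len = k - 3 - len(pms)
    assert pad_len >= 8
    pad = bytes((i % 255) + 1 for i in range(pad_len))  # nonzero, deterministic
    return b"\x00\x02" + pad + b"\x00" + pms


def naive_unwrap(em: bytes, client_version: bytes) -> bytes:
    """Unpadding that rejects malformed input. Each distinct failure is an
    observable event (alert, timing, dropped connection): the padding oracle
    that Bleichenbacher-style attacks such as DROWN rely on."""
    if em[:2] != b"\x00\x02":
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 10:
        raise ValueError("padding shorter than 8 bytes")
    pms = em[sep + 1:]
    if len(pms) != PMS_LEN or pms[:2] != client_version:
        raise ValueError("bad premaster length or version")
    return pms


def hardened_unwrap(em: bytes, client_version: bytes, fallback: bytes = None) -> bytes:
    """RFC 5246 countermeasure: never signal a padding failure. The random
    substitute is chosen *before* looking at the block, every check is
    evaluated without an early exit, and a failed block yields the substitute.
    Python cannot give real constant-time guarantees; this shows the
    protocol-level behaviour, not a timing-safe implementation."""
    if fallback is None:
        fallback = os.urandom(PMS_LEN)
    k = len(em)
    sep_pos = max(k - PMS_LEN - 1, 0)
    ok = k >= PMS_LEN + 11                        # 00 02 + >=8 pad + 00 + PMS
    ok &= em[:2] == b"\x00\x02"
    ok &= min(em[2:sep_pos], default=0) != 0      # all pad bytes nonzero
    ok &= em[sep_pos:sep_pos + 1] == b"\x00"      # separator present
    candidate = em[k - PMS_LEN:] if k >= PMS_LEN else b""
    ok &= candidate[:2] == client_version         # version check, same path
    return candidate if ok else fallback
```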

Tel Aviv University, P.O. Box 39040, Tel Aviv 6997801, Israel