Attack Breaks Confidentiality Code

Wednesday, September 21, 2011 @ 04:09 PM gHale


A new attack on TLS 1.0/SSL 3.0 allows an attacker to decrypt client requests on the fly and hijack confidential sessions with sensitive sites such as online banking, e-commerce and payment sites.

The attack breaks the confidentiality model of the protocol and is the first known exploitation of a long-known flaw in TLS, potentially affecting the security of transactions on millions of sites.

Juliano Rizzo and Thai Duong, who developed the attack, will show it at the Ekoparty Conference in Argentina Friday. Unlike other attacks on TLS and SSL, it has nothing to do with the certificate trust model in the protocol. Instead, the researchers have developed a tool called BEAST that enables them to grab and decrypt HTTPS cookies from active user sessions.

The attack can even decrypt cookies marked HTTPS only from sites that use HTTP Strict Transport Security, which forces browsers to communicate over TLS/SSL when it’s available.

The researchers use a block-wise chosen-plaintext attack against the AES encryption algorithm used in TLS/SSL. To execute their attack, Rizzo and Duong use BEAST (Browser Exploit Against SSL/TLS) against a victim who is on a network on which they have a man-in-the-middle position. Once the victim visits a high-value site that uses TLS 1.0, such as PayPal, logs in and receives a cookie, the attackers inject the client-side BEAST code into the victim’s browser. This can occur through the use of an iframe ad or just loading the BEAST JavaScript into the victim’s browser.

After the BEAST agent loads, the second part of the tool, a network sniffer, looks for active TLS connections and then grabs and decrypts the HTTPS cookie, enabling the attacker to hijack the victim’s session with that site.

Once there is an encrypted connection with the site, the victim can move off to another tab or do other things on the machine and the attack will still work. The attack forces the browser to load pages from the target site, and the tool then decrypts the first part of the request to the Web server, which includes the secure cookie. The researchers have the ability to decrypt those cookies from within SSL sessions, which essentially negates the confidentiality promise of the protocol.

The decryption process is fast enough that it’s likely imperceptible to users, and the researchers said that in a targeted attack they likely could steal the cookie from a specific site within five minutes of loading the tool. Rizzo and Duong said their attack exploits a vulnerability in the TLS 1.0 protocol that has been known for a while, but that experts thought was unexploitable.

“It is worth noting that the vulnerability that BEAST exploits has been presented since the very first version of SSL. Most people in the crypto and security community have concluded that it is non-exploitable, that’s why it has been largely ignored for many years. Our work has two contributions,” Duong said. “We introduce a practical and efficient plaintext-recovery attack for that vulnerability. It’s an enhancement of something crypto people call ‘block-wise chosen-plaintext attack’. We present one application of the attack: BEAST. BEAST focuses on SSL implementations on browsers which is HTTPS. BEAST works for most major browsers and websites.”


