DOI: 10.1145/2382196.2382206
Research article

A cross-protocol attack on the TLS protocol

Published: 16 October 2012

Abstract

This paper describes a cross-protocol attack on all versions of TLS; it can be seen as an extension of the Wagner and Schneier attack on SSL 3.0. The attack presents valid explicit elliptic curve Diffie-Hellman parameters signed by a server to a client that incorrectly interprets these parameters as valid plain Diffie-Hellman parameters. Our attack enables an adversary to successfully impersonate a server to a random client after obtaining 2^40 signed elliptic curve keys from the original server. While attacking a specific client is improbable due to the high number of signed keys required during the lifetime of one TLS handshake, it is not completely unrealistic for a setting where the server has high computational power and the attacker contents itself with recovering one out of many session keys. We remark that popular open-source server implementations are not susceptible to this attack, since they typically do not support the explicit curve option. Finally we propose a fix that renders the protocol immune to this family of cross-protocol attacks.
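The encoding confusion the abstract describes, as an added example that is not the paper's code: a constructed RFC 4492 explicit_prime ServerECDHParams body is read back as the RFC 5246 ServerDHParams a DHE client expects, and the result is run through the sanity checks a client can apply to any server-supplied group. All parameter bytes are placeholders rather than a real curve, and the helper names are hypothetical.

```python
# Added example (not from the paper): RFC 4492 explicit_prime ECDH params re-read as RFC 5246 DH params.

def _read_vec(buf, pos, len_bytes):
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")   # TLS opaque<1..2^(8*len_bytes)-1>
    pos += len_bytes
    if n == 0 or pos + n > len(buf):
        raise ValueError("bad vector length")
    return buf[pos:pos + n], pos + n

def encode_explicit_prime_ecdh(prime_p, a, b, base, order, cofactor, public):
    """ServerECDHParams with curve_type = explicit_prime (1); every field is <1..2^8-1>."""
    body = bytes([1])
    for v in (prime_p, a, b, base, order, cofactor, public):
        body += bytes([len(v)]) + v
    return body

def parse_server_dh_params(buf):
    """ServerDHParams: dh_p, dh_g, dh_Ys, each <1..2^16-1>."""
    p, pos = _read_vec(buf, 0, 2)    # curve_type byte + 1-byte prime length are read as
    g, pos = _read_vec(buf, pos, 2)  # one 16-bit dh_p length of 256 + len(prime_p)
    ys, pos = _read_vec(buf, pos, 2)
    return {"p": int.from_bytes(p, "big"), "g": int.from_bytes(g, "big"),
            "Ys": int.from_bytes(ys, "big"), "consumed": pos}

# Constructed placeholder values (not a real curve), sized so the DH view parses to the end.
SAMPLE_ECDH_MSG = encode_explicit_prime_ecdh(
    prime_p=b"\xff\xff\xfb", a=b"\x00\x00\x01", b=b"\x00\x00\x07",
    base=b"\x04" + b"\x11" * 3 + b"\x22" * 3, order=b"\xff\xff\xc3", cofactor=b"\x01",
    public=b"\x04" + b"\xaa" * 232 + b"\x00\x01\x02" + b"\x00\x0c" + b"\xbb" * 12)

def is_probable_prime(n):
    """Miller-Rabin with fixed small bases (deterministic for n < 3.3e24, probabilistic above)."""
    if n < 41 or n % 2 == 0:
        return n in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        if not any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):  # stop at first -1
            return False
    return True

def client_accepts_dh_params(params, min_bits=2048):
    """Client-side sanity checks on a server-supplied DH group before using it."""
    p, g, ys = params["p"], params["g"], params["Ys"]
    return (p.bit_length() >= min_bits and is_probable_prime(p)
            and 2 <= g <= p - 2 and 2 <= ys <= p - 2)
```

On the sample, the DH view yields a 2072-bit even "prime" with g = 2, so a size check alone passes and only the primality check rejects it; such checks are a client-side backstop, not the protocol-level fix the paper proposes.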

References

[1] R. J. Anderson and R. M. Needham. Robustness principles for public key protocols. In CRYPTO 1995, volume 963 of Lecture Notes in Computer Science, pages 236–247. Springer, 1995.
[2] G. V. Bard. A challenging but feasible blockwise-adaptive chosen-plaintext attack on SSL. In SECRYPT 2006, pages 99–109. INSTICC Press, 2006.
[3] S. Blake-Wilson, N. Bolyard, V. Gupta, C. Hawk, and B. Moeller. Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS). RFC 4492 (Informational), 2006.
[4] D. Bleichenbacher. Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1. In CRYPTO 1998, volume 1462 of Lecture Notes in Computer Science, pages 1–12. Springer, 1998.
[5] J. Bos, T. Kleinjung, A. Lenstra, and P. Montgomery. This is a tasty factor. Email on the NMBRTHRY list, 8 Mar 2010.
[6] Certicom Research. SEC 2: Recommended elliptic curve domain parameters, September 2000.
[7] C. J. F. Cremers. Feasibility of multi-protocol attacks. In ARES 2006, pages 287–294. IEEE Computer Society, 2006.
[8] K. Dickman. On the frequency of numbers containing prime factors of a certain relative magnitude. Arkiv för Matematik, Astronomi och Fysik, 22:1–14, 1930.
[9] T. Dierks and C. Allen. The TLS Protocol Version 1.0. RFC 2246 (Proposed Standard), 1999.
[10] T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.1. RFC 4346 (Proposed Standard), 2006.
[11] T. Dierks and E. Rescorla. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard), 2008.
[12] D. Dolev and A. C.-C. Yao. On the security of public key protocols. IEEE Transactions on Information Theory, 29(2):198–207, 1983.
[13] P. Eronen and H. Tschofenig. Pre-Shared Key Ciphersuites for Transport Layer Security (TLS). RFC 4279 (Proposed Standard), 2005.
[14] A. Freier, P. Karlton, and P. Kocher. The Secure Sockets Layer (SSL) Protocol Version 3.0. RFC 6101 (Historic), 2011.
[15] T. Kleinjung. Discrete logarithms in GF(p) – 160 digits. Email on the NMBRTHRY list, 5 Feb 2007.
[16] V. Klíma, O. Pokorný, and T. Rosa. Attacking RSA-Based Sessions in SSL/TLS. In CHES 2003, volume 2779 of Lecture Notes in Computer Science, pages 426–440. Springer, 2003.
[17] H. Krawczyk, M. Bellare, and R. Canetti. HMAC: Keyed-Hashing for Message Authentication. RFC 2104 (Informational), Feb. 1997.
[18] A. Langley, N. Modadugu, and B. Moeller. Transport Layer Security (TLS) False Start. Internet Draft, 2010.
[19] A. K. Lenstra and H. W. Lenstra, Jr., editors. The development of the number field sieve, volume 1554 of Lecture Notes in Mathematics. Springer-Verlag, Berlin, 1993.
[20] H. W. Lenstra, Jr. Factoring integers with elliptic curves. Annals of Mathematics (2), 126(3):649–673, 1987.
[21] R Development Core Team. R: A Language and Environment for Statistical Computing. R Foundation for Statistical Computing, Vienna, Austria, 2012. ISBN 3-900051-07-0.
[22] J.-F. Raymond and A. Stiglic. Security issues in the Diffie-Hellman key agreement protocol. IEEE Transactions on Information Theory, 22:1–17, 2000.
[23] E. Rescorla, M. Ray, S. Dispensa, and N. Oskov. Transport Layer Security (TLS) Renegotiation Indication Extension. RFC 5746 (Proposed Standard), 2010.
[24] I. Ristic. Internet SSL Survey, 2011. https://www.ssllabs.com/projects/ssl-survey/.
[25] D. Taylor, T. Wu, N. Mavrogiannopoulos, and T. Perrin. Using the Secure Remote Password (SRP) Protocol for TLS Authentication. RFC 5054 (Informational), 2007.
[26] S. Vaudenay. Security Flaws Induced by CBC Padding – Applications to SSL, IPSEC, WTLS... In EUROCRYPT 2002, volume 2332 of Lecture Notes in Computer Science, pages 534–546. Springer, 2002.
[27] D. Wagner and B. Schneier. Analysis of the SSL 3.0 protocol. In Proceedings of the 2nd USENIX Workshop on Electronic Commerce, volume 2 of WOEC, pages 29–40. USENIX Association, 1996.


Published In

CCS '12: Proceedings of the 2012 ACM conference on Computer and communications security
October 2012, 1088 pages
ISBN: 9781450316514
DOI: 10.1145/2382196

Publisher: Association for Computing Machinery, New York, NY, United States

Author Tags

1. cross-protocol attack
2. man-in-the-middle
3. server impersonation attack
4. ssl
5. tls


Conference

CCS'12: the ACM Conference on Computer and Communications Security
October 16 - 18, 2012
Raleigh, North Carolina, USA

Acceptance Rates

Overall Acceptance Rate: 1,261 of 6,999 submissions, 18%


Cited By

• (2024) Navigating Zero-Knowledge Authentication in the IoT Landscape: A Comprehensive Survey. 2024 11th International Conference on Computing for Sustainable Global Development (INDIACom), pp. 791–795. DOI: 10.23919/INDIACom61295.2024.10498485. Online publication date: 28-Feb-2024.
• (2024) Curveball+: Exploring Curveball-Like Vulnerabilities of Implicit Certificate Validation. Computer Security – ESORICS 2023, pp. 212–234. DOI: 10.1007/978-3-031-51476-0_11. Online publication date: 11-Jan-2024.
• (2023) A Survey on Zero-Knowledge Authentication for Internet of Things. Electronics 12(5):1145. DOI: 10.3390/electronics12051145. Online publication date: 27-Feb-2023.
• (2023) Comparse: Provably Secure Formats for Cryptographic Protocols. Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, pp. 564–578. DOI: 10.1145/3576915.3623201. Online publication date: 15-Nov-2023.
• (2023) Key-Schedule Security for the TLS 1.3 Standard. Advances in Cryptology – ASIACRYPT 2022, pp. 621–650. DOI: 10.1007/978-3-031-22963-3_21. Online publication date: 25-Jan-2023.
• (2022) Attacks on SSL and TLS. Guide to Internet Cryptography, pp. 267–328. DOI: 10.1007/978-3-031-19439-9_12. Online publication date: 26-Nov-2022.
• (2021) MQTT Vulnerabilities, Attack Vectors and Solutions in the Internet of Things (IoT). IETE Journal of Research, pp. 1–30. DOI: 10.1080/03772063.2021.1912651. Online publication date: 4-May-2021.
• (2021) On the Tight Security of TLS 1.3: Theoretically Sound Cryptographic Parameters for Real-World Deployments. Journal of Cryptology 34(3). DOI: 10.1007/s00145-021-09388-x. Online publication date: 4-Jun-2021.
• (2021) Selfie: reflections on TLS 1.3 with PSK. Journal of Cryptology 34(3). DOI: 10.1007/s00145-021-09387-y. Online publication date: 25-May-2021.
• (2021) An Interactive Tool for Designing End-To-End Secure Workflows. Information and Communication Technology for Competitive Strategies (ICTCS 2020), pp. 489–498. DOI: 10.1007/978-981-16-0882-7_42. Online publication date: 6-Jul-2021.
