In association with heise online

15 March 2013, 09:53

Another crypto-attack on SSL/TLS encryption


[Screenshot: many popular sites like Google use RC4 encryption for their services]

SSL/TLS is the foundation of secure internet connections, with RC4, designed by Ron Rivest in 1987, often used for encryption. Researchers have now come up with an attack against the algorithm that can decrypt at least the beginning of a secure transmission. The attack is still mostly theoretical, but it clearly demonstrates that there are some issues that need to be solved.

A huge number of servers use RC4, including Google, Facebook, and Microsoft's web servers. The cipher has a number of advantages – it's very fast, which means that it's easier for servers to handle, and it's not vulnerable to some of the recent attacks on SSL/TLS like BEAST and Lucky 13, so it has often been recommended as an alternative. At the same time, however, RC4 is old and has its fair share of problems.

The RC4 algorithm is what is known as a stream cipher: a pseudo-random number generator spits out a stream of practically random bytes, and each byte is XORed with the plaintext to encrypt it, or with the ciphertext to decrypt it. The key determines the generator's initial state, and the same key makes the generator produce the same stream of bytes every time. If the numbers were truly random, this method would in fact be uncrackable: it would be a one-time pad. But, as the name says, pseudo-random numbers are merely almost random, and Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt have found a way to use the small deviations from a uniform distribution to crack the encryption and decrypt at least 220 bytes of a connection.

They need – for now, at least – an almost ludicrous number of connections that encrypt the same text: 2^30, or about one billion. But that figure is not as far-fetched as it seems, since the large number of connections can be generated automatically with, say, JavaScript code that has been injected into a regular web page and calls up the same HTTPS URL over and over. Among other data, all those connections carry the same valid session cookie every time, which the user – or the attacker – can use to, for example, sign into Google Mail without entering a password. Matthew Green explains the problem in more detail in his helpful blog post "Attack of the week: RC4 is kind of broken in TLS".
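An added example (not from the article, the paper or Green's post) showing the statistical effect described above at toy scale: RC4's second keystream byte is 0 roughly twice as often as a uniform byte would be, so across many encryptions of the same plaintext under different keys the most frequent ciphertext byte at that position is simply the plaintext byte. The plaintext and the random 16-byte keys are constructed here; the researchers' attack uses measured bias tables for every one of the first 256 positions rather than this single well-known bias.

```python
import os
from collections import Counter

def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 key scheduling (KSA) followed by the first n bytes of keystream (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def rc4_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: plaintext XOR keystream (decryption is the same operation)."""
    return bytes(p ^ k for p, k in zip(plaintext, rc4_keystream(key, len(plaintext))))

def keystream_bias(position: int, samples: int) -> tuple:
    """Most frequent keystream byte at a 1-based position over random 16-byte keys, and its
    frequency. A uniform byte would appear with rate 1/256 ~ 0.0039; at position 2 the
    value 0 shows up at about 2/256."""
    counts = Counter(rc4_keystream(os.urandom(16), position)[position - 1]
                     for _ in range(samples))
    value, count = counts.most_common(1)[0]
    return value, count / samples

def recover_byte(ciphertexts: list, position: int, likely_keystream: int = 0) -> int:
    """Single-byte-bias recovery: the most common ciphertext byte at the position equals
    plaintext XOR the most likely keystream byte for that position."""
    counts = Counter(c[position - 1] for c in ciphertexts)
    return counts.most_common(1)[0][0] ^ likely_keystream

def demo(samples: int = 30_000) -> int:
    """Simulate many 'connections' encrypting the same plaintext under fresh keys and
    recover the second plaintext byte ('o' of the constructed sample below)."""
    plaintext = b"Cookie: session=abc"   # constructed sample, identical in every connection
    cts = [rc4_encrypt(os.urandom(16), plaintext) for _ in range(samples)]
    return recover_byte(cts, position=2)
```

With 30,000 samples the byte 0 is expected about 234 times at position 2 against roughly 117 for every other value, so the recovery is reliable even at this toy scale; a real TLS connection additionally has 36 bytes of Finished message before the application data, which is why the article counts 220 recoverable bytes rather than 256.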

The attack cannot yet be implemented in practice, but, as everyone knows, attacks only ever get better. These findings should be considered a warning shot, and those using RC4 encryption should start looking for an alternative. One of the researchers' recommendations is CBC block cipher modes whose implementations have been patched against BEAST and Lucky 13; another option is TLS 1.2, which is not yet widely used but offers better encryption methods.

