Security researchers Nadhem AlFardan and Kenny Paterson have identified a timing-based plaintext-recovery attack, mounted by a man-in-the-middle, against the Transport Layer Security (TLS) and Datagram TLS (DTLS) protocols used by many websites to secure sensitive information.
The attack has been dubbed “Lucky 13” because the TLS MAC calculation includes 13 bytes of header information (an 8-byte sequence number and the 5-byte record header). This is one of the reasons the attack is possible: together with the record length, those 13 bytes decide how many hash blocks the MAC check has to process, and that difference shows up in how long the receiver takes to reject a tampered record.
The Lucky 13 attack could allow cybercriminals to recover plaintext data from a TLS or DTLS connection that uses a CBC-mode cipher suite.
The experts have demonstrated their attack against the OpenSSL and GnuTLS implementations, but they stress that the weakness lies in the TLS specification itself, specifically in the MAC-then-encrypt construction it mandates for CBC cipher suites, and not in any particular implementation.
In the case of OpenSSL, a full plaintext recovery attack is possible, while for GnuTLS, only a partial plaintext recovery attack could be performed.
“For TLS, our attacks are multi-session attacks, which means that we require the target plaintext to be repeatedly sent in the same position in the plaintext stream in multiple TLS sessions,” the researchers explained.
They added, “For DTLS, the attacks can be carried out in a single session, and known amplification techniques can be used to boost the timing signals relative to the noise.”
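To make the header-length point concrete, here is a small added model (example code, not the researchers' code or any TLS library's). It counts the SHA-1 compression-function calls an HMAC-SHA1 MAC check performs for the three padding outcomes of a forged 64-byte CBC record, then uses that fast/slow distinction as a noiseless oracle to recover a 16-byte block. The 13-byte header, 20-byte tag, 64-byte record, AES block size and the "assume zero-length padding on failure" countermeasure are the assumptions it is built on; a real attacker sees noisy timings rather than an exact count, which is why the researchers need repeated sessions for TLS.

```python
"""Model of the Lucky 13 timing distinguisher (added example, not the paper's code).
A CBC-mode TLS record protected with HMAC-SHA1 is simulated; the timing the
attacker observes is replaced by the exact number of SHA-1 compression calls
the receiver spends on the MAC check."""

HEADER_LEN = 13     # 8-byte sequence number + 5-byte record header prepended to MAC input
MAC_LEN = 20        # HMAC-SHA1 tag length
SHA1_BLOCK = 64     # SHA-1 block size; HMAC prepends one key block to inner and outer hash
SHA1_PAD = 9        # minimum Merkle-Damgard padding: 0x80 plus the 8-byte length field
BLOCK = 16          # cipher block size assumed here (AES-CBC)
RECORD_LEN = 64     # size of the forged record the attacker submits (assumed: 4 AES blocks)


def sha1_compressions(msg_len):
    """SHA-1 compression-function calls needed to hash msg_len bytes."""
    return (msg_len + SHA1_PAD + SHA1_BLOCK - 1) // SHA1_BLOCK


def hmac_sha1_compressions(data_len):
    """HMAC-SHA1 over data_len bytes: inner hash of (ipad block || data) plus
    outer hash of (opad block || 20-byte inner digest)."""
    return (sha1_compressions(SHA1_BLOCK + data_len)
            + sha1_compressions(SHA1_BLOCK + MAC_LEN))


def padding_bytes_removed(decrypted):
    """TLS padding check: last byte p must be preceded by p bytes equal to p.
    Returns p+1 when valid. When invalid, returns 0: the TLS 1.1 countermeasure
    assumes a zero-length pad and still runs the MAC over the whole record."""
    p = decrypted[-1]
    if p + 1 > len(decrypted) - MAC_LEN:
        return 0
    if any(b != p for b in decrypted[-(p + 1):]):
        return 0
    return p + 1


def mac_check_work(decrypted):
    """Compression calls the receiver spends verifying the MAC of a decrypted record."""
    plaintext_len = len(decrypted) - padding_bytes_removed(decrypted) - MAC_LEN
    return hmac_sha1_compressions(HEADER_LEN + plaintext_len)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def make_oracle(secret_block):
    """Simulated receiver. The attacker places the target ciphertext block last in
    a 64-byte record; XORing a mask into the preceding ciphertext block XORs the
    same mask into the decrypted target block (CBC), so the receiver decrypts
    filler || (secret_block XOR mask). The 'timing' returned is the exact count."""
    filler = bytes(RECORD_LEN - BLOCK)

    def oracle(mask):
        return mac_check_work(filler + xor(secret_block, mask))

    return oracle


# Valid padding of 2+ bytes leaves at most 55 bytes of MAC input: 4 compressions.
# A 0x00 pad byte or invalid padding leaves 56 or 57 bytes: 5 compressions.
FAST = hmac_sha1_compressions(HEADER_LEN + RECORD_LEN - 2 - MAC_LEN)


def recover_block(oracle):
    """Recover the 16-byte target block using only the fast/slow distinction."""
    known = b""
    # Stage 1: find the last two bytes; a hit means secret XOR mask ends in 0x01 0x01.
    for g in range(1 << 16):
        mask = bytes(BLOCK - 2) + g.to_bytes(2, "big")
        if oracle(mask) != FAST:
            continue
        # Rule out a longer valid pattern such as 0x02 0x02 0x02: a 0x01 0x01 ending
        # stays valid when the third-to-last byte is disturbed, longer ones do not.
        probe = bytearray(mask)
        probe[-3] ^= 0xFF
        if oracle(bytes(probe)) == FAST:
            known = xor(g.to_bytes(2, "big"), b"\x01\x01")
            break
    # Stage 2: one byte at a time. Force the k-1 known bytes to the value k-1, so the
    # padding is valid only when the new byte decrypts to k-1 as well (256 guesses).
    for k in range(3, BLOCK + 1):
        tail = xor(known, bytes([k - 1]) * (k - 1))
        for g in range(256):
            mask = bytes(BLOCK - k) + bytes([g]) + tail
            if oracle(mask) == FAST:
                known = bytes([g ^ (k - 1)]) + known
                break
    return known


if __name__ == "__main__":
    secret = b"Lucky 13 secret!"          # constructed 16-byte target block
    print(recover_block(make_oracle(secret)) == secret)
```

The three `mac_check_work` outcomes (4 calls for a valid `0x01 0x01` ending, 5 for a `0x00` pad byte, 5 for invalid padding) are the whole side channel; everything in `recover_block` is just a search strategy on top of a one-bit oracle, which is why the fix has to remove the timing difference rather than tighten the padding check.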
All TLS and DTLS implementations compliant with TLS 1.1 or 1.2 or with DTLS 1.0 or 1.2 are potentially affected. These include NSS, PolarSSL, yaSSL, BouncyCastle and OpenJDK.
The experts highlight the fact that the attack method they’ve identified is different from BEAST (which exploits chained CBC initialisation vectors in TLS 1.0) or CRIME (which exploits TLS compression).
AlFardan and Paterson have notified all the affected vendors and some of them have already updated their products to address the issue. OpenSSL, NSS and BouncyCastle are still working on the patches.
Here is the research paper in which the attacks and mitigations are described in detail.