LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Security page

Recent Features

Kernel prepatch 3.9-rc6

LWN.net Weekly Edition for April 4, 2013

LWN.net Weekly Edition for March 28, 2013

A kernel change breaks GlusterFS

PyCon: Evangelizing Python

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

“Lucky Thirteen” attack snarfs cookies protected by SSL encryption (ars technica)

[Posted February 4, 2013 by jake]

Ars technica reports on a weakness found in various open source (and possibly proprietary) SSL/TLS implementations (e.g. OpenSSL, NSS). Exploiting it is fairly difficult, but it allows attackers to decrypt the ciphertext. "The attacks start by capturing the ciphertext as it travels over the Internet. Using a long-discovered weakness in TLS's CBC, or cipher block chaining, mode, attackers replace the last several blocks with chosen blocks and observe the amount of time it takes for the server to respond. TLS messages that contain the correct padding will take less time to process. A mechanism in TLS causes the transaction to fail each time the application encounters a TLS message that contains tampered data, requiring attackers to repeatedly send malformed messages in a new session following each previous failure. By sending large numbers of TLS messages and statistically sampling the server response time for each one, the scientists were able to eventually correctly guess the contents of the ciphertext."
(Log in to post comments)

“Lucky Thirteen” attack snarfs cookies protected by SSL encryption (ars technica)

Posted Feb 5, 2013 13:59 UTC (Tue) by Homer512 (subscriber, #85295) [Link]

Since this is an attack on the CBC (just like BEAST), am I right to assume that stream ciphers like RC4 are not affected? So if I already took measures against BEAST, I'm still good?

OpenSSL

Posted Feb 5, 2013 15:15 UTC (Tue) by meuh (subscriber, #22042) [Link]

OpenSSL released an updated version regarding to this weakness (CVE-2013-0169)
http://www.openssl.org/news/secadv_20130204.txt

OpenSSL

Posted Feb 6, 2013 9:48 UTC (Wed) by meuh (subscriber, #22042) [Link]

There's another Security Advisory at http://www.openssl.org/news/secadv_20130205.txt but is the same as the previous one. Seems OpenSSL people got the date wrong.

OpenSSL

Posted Feb 7, 2013 2:44 UTC (Thu) by Comet (subscriber, #11646) [Link]

Beware that there appear to be some serious issues with OpenSSL 1.0.1d; if you don't need to actively defend against this attack yet, you might save yourself some frustration and wait for 1.0.1e.

Issues known to affect Apache's interoperability with Firefox, for instance. See the openssl-dev mailing-list for more state.

“Lucky Thirteen” attack snarfs cookies protected by SSL encryption (ars technica)

Posted Feb 6, 2013 7:58 UTC (Wed) by ametlwn (subscriber, #10544) [Link]

This was fixed in GnuTLS on Moday: <http://lists.gnupg.org/pipermail/gnutls-devel/2013-Februa...>
GnuTLS security ID: GNUTLS-SA-2013-1
Lucky 13 is CVE-2013-0169, CVE-2013-1619 is the identifier for the issue specific to the GnuTLS implementation. <http://openwall.com/lists/oss-security/2013/02/05/24>.
Nikos Mavrogiannopoulos has made a nice writeup here: <http://nikmav.blogspot.be/2013/02/time-is-money-for-cbc-c...>.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds