Cryptographers Demonstrate New Crack For Common Web Encryption

It's long been known that one of the oldest and most widely used standards for encrypting web sites has some serious weaknesses. But one group of researchers has found a method that downgrades that security scheme from vaguely flawed to demonstrably breakable.

At the Fast Software Encryption conference in Singapore earlier this week, University of Illinois at Chicago Professor Dan Bernstein presented a method for breaking Transport Layer Security (TLS) as well as its predecessor, Secure Sockets Layer (SSL). Specifically, Bernstein showed serious cracks in TLS and SSL when they're combined with another encryption scheme known as RC4, a cipher invented in 1987 that remains one of the most popular and most widely recommended mechanisms for protecting traffic on banking, email, and other private sites.

"A bunch of us have been sitting in the background scratching our heads, knowing that RC4 is weak in all kinds of ways," says Kenny Paterson, a professor at Royal Holloway, University of London who worked with Bernstein along with three other researchers to develop the new techniques. "But no one has been able to put it all together to break TLS in this kind of setting. Our work shows one way to do that."

Paterson explains that RC4, invented by legendary cryptographer Ron Rivest for the security firm RSA, uses a key value to generate a stream of seemingly random numbers that can be combined, one by one, with bits in a message to scramble them in ways that only someone with access to the same key value can unscramble. The problem: that stream of random numbers isn't as random as it looks. By feeding the same message through the encryption scheme again and again, the cryptographers were able to show that enough non-random "biases" occur in the scrambled data to start picking up on pieces of the actual, unscrambled data. After the same message is fed through the scheme a few tens of millions of times, messages start to become readable, and after close to a billion iterations, an entire message can be decoded.
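The following Python is an added illustration, not code from the article or from the researchers, of the weakness Paterson describes: the second byte of RC4's keystream is zero about twice as often as chance would allow, so when one fixed secret is encrypted again and again under fresh keys (as happens when a browser resends a cookie in many TLS sessions), a simple majority vote over the ciphertexts recovers that plaintext byte. The RC4 code is the textbook algorithm; the 16-byte random keys, the session count and the "Cookie" plaintext are constructed sample data.

```python
import os
from collections import Counter

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4: key-scheduling (KSA) followed by n output bytes (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def rc4_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: XOR each plaintext byte with one keystream byte."""
    ks = rc4_keystream(key, len(plaintext))
    return bytes(p ^ z for p, z in zip(plaintext, ks))

def z2_zero_rate(num_keys: int) -> float:
    """Fraction of random keys whose second keystream byte is 0.
    A truly random stream would give 1/256; RC4 gives roughly 2/256."""
    zeros = sum(rc4_keystream(os.urandom(16), 2)[1] == 0 for _ in range(num_keys))
    return zeros / num_keys

def recover_second_byte(ciphertexts) -> int:
    """Since Z2 == 0 far more often than any other value, C2 = P2 ^ Z2 equals P2
    more often than any other value: the most common second ciphertext byte is P2."""
    return Counter(c[1] for c in ciphertexts).most_common(1)[0][0]

def simulate_broadcast(plaintext: bytes, sessions: int) -> int:
    """Model the same secret (e.g. a cookie) encrypted in many sessions, each under
    a fresh random 16-byte key (constructed sample data), then vote to recover P2."""
    cts = [rc4_encrypt(os.urandom(16), plaintext) for _ in range(sessions)]
    return recover_second_byte(cts)

if __name__ == "__main__":
    print("Pr[Z2 = 0] ~", z2_zero_rate(20000))   # about 0.0078 rather than 0.0039
    print("recovered P2:", chr(simulate_broadcast(b"Cookie: secret", 20000)))
```

Only the second byte is shown because its bias is strong enough to recover from a few thousand samples; the other positions carry the much weaker biases that push the real attack into the tens of millions of ciphertexts the article mentions.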

The gigantic number of identical messages that must be sent to break the scheme might seem reassuring. The attack in its current form takes close to 32 hours to perform. But Paterson points out that an attacker could use a malicious ad, a hijacked portion of a website, or a compromised router to feed the identical message to a user again and again unbeknownst to the victim. If a user spends enough time with their browser open to a malicious page, the attacker could break the encryption on either that site or another site they're connecting to. That would allow him or her to, for instance, steal the user's cookie that allows full access to an account on a banking or email site. Paterson calls the attack "challenging but still feasible."

The real danger for website owners and users is that other hackers may improve the technique, possibly without issuing any helpful public warnings at cryptography conferences. "This is the kind of attack that's tweaked and optimized, and people find better and better ways to do it," says Matthew Green, a cryptography professor at Johns Hopkins. "The numbers you’re seeing now are high, but they’ll get better. It’s possible it's been optimized to work better already."

The new TLS/RC4 hack is just the latest in a series that have rattled the foundations of web cryptography. Another cracking tool known as BEAST was released by researchers in 2011, followed by an attack last month called Lucky 13, both of which could subvert TLS encryption combined with schemes more recent than RC4 such as the AES or Triple DES ciphers.

But the result of those earlier attacks has been that sites have fled back to the older RC4 scheme as a more secure alternative, despite hints that it was also vulnerable. Close to 60% of encrypted websites now use RC4, according to Paterson. "For silly but valid reasons, people have been moving back to this scheme who should have known better," says Green. "It’s like a trap: you get people moving in one direction, scare them back in the other direction and then pull the rug out from under them. That's what’s happened here."

That means the best solution, for now, may be for site owners to stick with the newer encryption schemes and hope that browser makers fix the weaknesses exploited by the BEAST and Lucky 13 attacks. Google, Mozilla, and Microsoft all say they've dealt with the BEAST issue, and browser makers have been scrambling to patch against Lucky 13 too.

Regardless, Paterson says his team's research shows that the older refuge of RC4 is no longer safe. "The basic message is that we always suspected RC4 was bad in combination with TLS, but now we’ve demonstrated it," he says. "We’ve served notice that you have to stop using this."