
SoK: Lessons Learned from SSL/TLS Attacks

  • Conference paper
Information Security Applications (WISA 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8267)


Abstract

Since its introduction in 1994, the Secure Socket Layer (SSL) protocol (later renamed Transport Layer Security (TLS)) has evolved into the de facto standard for securing the transport layer. SSL/TLS can be used to ensure data confidentiality, integrity and authenticity during transport. A main feature of the protocol is flexibility: modes of operation and security aims can easily be configured through different cipher suites. However, during this evolutionary development several flaws were found. This paper presents an overview of theoretical and practical attacks of the last 17 years, in chronological order and in four categories: attacks on the Handshake protocol, on the Record and Application Data protocols, on the PKI infrastructure, and various other attacks.

We try to give a short “Lesson(s) Learned” at the end of each paragraph.


Notes

  1. http://www.netscape.com

  2. http://datatracker.ietf.org/wg/tls/

  3. SSL version 1.0 was never published.

  4. However, this hash value explicitly excludes messages of the Alert and ChangeCipherSpec protocols, leaving room for future attacks.

  5. Ephemeral Diffie-Hellman Key Exchange.

  6. Error messages in particular are a valuable source of information.

  7. Montgomery power ladder [15] (with improvements by López and Dahab [16]).

  8. Mostly according to the Cipher Block Chaining (CBC) mode scheme, which chains consecutive blocks so that a subsequent block is influenced by the output of its predecessor.

  9. TLS 1.1 follows the first recommendation by introducing an explicit IV field.

  10. http://www.openssl.org/~bodo/tls-cbc.txt

  11. http://www.weidai.com/ssh2-attack.txt

  12. That, in the past, led to the decline of e.g. WEP [31].

  13. http://www.isg.rhul.ac.uk/tls/

  14. http://www.win.tue.nl/hashclash/rogue-ca/

  15. http://www.thoughtcrime.org/software/sslsniff/

  16. https://www.eff.org/observatory

  17. http://www.entrust.net/advisories/malaysia.htm

  18. http://anonscm.debian.org/viewvc/pkg-openssl/openssl/trunk/rand/md_rand.c?p2=%2Fopenssl%2Ftrunk%2Frand%2Fmd_rand.c&p1=openssl%2Ftrunk%2Frand%2Fmd_rand.c&r1=141&r2=140&view=diff&pathrev=141

  19. http://www.securegoose.org/2009/11/tls-renegotiation-vulnerability-cve.html

  20. http://www.thoughtcrime.org/software/sslstrip/

  21. http://www.thc.org/thc-ssl-dos/

References

  1. Hickman, K.: The SSL Protocol. Internet Draft, April 1995

  2. Freier, A., Karlton, P., Kocher, P.: The secure sockets layer (SSL) protocol version 3.0. RFC 6101, August 2011

  3. Dierks, T., Allen, C.: The TLS protocol version 1.0. RFC 2246 (Proposed Standard), January 1999

  4. Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.1. RFC 4346 (Proposed Standard), April 2006

  5. Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.2. RFC 5246 (Proposed Standard), August 2008

  6. Rescorla, E.: SSL and TLS: Designing and Building Secure Systems. Addison-Wesley, Reading (2001)

  7. Wagner, D., Schneier, B.: Analysis of the SSL 3.0 protocol. In: The Second USENIX Workshop on Electronic Commerce Proceedings (1996)

  8. Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)

  9. Bleichenbacher, D.: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 1–12. Springer, Heidelberg (1998)

  10. Davida, G.: Chosen signature cryptanalysis of the RSA (MIT) public key cryptosystem. Technical report (1982)

  11. Brumley, D., Boneh, D.: Remote timing attacks are practical. In: Proceedings of the 12th Conference on USENIX Security Symposium, SSYM’03, vol. 12. USENIX Association, Berkeley, June 2003

  12. Aciicmez, O., Schindler, W., Koc, C.: Improving Brumley and Boneh timing attack on unprotected SSL implementations. In: Proceedings of the 12th ACM Conference on Computer and Communications Security. ACM, November 2005

  13. Klíma, V., Pokorný, O., Rosa, T.: Attacking RSA-based sessions in SSL/TLS. In: Walter, C.D., Koç, C., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 426–440. Springer, Heidelberg (2003)

  14. Brumley, B.B., Tuveri, N.: Remote timing attacks are still practical. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 355–371. Springer, Heidelberg (2011)

  15. Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comp. 48, 243–264 (1987)

  16. López, J., Dahab, R.: Fast multiplication on elliptic curves over GF(2^m) without precomputation. In: Koç, C., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 316–327. Springer, Heidelberg (1999)

  17. Howgrave-Graham, N.A., Smart, N.P.: Lattice attacks on digital signature schemes. Des. Codes Crypt. 23, 283–290 (2001)

  18. Bardou, R., Focardi, R., Kawamoto, Y., Simionato, L., Steel, G., Tsay, J.-K.: Efficient padding oracle attacks on cryptographic hardware. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 608–625. Springer, Heidelberg (2012)

  19. Mavrogiannopoulos, N., Vercauteren, F., Velichkov, V., Preneel, B.: A cross-protocol attack on the TLS protocol. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS ’12. ACM, October 2012

  20. Vaudenay, S.: Security flaws induced by CBC padding - applications to SSL, IPSEC, WTLS. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 534–545. Springer, Heidelberg (2002)

  21. Kelsey, J.: Compression and information leakage of plaintext. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 263–276. Springer, Heidelberg (2002)

  22. Canvel, B., Hiltgen, A.P., Vaudenay, S., Vuagnoux, M.: Password interception in a SSL/TLS channel. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 583–599. Springer, Heidelberg (2003)

  23. Bard, G.V.: The vulnerability of SSL to chosen plaintext attack. IACR Cryptology ePrint Archive 2004, May 2004

  24. Bard, G.V.: A challenging but feasible blockwise-adaptive chosen-plaintext attack on SSL. In: SECRYPT 2006, Proceedings of the International Conference on Security and Cryptography. INSTICC Press, August 2006

  25. Danezis, G.: Traffic analysis of the HTTP protocol over TLS (Unpublished manuscript)

  26. Chen, S., Wang, R., Wang, X., Zhang, K.: Side-channel leaks in web applications: a reality today, a challenge tomorrow. In: Proceedings of the 2010 IEEE Symposium on Security and Privacy, SP ’10. IEEE Computer Society, May 2010

  27. Rizzo, J., Duong, T.: Here come the XOR ninjas, May 2011

  28. Paterson, K.G., Schuldt, J.C.N., Stam, M., Thomson, S.: On the joint security of encryption and signature, revisited. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 161–178. Springer, Heidelberg (2011)

  29. AlFardan, N., Paterson, K.: Plaintext-recovery attacks against datagram TLS. In: Network and Distributed System Security Symposium (NDSS 2012), February 2012

  30. AlFardan, N., Paterson, K.: Lucky thirteen: breaking the TLS and DTLS record protocols. In: Proceedings of the 2013 IEEE Symposium on Security and Privacy, SP ’13. IEEE Computer Society, February 2013

  31. Fluhrer, S.R., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 1–24. Springer, Heidelberg (2001)

  32. Ohigashi, T., Isobe, T., Watanabe, Y., Morii, M.: Full plaintext recovery attack on broadcast RC4. In: Proceedings of the 20th International Workshop on Fast Software Encryption (FSE 2013), March 2013

  33. Lenstra, A., Wang, X., de Weger, B.: Colliding X.509 certificates. Cryptology ePrint Archive, Report 2005/067, March 2005

  34. Rosenfeld, M.: Internet Explorer SSL vulnerability, May 2008

  35. Rosenfeld, M.: Null prefix attacks against SSL/TLS certificates, February 2009

  36. Rosenfeld, M.: Defeating OCSP with the character ‘3’, July 2009

  37. Moore, R., Ward, S.: Multiple browser wildcard certificate validation weakness, July 2010

  38. Rescorla, E.: HTTP over TLS. RFC 2818, May 2000

  39. Comodo CA Ltd.: Comodo report of incident - Comodo detected and thwarted an intrusion on 26-MAR-2011. Technical report, March 2011

  40. Asghari, H.: Fox-IT: Black Tulip - Report of the investigation into the DigiNotar Certificate Authority breach. Technical report, August 2012

  41. Palmer, C.: Unqualified names in the SSL Observatory, April 2011

  42. Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, D., Shmatikov, V.: The most dangerous code in the world: validating SSL certificates in non-browser software. In: ACM Conference on Computer and Communications Security (2012)

  43. Langley, A.: Enhancing digital certificate security, January 2013

  44. Goldberg, W.: Randomness and the Netscape browser. Dr. Dobb’s Journal, January 1996

  45. Weimer, F.: DSA-1571-1 openssl - predictable random number generator, May 2008

  46. Zhao, Y., Vemuri, S., Chen, J., Chen, Y., Zhou, H., Fu, Z.: Exception triggered DoS attacks on wireless networks. In: Proceedings of the 2009 IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2009, June 2009

  47. Ray, M., Dispensa, S.: Renegotiating TLS. PhoneFactor, Inc. Technical report, November 2009


Author information


Correspondence to Christopher Meyer.


Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Meyer, C., Schwenk, J. (2014). SoK: Lessons Learned from SSL/TLS Attacks. In: Kim, Y., Lee, H., Perrig, A. (eds) Information Security Applications. WISA 2013. Lecture Notes in Computer Science, vol 8267. Springer, Cham. https://doi.org/10.1007/978-3-319-05149-9_12


  • DOI: https://doi.org/10.1007/978-3-319-05149-9_12


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-05148-2

  • Online ISBN: 978-3-319-05149-9

  • eBook Packages: Computer Science (R0)
