Abstract
Since its introduction in 1994, the Secure Socket Layer (SSL) protocol (later renamed Transport Layer Security (TLS)) has evolved into the de facto standard for securing the transport layer. SSL/TLS can be used to ensure data confidentiality, integrity and authenticity during transport. A main feature of the protocol is flexibility: modes of operation and security aims can easily be configured through different cipher suites. However, during this evolutionary development several flaws were found. This paper presents an overview of theoretical and practical attacks of the last 17 years, in chronological order and in four categories: attacks on the Handshake protocol, on the Record and Application Data protocols, on the PKI infrastructure, and various other attacks.
We try to give a short “Lesson(s) Learned” at the end of each paragraph.
Notes
- 3. SSL version 1.0 was never published.
- 4. However, this hash value explicitly excludes messages of the Alert and ChangeCipherSpec protocols, leaving room for future attacks.
- 5. Ephemeral Diffie-Hellman Key Exchange.
- 6. Error messages in particular are a valuable source of information.
- 8. Mostly according to the Cipher Block Chaining (CBC) mode scheme, which chains consecutive blocks so that each block is influenced by the output of its predecessor.
- 9. TLS 1.1 follows the first recommendation by introducing an explicit IV field.
- 12. That, in the past, led to the decline of e.g. WEP [31].
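The CBC chaining described in note 8 and the explicit per-record IV of TLS 1.1 mentioned in note 9 are worked through below in an example added for this page; it is not code from the paper or from any TLS implementation. The block cipher is a deliberately toy 4-round Feistel network keyed with SHA-256 (an assumption made only so the example runs offline with the standard library; it stands in for AES and is not secure). The record-layer functions model the two IV conventions: the SSL 3.0/TLS 1.0 convention, where a record's IV is the last ciphertext block of the previous record and is therefore already visible on the wire, and the TLS 1.1 convention, where a fresh random IV is sent in front of every record.

```python
"""Added example: CBC chaining and implicit vs. explicit record IVs.
The block cipher is a TOY Feistel network (not secure), used in place of AES
so that the example runs offline with only the Python standard library."""
import hashlib
import os

BLOCK = 16  # 128-bit blocks, as with AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, r: int) -> bytes:
    # Toy round function: truncated SHA-256 over key || round index || half-block
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel permutation: (l, r) -> (r, l ^ F(r))
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    # Inverse: undo the rounds in reverse order
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each plaintext block is XORed with the previous ciphertext block
    (the IV for the first block) before encryption, so every ciphertext block
    depends on all plaintext blocks before it."""
    assert len(plaintext) % BLOCK == 0, "example uses pre-padded input"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        c = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(c)
        prev = c
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def changed_blocks(a: bytes, b: bytes) -> list:
    """Indices of the blocks in which two equal-length byte strings differ."""
    return [i for i in range(len(a) // BLOCK)
            if a[i * BLOCK:(i + 1) * BLOCK] != b[i * BLOCK:(i + 1) * BLOCK]]


def send_records_implicit_iv(key: bytes, iv0: bytes, records: list) -> list:
    """SSL 3.0 / TLS 1.0 convention: the CBC state is carried across records,
    so record n+1 is encrypted under an IV equal to the last ciphertext block
    of record n, which an observer of the wire has already seen."""
    out, chain = [], iv0
    for rec in records:
        ct = cbc_encrypt(key, chain, rec)
        out.append(ct)
        chain = ct[-BLOCK:]
    return out


def send_records_explicit_iv(key: bytes, records: list, rng=os.urandom) -> list:
    """TLS 1.1 convention: a fresh random IV per record, transmitted in the
    clear in front of the ciphertext (the explicit IV field)."""
    out = []
    for rec in records:
        iv = rng(BLOCK)
        out.append(iv + cbc_encrypt(key, iv, rec))
    return out


# Constructed sample data (not from the paper)
KEY = b"constructed-key-"            # 16 bytes
IV = bytes(range(BLOCK))
PT = b"block zero......block one.......block two.......block three....."
RECORDS = [b"GET /index.html ", b"Cookie: secret=1", b"Host: example.te"]

if __name__ == "__main__":
    ct = cbc_encrypt(KEY, IV, PT)
    flipped = PT[:BLOCK] + bytes([PT[BLOCK] ^ 0x01]) + PT[BLOCK + 1:]
    print("blocks changed by a 1-bit flip in plaintext block 1:",
          changed_blocks(ct, cbc_encrypt(KEY, IV, flipped)))
    wire = send_records_implicit_iv(KEY, IV, RECORDS)
    print("implicit IV for record 2 already on the wire:",
          wire[0][-BLOCK:].hex())
```

The `changed_blocks` check makes note 8 concrete: a single-bit change in plaintext block i alters ciphertext blocks i through the end, and nothing before it. The two `send_records_*` functions make note 9 concrete: with the implicit chaining the next record's IV is `wire[n][-BLOCK:]`, a value already transmitted, whereas with the explicit field the IV is drawn fresh per record and has no relation to earlier traffic. When reviewing an implementation, the property to verify is that of the second function: no IV used for a record is derivable from data sent before that record's plaintext was chosen.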
References
Hickman, K.: The SSL Protocol. Internet Draft, April 1995
Freier, A., Karlton, P., Kocher, P.: The secure sockets layer (SSL) protocol version 3.0. RFC 6101, August 2011
Dierks, T., Allen, C.: The TLS protocol version 1.0. RFC 2246 (Proposed Standard), January 1999
Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.1. RFC 4346 (Proposed Standard), April 2006
Dierks, T., Rescorla, E.: The transport layer security (TLS) protocol version 1.2. RFC 5246 (Proposed Standard), August 2008
Rescorla, E.: SSL and TLS: Designing and Building Secure Systems. Addison-Wesley, Reading (2001)
Wagner, D., Schneier, B.: Analysis of the SSL 3.0 protocol. In: The Second USENIX Workshop on Electronic Commerce Proceedings (1996)
Bellare, M., Rogaway, P.: Entity authentication and key distribution. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 232–249. Springer, Heidelberg (1994)
Bleichenbacher, D.: Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 1–12. Springer, Heidelberg (1998)
Davida, G.: Chosen signature cryptanalysis of the RSA (MIT) public key cryptosystem. Technical report (1982)
Brumley, D., Boneh, D.: Remote timing attacks are practical. In: Proceedings of the 12th Conference on USENIX Security Symposium, SSYM’03, vol. 12. USENIX Association, Berkeley, June 2003
Aciicmez, O., Schindler, W., Koc, C.: Improving Brumley and Boneh timing attack on unprotected SSL implementations. In: Proceedings of the 12th ACM conference on Computer and communications security. ACM, November 2005
Klíma, V., Pokorný, O., Rosa, T.: Attacking RSA-based sessions in SSL/TLS. In: Walter, C.D., Koç, C., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 426–440. Springer, Heidelberg (2003)
Brumley, B.B., Tuveri, N.: Remote timing attacks are still practical. In: Atluri, V., Diaz, C. (eds.) ESORICS 2011. LNCS, vol. 6879, pp. 355–371. Springer, Heidelberg (2011)
Montgomery, P.L.: Speeding the Pollard and elliptic curve methods of factorization. Math. Comp. 48, 243–264 (1987)
López, J., Dahab, R.: Fast multiplication on elliptic curves over GF(2^m) without precomputation. In: Koç, C., Paar, C. (eds.) CHES 1999. LNCS, vol. 1717, pp. 316–327. Springer, Heidelberg (1999)
Howgrave-Graham, N.A., Smart, N.P.: Lattice attacks on digital signature schemes. Des. Codes Crypt. 23, 283–290 (2001)
Bardou, R., Focardi, R., Kawamoto, Y., Simionato, L., Steel, G., Tsay, J.-K.: Efficient padding oracle attacks on cryptographic hardware. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 608–625. Springer, Heidelberg (2012)
Mavrogiannopoulos, N., Vercauteren, F., Velichkov, V., Preneel, B.: A Cross-protocol attack on the TLS protocol. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS ’12. ACM, October 2012
Vaudenay, S.: Security flaws induced by CBC padding - applications to SSL, IPSEC, WTLS. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 534–545. Springer, Heidelberg (2002)
Kelsey, J.: Compression and information leakage of plaintext. In: Daemen, J., Rijmen, V. (eds.) FSE 2002. LNCS, vol. 2365, pp. 263–276. Springer, Heidelberg (2002)
Canvel, B., Hiltgen, A.P., Vaudenay, S., Vuagnoux, M.: Password interception in a SSL/TLS channel. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 583–599. Springer, Heidelberg (2003)
Bard, G.V.: The vulnerability of SSL to chosen plaintext attack. IACR Cryptology ePrint Archive 2004, May 2004
Bard, G.V.: A challenging but feasible blockwise-adaptive chosen-plaintext attack on SSL. In: SECRYPT 2006, Proceedings of the International Conference on Security and Cryptography, INSTICC Press, August 2006
Danezis, G.: Traffic analysis of the HTTP protocol over TLS (Unpublished manuscript)
Chen, S., Wang, R., Wang, X., Zhang, K.: Side-channel leaks in web applications: a reality today, a challenge tomorrow. In: Proceedings of the 2010 IEEE Symposium on Security and Privacy, SP ’10. IEEE Computer Society, May 2010
Rizzo, J., Duong, T.: Here come the XOR ninjas, May 2011
Paterson, K.G., Schuldt, J.C.N., Stam, M., Thomson, S.: On the joint security of encryption and signature, revisited. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 161–178. Springer, Heidelberg (2011)
AlFardan, N., Paterson, K.: Plaintext-recovery attacks against datagram TLS. In: Network and Distributed System Security Symposium (NDSS 2012), February 2012
AlFardan, N., Paterson, K.: Lucky thirteen: breaking the TLS and DTLS record protocols. In: Proceedings of the 2013 IEEE Symposium on Security and Privacy, SP ’13. IEEE Computer Society, February 2013
Fluhrer, S.R., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 1–24. Springer, Heidelberg (2001)
Ohigashi, T., Isobe, T., Watanabe, Y., Morii, M.: Full plaintext recovery attack on broadcast RC4. In: Proceedings of the 20th International Workshop on Fast Software Encryption (FSE 2013), March 2013
Lenstra, A., Wang, X., de Weger, B.: Colliding X.509 certificates. Cryptology ePrint Archive, Report 2005/067, March 2005
Rosenfeld, M.: Internet Explorer SSL vulnerability, May 2008
Rosenfeld, M.: Null prefix attacks against SSL/TLS certificates, February 2009
Rosenfeld, M.: Defeating OCSP with the character ‘3’, July 2009
Moore, R., Ward, S.: Multiple browser wildcard certificate validation weakness, July 2010
Rescorla, E.: HTTP over TLS. RFC 2818, May 2000
Comodo CA Ltd.: Comodo report of incident - Comodo detected and thwarted an intrusion on 26-MAR-2011. Technical report, March 2011
Asghari, H.: Fox-IT: Black Tulip - Report of the investigation into the DigiNotar Certificate Authority breach. Technical report, August 2012
Palmer, C.: Unqualified names in the SSL observatory, April 2011
Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, D., Shmatikov, V.: The most dangerous code in the world: Validating SSL certificates in non-browser software. In: ACM Conference on Computer and Communications Security (2012)
Langley, A.: Enhancing digital certificate security, January 2013
Goldberg, W.: Randomness and the Netscape browser. Dr. Dobb's Journal, January 1996
Weimer, F.: DSA-1571-1 openssl - predictable random number generator, May 2008
Zhao, Y., Vemuri, S., Chen, J., Chen, Y., Zhou, H., Fu, Z.: Exception triggered DoS attacks on wireless networks. In: Proceedings of the 2009 IEEE/IFIP International Conference on Dependable Systems and Networks, DSN 2009, June 2009
Ray, M., Dispensa, S.: Renegotiating TLS. PhoneFactor, Inc. Technical report, November 2009
Copyright information
© 2014 Springer International Publishing Switzerland
Cite this paper
Meyer, C., Schwenk, J. (2014). SoK: Lessons Learned from SSL/TLS Attacks. In: Kim, Y., Lee, H., Perrig, A. (eds) Information Security Applications. WISA 2013. Lecture Notes in Computer Science(), vol 8267. Springer, Cham. https://doi.org/10.1007/978-3-319-05149-9_12
DOI: https://doi.org/10.1007/978-3-319-05149-9_12
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-05148-2
Online ISBN: 978-3-319-05149-9