According to a research team from Royal Holloway University London (RHUL) and the University of Illinois at Chicago, when RC4 encryption (long known to be weak) is used as part of TLS/SSL (that is, HTTPS on the web), TLS is theoretically breakable. Not all TLS implementations use RC4 internally, but “Around 50% of all TLS traffic is currently protected using the RC4 algorithm,” says the team. That means, in crypto terms, half of all the internet traffic ‘protected’ as HTTPS is vulnerable to the attack developed by the team – and the exploitable vulnerability has already been assigned a number by the US NIST National Vulnerability Database: CVE-2013-2566.
In practical terms for the security administrator this is probably not an issue yet. Paul Ducklin has written an overview of the attack in the Sophos NakedSecurity blog. “It requires,” he explains, “you to capture somewhere between millions and billions of connections that all contain the same plaintext; and it only works well for the first 200 bytes or so of the transmitted data.” But to cryptographers, that’s not an issue. The reality is that it is possible. “Nevertheless,” confirms Ducklin, “it reveals a deep-rooted problem in using the RC4 encryption algorithm to secure your TLS traffic.”
The researchers describe it as a multi-session attack, which means that “we require a target plaintext to be repeatedly sent in the same position in the plaintext stream in multiple TLS sessions.” Those multiple sessions could be generated in several ways. “The attacker could cause the TLS session to be terminated, and some applications running over TLS then automatically reconnect and retransmit a cookie or password. In a web environment, the sessions may also be generated by client-side malware, in a similar way to the BEAST attack.” The cost in sessions is considerable: “The number of sessions needed to reliably recover these plaintext bytes is around 2^30, but already with only 2^24 sessions, certain bytes can be recovered reliably.”
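The statistical weakness the multi-session attack builds on is that RC4's keystream bytes are not uniformly distributed: a single keystream byte at a fixed position takes some values noticeably more often than others, so XORing the same plaintext byte at the same position under many independent keys lets the bias show through. The script below is an added illustration, not code from the article or from the research team: it implements RC4 from the public key-scheduling and output specification and measures the best-known single-byte bias, the second keystream byte being zero with probability about 2/256 rather than 1/256 (the Mantin–Shamir bias). The key length, number of trial keys and RNG seed are choices made here for the demonstration.

```python
import random
from collections import Counter


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by the output generator (PRGA).

    Returns the first `length` keystream bytes for `key`.
    """
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S under the key
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # PRGA: emit one byte per step
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_encrypt(key: bytes, data: bytes) -> bytes:
    """Stream-cipher XOR; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def keystream_byte_bias(position: int, n_keys: int,
                        key_len: int = 16, seed: int = 0):
    """Empirical distribution of the keystream byte at `position` (0-based)
    over `n_keys` independent random keys (constructed here with a seeded RNG).

    Returns (most_frequent_value, its_observed_probability). For a uniform
    keystream every value would sit near 1/256; RC4 does not.
    """
    rng = random.Random(seed)
    counts = Counter()
    for _ in range(n_keys):
        key = bytes(rng.getrandbits(8) for _ in range(key_len))
        counts[rc4_keystream(key, position + 1)[position]] += 1
    value, hits = counts.most_common(1)[0]
    return value, hits / n_keys


if __name__ == "__main__":
    # Sanity check against the widely published test vector (key "Key").
    assert rc4_encrypt(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
    value, prob = keystream_byte_bias(position=1, n_keys=20000, seed=1)
    print(f"second keystream byte: most common value 0x{value:02x}, "
          f"observed probability {prob:.5f} (uniform would be {1/256:.5f})")
```

Only the second byte is measured here because its bias is the largest and simplest to state; the RHUL attack draws on a full table of single-byte biases across the first 256 keystream positions, which is why it is limited to the first couple of hundred bytes of each session.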
The attack is known as the AlFardan-Bernstein-Paterson-Poettering-Schuldt (AlFBPPS) attack; that is, the authors' names in alphabetical order. (“In Western culture, naming one's attacks after obscure Neil Young albums [cf. Lucky Thirteen] is now considered passé,” explain the authors.) Full details have not yet been published. “We are working with the IETF TLS Working Group and affected vendors to prepare and test patches. We will update the information here as this process continues,” explain the authors.
If such an attack is so difficult, should administrators be worried? Perhaps not yet, but they should remain aware and implement any patches as they become available. “The attacks can only be carried out by a determined attacker,” say the researchers. “They recover a limited amount of plaintext. In this sense, the attacks do not pose a significant danger to ordinary users of TLS in their current form. However,” and this is the point, “it is a truism that attacks only get better with time, and we anticipate significant further improvements to our attack.”