uta                                                           Y. Sheffer
Internet-Draft                                                  Porticor
Intended status: Informational                                   R. Holz
Expires: September 28, 2014                                          TUM
                                                          P. Saint-Andre
                                                                    &yet
                                                          March 27, 2014


               Summarizing Current Attacks on TLS and DTLS
                       draft-ietf-uta-tls-attacks-00

Abstract

   Over the last few years there have been several serious attacks on
   TLS, including attacks on its most commonly used ciphers and modes of
   operation.
   This document summarizes these attacks, with the goal of motivating
   generic and protocol-specific recommendations on the usage of TLS
   and DTLS.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 28, 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Attacks on TLS
     2.1.  BEAST
     2.2.  Lucky Thirteen
     2.3.  Attacks on RC4
     2.4.  Compression Attacks: CRIME and BREACH
   3.  Security Considerations
   4.  IANA Considerations
   5.  Acknowledgements
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Appendix A.  Appendix: Change Log
     A.1.  draft-ietf-uta-tls-bcp-00
     A.2.  draft-sheffer-uta-tls-bcp-00
   Authors' Addresses

1.  Introduction

   Over the last few years there have been several major attacks on TLS
   [RFC5246], including attacks on its most commonly used ciphers and
   modes of operation.  Details are given in Section 2, but suffice it
   to say that both AES-CBC and RC4, which together account for most
   current usage, have been seriously attacked in the context of TLS.

   This situation motivated the creation of the UTA working group, which
   is tasked with producing generic and protocol-specific
   recommendations for the use of TLS and DTLS.

   "Attacks always get better; they never get worse" (ironically, this
   saying is attributed to the NSA).  This list of attacks describes our
   knowledge as of this writing.  It seems likely that new attacks will
   be invented in the future.

   For a more detailed discussion of the attacks listed here, the
   interested reader is referred to [Attacks-iSec].

2.  Attacks on TLS

   This section lists the attacks that motivated the current
   recommendations.  It is not intended to be an extensive survey of
   TLS's security.

   While there are widely deployed mitigations for some of the attacks
   listed below, we believe that their root causes necessitate a more
   systemic solution.

2.1.  BEAST

   The BEAST attack [BEAST] exploits a weakness in the way TLS 1.0 uses
   CBC: the initialization vector for each record is the last ciphertext
   block of the previous record, so an attacker who observes the
   ciphertext knows the IV before the next record is encrypted.
   Combined with the ability to inject chosen plaintext into the
   victim's connection, this predictable IV lets the attacker verify
   guesses about the plaintext one block at a time; the authors showed
   how this can be used to decrypt HTTP cookies when run over TLS.

2.2.  Lucky Thirteen

   A consequence of the MAC-then-encrypt construction used by the CBC
   cipher suites in all current versions of TLS is the existence of
   padding oracle attacks [Padding-Oracle]: if the receiver reveals,
   through an error message or a timing difference, whether the padding
   of a decrypted record was valid, an attacker can recover plaintext by
   submitting modified ciphertexts.  A recent incarnation of these
   attacks is the Lucky Thirteen attack [CBC-Attack], a timing
   side-channel attack in which the MAC computation takes measurably
   different time depending on the padding, allowing the attacker to
   decrypt arbitrary ciphertext.

2.3.  Attacks on RC4

   The RC4 algorithm [RC4] has been used with TLS (and previously, SSL)
   for many years.  Attacks have also been known for a long time, e.g.
   [RC4-Attack-FMS].  But recent attacks ([RC4-Attack],
   [RC4-Attack-AlF]), which exploit statistical biases in the RC4
   keystream to recover plaintext that is encrypted repeatedly under
   different keys, have weakened this algorithm even more.  See
   [I-D.popov-tls-prohibiting-rc4] for more details.

2.4.  Compression Attacks: CRIME and BREACH

   The CRIME attack [CRIME] allows an active attacker to decrypt
   ciphertext (specifically, cookies) when TLS is used with protocol-
   level compression: by injecting chosen data next to the secret and
   observing the length of the resulting compressed-then-encrypted
   records, the attacker learns, one byte at a time, which guesses
   compress well together with the secret.

   The TIME attack [TIME] and the later BREACH attack [BREACH] both make
   similar use of HTTP-level compression to decrypt secret data passed
   in the HTTP response.  We note that compression of the HTTP message
   body is much more prevalent than compression at the TLS level.

   The former attack can be mitigated by disabling TLS compression, as
   recommended in [I-D.ietf-uta-tls-bcp].  We are not aware of
   mitigations at the protocol level to the latter attack, and so
   application-level mitigations are needed (see [BREACH]).  For
   example, implementations of HTTP that use CSRF tokens will need to
   randomize them (e.g., by masking each token with a fresh random value
   per response) even when the recommendations of [I-D.ietf-uta-tls-bcp]
   are adopted.
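   The following Go program is an added illustration of the
   predictable-IV problem described in Section 2.1; it is not part of
   this draft nor of the BEAST tooling.  It models two victim
   connections with the same constructed AES key and request, one
   chaining IVs as TLS 1.0 does and one drawing a fresh IV per record as
   TLS 1.1 does, and lets an attacker who sees the ciphertext and can
   submit one chosen block test each of the 256 possibilities for the
   last byte of the cookie block.  The chosen plaintext cancels the
   known IV, so the probe encrypts exactly as the target block did if
   and only if the guess is right.  The key, initial IV and traffic are
   made up for the example; the byte-at-a-time boundary shifting that
   BEAST adds on top of this check is left out.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const bs = aes.BlockSize

// tls10 models CBC as TLS 1.0 uses it: the IV of the next record is the last
// ciphertext block of the previous one, so it is on the wire before it is used.
type tls10 struct {
	b  cipher.Block
	iv []byte
}

// send encrypts one record (whole blocks; MAC and padding are left out because
// only the IV matters here) and chains the IV.
func (c *tls10) send(pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(c.b, c.iv).CryptBlocks(ct, pt)
	c.iv = append([]byte(nil), ct[len(ct)-bs:]...)
	return ct
}

// tls11 models CBC as TLS 1.1 and later use it: each record gets a fresh random
// IV, sent along with it, that nobody knows while the plaintext is being
// chosen. Only the ciphertext blocks are returned.
type tls11 struct{ b cipher.Block }

func (c *tls11) send(pt []byte) []byte {
	iv := make([]byte, bs)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(c.b, iv).CryptBlocks(ct, pt)
	return ct
}

// attacker sees every ciphertext and can make the victim encrypt one chosen
// block (BEAST does this through the browser). It assumes TLS 1.0 chaining, so
// its prediction of the next IV is the last ciphertext block it observed.
type attacker struct {
	send func([]byte) []byte
	last []byte
}

func (a *attacker) observe(ct []byte) { a.last = append([]byte(nil), ct[len(ct)-bs:]...) }

// recoverLastByte is the core BEAST step against block i of the observed
// record ct: the attacker knows the first 15 bytes of P_i (it chose where the
// block boundary falls) and tries all 256 values of the last one. Because
// C_i = E(P_i XOR C_{i-1}), the probe P' = guess XOR C_{i-1} XOR IV_next
// encrypts to E(guess XOR C_{i-1}), which equals C_i exactly when guess == P_i.
func (a *attacker) recoverLastByte(ct []byte, i int, known15 []byte) (byte, bool) {
	prev, target := ct[(i-1)*bs:i*bs], ct[i*bs:(i+1)*bs]
	for g := 0; g < 256; g++ {
		probe := make([]byte, bs)
		for k := 0; k < bs-1; k++ {
			probe[k] = known15[k] ^ prev[k] ^ a.last[k]
		}
		probe[bs-1] = byte(g) ^ prev[bs-1] ^ a.last[bs-1]
		out := a.send(probe)
		a.observe(out)
		if bytes.Equal(out[len(out)-bs:], target) {
			return byte(g), true
		}
	}
	return 0, false
}

// demo runs the attack against both record formats on constructed traffic and
// returns the byte recovered from TLS 1.0, whether that succeeded, and whether
// the same probes succeeded against TLS 1.1.
func demo() (byte, bool, bool) {
	blk, _ := aes.NewCipher([]byte("0123456789abcdef"))   // constructed key
	pt := []byte("GET / HTTP/1.1\r\nCookie: sid=49Qz") // block 1 ends in the unknown 'z'
	known := pt[bs : 2*bs-1]
	v10 := &tls10{b: blk, iv: []byte("initial-iv-16byt")}
	a10 := &attacker{send: v10.send}
	ct := v10.send(pt)
	a10.observe(ct)
	b10, ok10 := a10.recoverLastByte(ct, 1, known)
	v11 := &tls11{b: blk}
	a11 := &attacker{send: v11.send}
	ct = v11.send(pt)
	a11.observe(ct)
	_, ok11 := a11.recoverLastByte(ct, 1, known)
	return b10, ok10, ok11
}

func main() {
	b, ok10, ok11 := demo()
	fmt.Printf("TLS 1.0: byte %q confirmed: %v; TLS 1.1: any byte confirmed: %v\n", b, ok10, ok11)
}
```

   Against the chained-IV connection the probe for 'z' reproduces the
   cookie block's ciphertext; against the explicit-IV connection none of
   the 256 probes match, because the IV the attacker cancelled is not the
   one that was used.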
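   The following Go program, added here and not taken from the draft or
   from the Lucky Thirteen paper, shows the padding oracle of
   Section 2.2 in its simplest form: a receiver that decrypts a
   MAC-then-encrypt CBC record and reports a bad-padding error
   separately from a bad-MAC error, and an attacker that turns those
   two answers into the plaintext of a chosen block of a captured
   record.  The same receiver with the RFC 5246 handling (treat bad
   padding as zero-length padding, always run the MAC check, return a
   single alert) gives the attacker no usable signal.  Lucky Thirteen is
   the observation that this fix still leaves a timing difference,
   because the MAC is computed over a padding-dependent length;
   measuring that is not attempted here.  Keys, IV and plaintext are
   constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

const bs = aes.BlockSize
var blk, _ = aes.NewCipher([]byte("0123456789abcdef")) // constructed keys; TLS derives them from the handshake
var macKey = []byte("mac-key-for-demo")
var errBadPadding, errBadMAC = errors.New("decryption_failed"), errors.New("bad_record_mac")

// sealRecord builds a TLS 1.0-1.2 CBC record: plaintext || HMAC || padding (padLen+1 bytes equal to padLen).
func sealRecord(iv, pt []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(pt)
	data := append(append([]byte(nil), pt...), m.Sum(nil)...)
	padLen := bs - 1 - len(data)%bs
	data = append(data, bytes.Repeat([]byte{byte(padLen)}, padLen+1)...)
	ct := make([]byte, len(data))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, data)
	return ct
}

// openRecord decrypts and verifies a record. Leaky: bad padding is reported as
// such before the MAC check. Fixed (RFC 5246, 6.2.3.2): bad padding is treated
// as zero-length, the MAC is always checked, and one error covers both cases.
func openRecord(iv, ct []byte, leaky bool) error {
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	padLen := int(pt[len(pt)-1])
	padOK := padLen+1 <= len(pt)
	for i := 0; padOK && i <= padLen; i++ {
		padOK = pt[len(pt)-1-i] == byte(padLen)
	}
	if !padOK && leaky {
		return errBadPadding
	} else if !padOK {
		padLen = 0
	}
	body := pt[:len(pt)-1-padLen]
	if len(body) < sha256.Size {
		return errBadMAC
	}
	m := hmac.New(sha256.New, macKey)
	m.Write(body[:len(body)-sha256.Size])
	if !hmac.Equal(m.Sum(nil), body[len(body)-sha256.Size:]) {
		return errBadMAC
	}
	return nil
}

// recoverBlock recovers plaintext block i (i >= 1) of ct from oracle verdicts
// alone: C_i is sent as a one-block record under a chosen IV R, so the receiver
// sees P' = D(C_i) XOR R; R is tuned from the last byte back until P' ends in
// valid padding of the aimed-for length, which pins D(C_i) = P_i XOR C_{i-1}.
func recoverBlock(oracle func(iv, ct []byte) error, ct []byte, i int) ([]byte, bool) {
	prev, target := ct[(i-1)*bs:i*bs], ct[i*bs:(i+1)*bs]
	pt := make([]byte, bs)
	for pos := bs - 1; pos >= 0; pos-- {
		pad := byte(bs - 1 - pos) // aim for P'[pos..] = pad, pad, ...
		r := make([]byte, bs)
		for k := pos + 1; k < bs; k++ {
			r[k] = pt[k] ^ prev[k] ^ pad
		}
		hits, hit := 0, byte(0)
		for g := 0; g < 256; g++ {
			r[pos] = byte(g)
			ok := oracle(r, target) != errBadPadding
			if ok && pos == bs-1 { // rule out 01 01, 02 02 02, ... fitting by chance
				r[pos-1] ^= 0xff
				ok = oracle(r, target) != errBadPadding
				r[pos-1] ^= 0xff
			}
			if ok {
				hits, hit = hits+1, byte(g)
			}
		}
		if hits != 1 { // no usable signal: the fixed receiver stops the attack here
			return nil, false
		}
		pt[pos] = hit ^ pad ^ prev[pos]
	}
	return pt, true
}

// demo seals a constructed request and attacks its second block (the cookie) through both receivers.
func demo() (string, bool, bool) {
	ct := sealRecord([]byte("iv-for-record-01"), []byte("GET / HTTP/1.1\r\nCookie: sid=7q2x9\r\n"))
	pt, ok := recoverBlock(func(iv, c []byte) error { return openRecord(iv, c, true) }, ct, 1)
	_, okFixed := recoverBlock(func(iv, c []byte) error { return openRecord(iv, c, false) }, ct, 1)
	return string(pt), ok, okFixed
}
func main() { fmt.Println(demo()) }
```

   The attacker never needs the keys: about 16 x 256 oracle queries
   recover the 16-byte cookie block from the leaky receiver, while the
   fixed receiver answers every query with the same alert and the
   attacker cannot single out a candidate for even the last byte.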
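   The following Go program is an added illustration of the keystream
   biases behind the RC4 attacks cited in Section 2.3; it is not part of
   this draft.  It encrypts one constructed plaintext under many
   independent random keys, as happens when a browser is made to repeat
   a request over fresh connections, measures how often the second
   keystream byte is zero (the Mantin-Shamir bias, about 2/256 instead
   of 1/256), and then uses that bias to recover the second plaintext
   byte from the ciphertexts alone.  The cited attacks apply the same
   idea to biases across the first 256 keystream bytes, with far more
   ciphertexts; the seeded PRNG and 16-byte keys are choices made for
   repeatability.

```go
package main

import (
	"crypto/rc4"
	"fmt"
	"math/rand"
)

// Constructed setting: one short secret (a cookie) is encrypted under many
// independent RC4 keys, as happens when an attacker makes a browser resend
// the same request over fresh connections. Keys come from a seeded PRNG so
// the run is repeatable.
const secret = "sid=7q2x9"

// keystreams returns the first n RC4 keystream bytes under count random
// 16-byte keys.
func keystreams(count, n int, seed int64) [][]byte {
	rng := rand.New(rand.NewSource(seed))
	out := make([][]byte, count)
	for i := range out {
		key := make([]byte, 16)
		for k := range key {
			key[k] = byte(rng.Intn(256))
		}
		c, err := rc4.NewCipher(key)
		if err != nil {
			panic(err)
		}
		ks := make([]byte, n) // XORing zeros yields the raw keystream
		c.XORKeyStream(ks, ks)
		out[i] = ks
	}
	return out
}

// secondByteZeroRate measures how often the second keystream byte Z_2 is
// zero. A uniform stream would give about 1/256; RC4 gives close to 2/256.
func secondByteZeroRate(streams [][]byte) float64 {
	zeros := 0
	for _, ks := range streams {
		if ks[1] == 0 {
			zeros++
		}
	}
	return float64(zeros) / float64(len(streams))
}

// encryptAll XORs the same plaintext with each keystream.
func encryptAll(streams [][]byte, pt []byte) [][]byte {
	cts := make([][]byte, len(streams))
	for i, ks := range streams {
		ct := make([]byte, len(pt))
		for k := range pt {
			ct[k] = pt[k] ^ ks[k]
		}
		cts[i] = ct
	}
	return cts
}

// broadcastAttack recovers plaintext byte 2 from ciphertexts of one plaintext
// under many keys: since Z_2 is zero far more often than any other value,
// the most frequent ciphertext byte at that position is P_2 itself. The
// attacks cited in the text use biases at other positions the same way.
func broadcastAttack(cts [][]byte) byte {
	var hist [256]int
	for _, ct := range cts {
		hist[ct[1]]++
	}
	best := 0
	for v := range hist {
		if hist[v] > hist[best] {
			best = v
		}
	}
	return byte(best)
}

// demo returns the measured P[Z_2 = 0] and the recovered second plaintext byte.
func demo() (float64, byte) {
	streams := keystreams(30000, len(secret), 1)
	return secondByteZeroRate(streams), broadcastAttack(encryptAll(streams, []byte(secret)))
}

func main() {
	rate, b := demo()
	fmt.Printf("P[Z_2 = 0] = %.4f (uniform: %.4f); recovered P_2 = %q (true %q)\n",
		rate, 1.0/256, b, secret[1])
}
```

   With 30,000 keys the zero count at position 2 is roughly double what
   a uniform keystream would give, and the histogram of ciphertext bytes
   at that position peaks at the plaintext byte with a margin of many
   standard deviations, which is why the attack needs no key material
   at all.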
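   The following Go program is an added illustration of the compression
   oracle behind CRIME, TIME and BREACH (Section 2.4); it is neither
   part of this draft nor code from those attacks.  It assumes a
   constructed HTTP request in which the browser adds a session cookie
   and the attacker controls the path, compresses the result with
   DEFLATE (TLS-level compression and HTTP gzip both use it), and
   recovers the cookie from output lengths alone by guessing one byte at
   a time and keeping the guess that compresses best.  Because DEFLATE
   output is measured in whole bytes, each guess is tried with eight
   different paddings so that byte-boundary ties cannot hide the
   one-literal saving of a correct guess.  The secret, host name and
   padding scheme are made up for the example.

```go
package main

import (
	"bytes"
	"compress/flate"
	"fmt"
)

// Constructed setting: the browser appends a session cookie to every request
// and the attacker chooses the path, so both land in one compress-then-encrypt
// stream. Encryption does not change the length, so the attacker reasons
// directly about the DEFLATE output size.
const secret = "7q2x9pdb4m"

// request is what the browser sends for an attacker-chosen path.
func request(path string) []byte {
	return []byte("GET " + path + " HTTP/1.1\r\nHost: app.example\r\nCookie: sid=" + secret + "\r\n\r\n")
}

// One compressor, reset per probe; resetting does not change the output.
var zw = func() *flate.Writer {
	w, err := flate.NewWriter(nil, flate.DefaultCompression)
	if err != nil {
		panic(err)
	}
	return w
}()

// compressedLen is all the attacker observes on the wire.
func compressedLen(data []byte) int {
	var buf bytes.Buffer
	zw.Reset(&buf)
	zw.Write(data)
	zw.Close()
	return buf.Len()
}

// cost scores one guess for the next secret byte. A correct guess extends the
// back-reference DEFLATE emits for the cookie by one byte and saves one
// literal, about 7-8 bits, which a byte-granular length may or may not show.
// So the guess is tried with 0..7 trailing padding bytes of values >= 0x90
// (9-bit literals in DEFLATE's fixed Huffman code), which shift the final
// byte boundary one bit at a time; summed over the eight alignments a correct
// guess scores strictly lower than any wrong one.
func cost(known string, c byte) int {
	total := 0
	for j := 0; j < 8; j++ {
		pad := make([]byte, j)
		for k := range pad {
			pad[k] = byte(0x90 + k)
		}
		total += compressedLen(request("/?q=sid=" + known + string(c) + string(pad)))
	}
	return total
}

// recoverCookie extracts n cookie bytes, one per round, from lengths alone.
func recoverCookie(n int) string {
	const alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
	known := ""
	for len(known) < n {
		bestC, bestCost := byte(0), -1
		for i := 0; i < len(alphabet); i++ {
			if k := cost(known, alphabet[i]); bestCost < 0 || k < bestCost {
				bestC, bestCost = alphabet[i], k
			}
		}
		known += string(bestC)
	}
	return known
}

func main() {
	fmt.Printf("recovered cookie: %q (true %q)\n", recoverCookie(len(secret)), secret)
}
```

   Each round costs 36 guesses times 8 probes, and the attacker only
   ever reads buf.Len(); this is why neither disabling the cipher nor
   strengthening it helps, and why the mitigations in the text are
   to remove the compression or to keep secrets from compressing
   against attacker-controlled data.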
3.  Security Considerations

   This document describes protocol attacks in an informational manner,
   and in itself does not have any security implications.  Its companion
   documents certainly do.

4.  IANA Considerations

   This document requires no IANA actions.

5.  Acknowledgements

   We would like to thank Stephen Farrell, Simon Josefsson, Yoav Nir,
   Kenny Paterson, Patrick Pelletier, and Rich Salz for their review of
   a previous version of this document.

   The document was prepared using the lyx2rfc tool, created by Nico
   Williams.

6.  References

6.1.  Normative References

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

6.2.  Informative References

   [I-D.ietf-uta-tls-bcp]
              Sheffer, Y., Holz, R., and P. Saint-Andre,
              "Recommendations for Secure Use of TLS and DTLS",
              draft-ietf-uta-tls-bcp-00 (work in progress), March 2014.

   [I-D.popov-tls-prohibiting-rc4]
              Popov, A., "Prohibiting RC4 Cipher Suites",
              draft-popov-tls-prohibiting-rc4-01 (work in progress),
              October 2013.

   [CBC-Attack]
              AlFardan, N. and K. Paterson, "Lucky Thirteen: Breaking
              the TLS and DTLS Record Protocols", IEEE Symposium on
              Security and Privacy, 2013.

   [BEAST]    Rizzo, J. and T. Duong, "Browser Exploit Against SSL/TLS",
              2011.

   [CRIME]    Rizzo, J. and T. Duong, "The CRIME Attack", EKOparty
              Security Conference 2012, 2012.

   [BREACH]   Prado, A., Harris, N., and Y. Gluck, "The BREACH Attack",
              2013.

   [TIME]     Be'ery, T. and A. Shulman, "A Perfect CRIME? Only TIME
              Will Tell", Black Hat Europe 2013, 2013.

   [RC4]      Schneier, B., "Applied Cryptography: Protocols,
              Algorithms, and Source Code in C, 2nd Ed.", 1996.

   [RC4-Attack-FMS]
              Fluhrer, S., Mantin, I., and A. Shamir, "Weaknesses in the
              Key Scheduling Algorithm of RC4", Selected Areas in
              Cryptography, 2001.
   [RC4-Attack]
              Isobe, T., Ohigashi, T., Watanabe, Y., and M. Morii, "Full
              Plaintext Recovery Attack on Broadcast RC4", International
              Workshop on Fast Software Encryption, 2013.

   [RC4-Attack-AlF]
              AlFardan, N., Bernstein, D., Paterson, K., Poettering, B.,
              and J. Schuldt, "On the Security of RC4 in TLS", USENIX
              Security Symposium 2013, 2013.

   [Attacks-iSec]
              Sarkar, P. and S. Fitzgerald, "Attacks on SSL, a
              comprehensive study of BEAST, CRIME, TIME, BREACH, Lucky13
              and RC4 biases", August 2013.

   [Padding-Oracle]
              Vaudenay, S., "Security Flaws Induced by CBC Padding
              Applications to SSL, IPSEC, WTLS...", EUROCRYPT 2002,
              2002.

Appendix A.  Appendix: Change Log

   Note to RFC Editor: please remove this section before publication.

A.1.  draft-ietf-uta-tls-bcp-00

   o  Initial WG version, with only updated references.

A.2.  draft-sheffer-uta-tls-bcp-00

   o  Initial version, extracted from draft-sheffer-tls-bcp-01.

Authors' Addresses

   Yaron Sheffer
   Porticor
   29 HaHarash St.
   Hod HaSharon  4501303
   Israel

   Email: yaronf.ietf@gmail.com


   Ralph Holz
   Technische Universitaet Muenchen
   Boltzmannstr. 3
   Garching  85748
   Germany

   Email: holz@net.in.tum.de


   Peter Saint-Andre
   &yet

   Email: ietf@stpeter.im