uta                                                           Y. Sheffer
Internet-Draft                                                  Porticor
Intended status: Informational                                   R. Holz
Expires: August 11, 2014                                             TUM
                                                          P. Saint-Andre
                                                                    &yet
                                                        February 7, 2014


              Summarizing Current Attacks on TLS and DTLS
                    draft-sheffer-uta-tls-attacks-00

Abstract

   Over the last few years there have been several serious attacks on
   TLS, including attacks on its most commonly used ciphers and modes of
   operation.
   This document summarizes these attacks, with the goal of motivating
   generic and protocol-specific recommendations on the usage of TLS and
   DTLS.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 11, 2014.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Conventions used in this document
   2.  Attacks on TLS
     2.1.  BEAST
     2.2.  Lucky Thirteen
     2.3.  Attacks on RC4
     2.4.  Compression Attacks: CRIME and BREACH
   3.  Security Considerations
   4.  IANA Considerations
   5.  Acknowledgements
   6.  References
     6.1.  Normative References
     6.2.  Informative References
   Appendix A.  Appendix: Change Log
     A.1.  -00
   Authors' Addresses

1.  Introduction

   Over the last few years there have been several major attacks on TLS
   [RFC5246], including attacks on its most commonly used ciphers and
   modes of operation.  Details are given in Section 2, but suffice it
   to say that both AES-CBC and RC4, which together account for most
   current usage, have been seriously attacked in the context of TLS.

   This situation motivated the creation of the UTA working group, which
   is tasked with the creation of generic and protocol-specific
   recommendations for the use of TLS and DTLS.

   "Attacks always get better; they never get worse" (ironically, this
   saying is attributed to the NSA).  This list of attacks describes our
   knowledge as of this writing.  It seems likely that new attacks will
   be invented in the future.

   For a more detailed discussion of the attacks listed here, the
   interested reader is referred to [Attacks-iSec].

1.1.  Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

2.  Attacks on TLS

   This section lists the attacks that motivated the current
   recommendations.  This is not intended to be an extensive survey of
   TLS's security.
   While there are widely deployed mitigations for some of the attacks
   listed below, we believe that their root causes necessitate a more
   systemic solution.

2.1.  BEAST

   The BEAST attack [BEAST] exploits a weakness in the way TLS 1.0 uses
   CBC mode: the initialization vector of each record is the last
   ciphertext block of the previous record, and is therefore predictable
   to an attacker who can inject chosen plaintext.  BEAST uses this to
   decrypt parts of a record, and specifically shows how it can be used
   to decrypt HTTP cookies sent over TLS.

2.2.  Lucky Thirteen

   A consequence of the MAC-then-encrypt design in all current versions
   of TLS is the existence of padding oracle attacks [Padding-Oracle].

   A recent incarnation of these attacks is the Lucky Thirteen attack
   [CBC-Attack], a timing side-channel attack: the time an
   implementation takes to reject a record depends on how much of the
   record it has to MAC, which in turn depends on the padding length,
   and this leak allows the attacker to decrypt arbitrary ciphertext.

2.3.  Attacks on RC4

   The RC4 algorithm [RC4] has been used with TLS (and previously, SSL)
   for many years.  Attacks have also been known for a long time, e.g.
   [RC4-Attack-FMS].  But recent attacks ([RC4-Attack],
   [RC4-Attack-AlF]) have weakened this algorithm even more.  See
   [I-D.popov-tls-prohibiting-rc4] for more details.

2.4.  Compression Attacks: CRIME and BREACH

   The CRIME attack [CRIME] allows an active attacker to decrypt
   ciphertext (specifically, cookies) when TLS is used with protocol-
   level compression.

   The TIME attack [TIME] and the later BREACH attack [BREACH] both make
   similar use of HTTP-level compression to decrypt secret data passed
   in the HTTP response.  We note that compression of the HTTP message
   body is much more prevalent than compression at the TLS level.

   The former attack can be mitigated by disabling TLS compression, as
   recommended in the companion documents (see Section 3).  We are not
   aware of mitigations at the protocol level to the latter attack, and
   so application-level mitigations are needed (see [BREACH]).
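   The following is an added example and not code from this draft: it
   models the compression side channel that CRIME and BREACH exploit,
   and the per-response token masking that several web frameworks later
   adopted as the application-level mitigation mentioned above.  The
   page layout, the secret token, the hex alphabet, the choice of fixed
   Huffman codes in the compressor and all function names are
   assumptions made for the example.  The attacker sees nothing but the
   compressed length of each response, which is exactly what TLS leaks.

```python
"""Compression side channel (CRIME/BREACH style) and per-response masking.

Added example, not part of the draft.  The page, the secret and the
compressor settings are constructed assumptions.
"""
import os
import zlib

# Constructed sample: a secret CSRF token that a hypothetical page embeds in
# every response.  The attacker knows the "csrf=" prefix and the hex alphabet.
SECRET = b"csrf=7f3a9c1e"
HEX = b"0123456789abcdef"


def deflate(body: bytes) -> bytes:
    """DEFLATE with fixed Huffman codes.  Assumption made for determinism:
    every literal then costs 8 or 9 bits, so the saving from a longer match
    is exact.  Real BREACH tolerates the noisier default (dynamic) codes."""
    co = zlib.compressobj(9, zlib.DEFLATED, 15, 9, zlib.Z_FIXED)
    return co.compress(body) + co.flush()


def page(reflected: bytes, secret: bytes) -> bytes:
    """Hypothetical HTML body: attacker-controlled input echoed before the
    secret, as in a search page that also carries a CSRF token."""
    return b"<p>You searched for: " + reflected + b"</p><form>" + secret + b"</form>"


def make_oracle(secret: bytes):
    """Attacker's view: TLS hides record contents but not their length, so
    the only observable is the compressed size of the response."""
    return lambda reflected: len(deflate(page(reflected, secret)))


def make_masked_oracle(token: bytes):
    """Same page, but the token is freshly masked on every response."""
    return lambda reflected: len(deflate(page(reflected, b"csrf=" + mask_token(token))))


# Bytes that appear nowhere else on the page.  As fixed-Huffman literals they
# cost 9 bits each, so appending k of them shifts the bit alignment of the
# rest of the stream by k bits.
ALIGN = bytes(range(0x90, 0x98))


def score(oracle, candidate: bytes) -> int:
    """Sum of observed sizes over 8 bit alignments.  A guess that extends the
    LZ77 back-reference into the secret by one byte saves 7 or 8 bits; the
    byte-granular size hides that at some alignments and shows it at others,
    so the sum is strictly smaller for the right guess.  The "~" keeps the
    guess from forming accidental matches with the markup that follows it."""
    return sum(oracle(candidate + b"~" + ALIGN[:k]) for k in range(8))


def recover(oracle, prefix: bytes, n: int, alphabet: bytes = HEX) -> bytes:
    """Recover n secret bytes following a known prefix, one byte per round."""
    known = prefix
    for _ in range(n):
        known += min((bytes([c]) for c in alphabet),
                     key=lambda guess: score(oracle, known + guess))
    return known


def mask_token(token: bytes) -> bytes:
    """Application-level mitigation: send mask || (token XOR mask) with a fresh
    random mask per response.  The bytes on the wire differ every time, so a
    guess can never share a growing match with them across requests."""
    mask = os.urandom(len(token))
    xored = bytes(a ^ b for a, b in zip(mask, token))
    return mask.hex().encode() + b"." + xored.hex().encode()


def unmask_token(masked: bytes) -> bytes:
    """Server side: recover the token from a submitted masked value."""
    mask, xored = (bytes.fromhex(p.decode()) for p in masked.split(b"."))
    return bytes(a ^ b for a, b in zip(mask, xored))


if __name__ == "__main__":
    print(recover(make_oracle(SECRET), b"csrf=", 8))              # b'csrf=7f3a9c1e'
    print(recover(make_masked_oracle(b"7f3a9c1e"), b"csrf=", 8))  # not the token
    print(unmask_token(mask_token(b"7f3a9c1e")))                  # b'7f3a9c1e'
```

   Against the unmasked page the recovery returns the token after 8
   rounds of 16 guesses, each measured at 8 alignments, i.e. about a
   thousand requests and no cryptanalysis at all.  Against the masked
   page it returns noise: every response carries a different mask, so no
   guess ever extends a match that persists from one request to the
   next, even though the server still accepts any correctly masked
   token.  Real BREACH attacks cope with the default dynamic Huffman
   codes by similar padding tricks and more samples per guess.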
   For example, implementations of HTTP that use CSRF tokens will need
   to randomize them even when the recommendations of [TBD] are adopted.

3.  Security Considerations

   This document describes protocol attacks in an informational manner,
   and in itself does not have any security implications.  Its companion
   documents certainly do.

4.  IANA Considerations

   [Note to RFC Editor: please remove this section before publication.]

   This document requires no IANA actions.

5.  Acknowledgements

   We would like to thank Stephen Farrell, Simon Josefsson, Yoav Nir,
   Kenny Paterson, Patrick Pelletier, and Rich Salz for their review of
   a previous version of this document.

   The document was prepared using the lyx2rfc tool, created by Nico
   Williams.

6.  References

6.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.

6.2.  Informative References

   [I-D.popov-tls-prohibiting-rc4]
              Popov, A., "Prohibiting RC4 Cipher Suites",
              draft-popov-tls-prohibiting-rc4-01 (work in progress),
              October 2013.

   [CBC-Attack]
              AlFardan, N. and K. Paterson, "Lucky Thirteen: Breaking
              the TLS and DTLS Record Protocols", IEEE Symposium on
              Security and Privacy, 2013.

   [BEAST]    Rizzo, J. and T. Duong, "Browser Exploit Against SSL/TLS",
              2011.

   [CRIME]    Rizzo, J. and T. Duong, "The CRIME Attack", EKOparty
              Security Conference 2012, 2012.

   [BREACH]   Prado, A., Harris, N., and Y. Gluck, "The BREACH Attack",
              2013.

   [TIME]     Be'ery, T. and A. Shulman, "A Perfect CRIME? Only TIME
              Will Tell", Black Hat Europe 2013, 2013.

   [RC4]      Schneier, B., "Applied Cryptography: Protocols,
              Algorithms, and Source Code in C, 2nd Ed.", 1996.

   [RC4-Attack-FMS]
              Fluhrer, S., Mantin, I., and A. Shamir, "Weaknesses in the
              Key Scheduling Algorithm of RC4", Selected Areas in
              Cryptography, 2001.

   [RC4-Attack]
              Isobe, T., Ohigashi, T., Watanabe, Y., and M. Morii, "Full
              Plaintext Recovery Attack on Broadcast RC4", International
              Workshop on Fast Software Encryption, 2013.

   [RC4-Attack-AlF]
              AlFardan, N., Bernstein, D., Paterson, K., Poettering, B.,
              and J. Schuldt, "On the Security of RC4 in TLS", USENIX
              Security Symposium 2013, 2013.

   [Attacks-iSec]
              Sarkar, P. and S. Fitzgerald, "Attacks on SSL, a
              comprehensive study of BEAST, CRIME, TIME, BREACH, Lucky13
              and RC4 biases", August 2013.

   [Padding-Oracle]
              Vaudenay, S., "Security Flaws Induced by CBC Padding
              Applications to SSL, IPSEC, WTLS...", EUROCRYPT 2002,
              2002.

Appendix A.  Appendix: Change Log

   Note to RFC Editor: please remove this section before publication.

A.1.  -00

   o  Initial version, extracted from draft-sheffer-tls-bcp-01.

Authors' Addresses

   Yaron Sheffer
   Porticor
   29 HaHarash St.
   Hod HaSharon  4501303
   Israel

   Email: yaronf.ietf@gmail.com


   Ralph Holz
   Technische Universitaet Muenchen
   Boltzmannstr. 3
   Garching  85748
   Germany

   Email: holz@net.in.tum.de


   Peter Saint-Andre
   &yet

   Email: ietf@stpeter.im