Password Interception in a SSL/TLS Channel
Simple password authentication is often used, e.g. from an email client to a remote IMAP server. This is frequently done inside a protected peer-to-peer tunnel, e.g. one provided by SSL/TLS.
At Eurocrypt’02, Vaudenay presented vulnerabilities in padding schemes used for block ciphers in CBC mode. He used a side channel, namely the error information produced by the padding verification. This attack was not possible against SSL/TLS, both because the side channel is unavailable (errors are encrypted) and because the session is aborted prematurely in case of errors. In this paper we extend the attack and optimize it. We show it is actually applicable against the latest and most popular implementations of SSL/TLS (at the time this paper was written) for password interception.
We demonstrate that, in a typical setting, a password for an IMAP account can be intercepted in less than an hour when the attacker is not too far from the server.
We conclude that these versions of the SSL/TLS implementations are not secure when used with block ciphers in CBC mode and propose ways to strengthen them. We also propose to update the standard protocol.
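The side channel the abstract refers to is the record layer telling a padding failure apart from a MAC failure. The Python sketch below is added here as an illustration; it is not code from the paper, nor from any SSL/TLS implementation. It contrasts a CBC record check that raises a distinct error and stops early on bad padding with one that checks every padding byte without short-circuiting, always computes the MAC (over an assumed zero-length pad when the padding is bad) and reports a single alert, which is the countermeasure later written into TLS 1.1 (RFC 4346). The code works on the already-decrypted record bytes in the TLS 1.0 layout (payload || HMAC-SHA1 || padding, every padding byte equal to the pad length), so the block cipher itself is left out; the MAC key, the IMAP LOGIN line and the byte flips are constructed inputs.

```python
import hashlib
import hmac

BLOCK = 8                              # block size of the DES/3DES CBC ciphersuites the paper targets
MAC_LEN = hashlib.sha1().digest_size   # 20 bytes for HMAC-SHA1


class RecordError(Exception):
    """Generic record failure, surfaced as one alert."""


class BadPadding(RecordError):
    """Distinct padding failure: being able to observe this distinction is the side channel."""


class BadMac(RecordError):
    """Distinct MAC failure."""


def build_record(key: bytes, payload: bytes) -> bytes:
    """TLS 1.0 MAC-then-pad layout: payload || HMAC-SHA1 || padding.
    Every padding byte, including the final length byte, equals pad_len."""
    body = payload + hmac.new(key, payload, hashlib.sha1).digest()
    pad_len = BLOCK - (len(body) + 1) % BLOCK
    return body + bytes([pad_len]) * (pad_len + 1)


def verify_leaky(key: bytes, plaintext: bytes) -> bytes:
    """Vulnerable shape: a wrong pad is reported differently from a wrong MAC,
    and no MAC work is done at all when the pad is wrong."""
    pad_len = plaintext[-1]
    if pad_len + 1 > len(plaintext) - MAC_LEN or any(b != pad_len for b in plaintext[-(pad_len + 1):]):
        raise BadPadding("decryption_failed")          # TLS 1.0 alert name
    body = plaintext[:-(pad_len + 1)]
    payload, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(key, payload, hashlib.sha1).digest()):
        raise BadMac("bad_record_mac")                 # TLS 1.0 alert name
    return payload


def verify_uniform(key: bytes, plaintext: bytes) -> bytes:
    """Hardened shape: examine every padding byte without early exit, always compute
    the MAC (assuming zero-length padding if the pad is bad) and raise one alert."""
    if len(plaintext) < MAC_LEN + 1:
        raise RecordError("bad_record_mac")
    pad_len = plaintext[-1]
    pad_fits = pad_len + 1 <= len(plaintext) - MAC_LEN
    diff = 0
    if pad_fits:                                       # length test is still a branch; Python cannot hide it
        for b in plaintext[-(pad_len + 1):]:
            diff |= b ^ pad_len                        # accumulate mismatches, no short-circuit
    pad_ok = pad_fits and diff == 0
    strip = pad_len + 1 if pad_ok else 0               # bad pad: treat as zero-length padding and carry on
    body = plaintext[:len(plaintext) - strip]
    payload, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    mac_ok = hmac.compare_digest(mac, hmac.new(key, payload, hashlib.sha1).digest())
    if not (pad_ok and mac_ok):
        raise RecordError("bad_record_mac")            # same alert whichever check failed
    return payload


def classify(verifier, key: bytes, plaintext: bytes) -> str:
    """Name of the error a verifier surfaces for a record, or "ok"."""
    try:
        verifier(key, plaintext)
        return "ok"
    except RecordError as err:
        return type(err).__name__


def corrupt_padding(rec: bytes) -> bytes:
    """Flip the high bit of the length byte so the pad no longer parses."""
    return rec[:-1] + bytes([rec[-1] ^ 0x80])


def corrupt_payload(rec: bytes) -> bytes:
    """Flip one payload bit: padding stays intact, only the MAC fails."""
    return bytes([rec[0] ^ 0x01]) + rec[1:]


# Constructed inputs: a throwaway MAC key and an IMAP LOGIN line as a client would send it.
KEY = b"constructed-mac-key-not-a-real-secret"
PAYLOAD = b"a001 LOGIN user secret\r\n"
RECORD = build_record(KEY, PAYLOAD)

if __name__ == "__main__":
    for name, verifier in (("leaky", verify_leaky), ("uniform", verify_uniform)):
        print(name,
              classify(verifier, KEY, RECORD),
              classify(verifier, KEY, corrupt_padding(RECORD)),
              classify(verifier, KEY, corrupt_payload(RECORD)))
```

Run stand-alone, the leaky verifier reports `BadPadding` for the damaged pad and `BadMac` for the damaged payload, while the uniform verifier reports `RecordError` for both and has done the same MAC computation in each case. Python cannot make the comparisons themselves constant-time; what the example shows is the control-flow and error-reporting structure that removes the distinguishable error, which is the part of the countermeasure a record-layer implementation controls.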
Keywords: Block Cipher, Error Message, Message Authentication Code, Data Encryption Standard, Dictionary Attack