Attacks/Breaches

3/26/2015
09:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

SSL/TLS Suffers 'Bar Mitzvah Attack'

Researcher at Black Hat Asia shows how attackers could abuse a known-weak crypto algorithm to steal credentials and other data from encrypted communications.

SSL/TLS encryption once again is being haunted by an outdated and weak feature long past its prime:  a newly discovered attack exploits a weakness in the older, less secure RC4 encryption algorithm option in SSL/TLS that's still supported in many browsers and servers.

Itsik Mantin, director of security research with Imperva, at Black Hat Asia in Singapore today will detail how an attacker could sniff credentials and other information during an SSL session in an attack he named the "Bar Mitzvah Attack" after 13-year-old weaknesses in the algorithm it abuses. The attack is a glaring reminder that the RC4 algorithm, long known to be breakable, should be put to rest once and for all, according to Mantin.

Bar Mitzvah exploits the weak keys used by RC4 and allows an attacker to recover plain text from the encrypted information, potentially exposing account credentials, credit card data, or other sensitive information. And unlike previous SSL hacks, this one doesn't require an active man-in-the-middle session, just passive sniffing or eavesdropping on SSL/TLS-encrypted connections, Mantin says. But MITM could be used as well, though, for hijacking a session, he says.

Using a sniffer, the attacker can passively spy on the SSL sessions of a targeted organization, for instance, or an application. He then can ferret out the keys being used in the encrypted session of a user logging on to his Facebook account, or a ecommerce transaction. The attacker sees "parts of the encrypted message" that can be used to wage an attack, Mantin says. "He can recover part of the random key stored in plain text … and recover parts of the plain text" prior to its being encrypted, he says. "When a weak key is used, part of the plain text can be recovered from the cipher text."

It's basically an algorithm problem, according to Mantin, who notes that most browsers still include support for RC4 and more than half of servers support it. He says some 30% of TLS sessions still use RC4, which for more than a decade has been superseded by the stronger AES algorithm.

Client machines and servers running SSL/TLS negotiate which algorithm to use for encrypted sessions, he explains. "Today, many still have RC4 in this negotiation process," he says. RC4 in some cases gets selected for performance reasons, he says.

The result: if RC4 is an option and gets selected, an attacker can potentially wage the Bar Mitzvah Attack.

But don't panic: Mantin says it's not an imminent threat per se, and fixing it merely requires removing the RC4 algorithm from the mix.

[Everything you need to know about today’s IT security challenges – but were afraid to ask. Register with Discount Code DRBLOG to save $100 for this special one-day event, Dark Reading's Cyber Security Crash Course at Interop on Wednesday, April 29.]

This isn't the first attack demonstrating RC4's woes:  in 2013, researchers Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt, showed how RC4 is basically broken.  "RC4 has been known to be weak for quite many years," says Mantin, who notes that the main difference with his attack and previous RC4 research is that his focuses on the use of the class of weak keys used by RC4.

He says while there's been a gradual trend to phase out RC4 altogether, the process has dragged on.

RC4's troubles have long been in the spotlight, he says, which is frustrating. "This is very odd to me. These things were known in the crypto community for more than a decade, old vulnerabilities in RC4 and in some sense, (they) were ignored by the security industry," Mantin says. 

Outdated Features Add Risk

The Bar Mitzvah Attack is yet another in a series of vulnerabilities in SSL/TLS encryption exposed over the past year due to old, outdated options in the encryption implementation. The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, for example, allowed an attacker to downgrade to the older, less secure SSL Version 3 encryption standard.

More recently, some SSL/TLS client and server implementations were found vulnerable to being forced to employ the weak, old-school 512-bit encryption option long abandoned as easily cracked. Some one-fourth of SSL-encrypted websites were found to be potentially vulnerable to the so-called Factoring RSA Export Keys (FREAK) attack, including FBI.gov and Whitehouse.gov. Microsoft Windows also was found vulnerable to FREAK, and since has been patched for the flaw.

Meanwhile, the Internet Engineering Task (IETF) is well aware of the problem of too many options in the crypto standards, so the new version of TLS currently under development, TLS 1.3, trims the fat in the specification, eliminating older encryption algorithms and other outdated features.

Mantin has now published a white paper with technical details of the attack, available here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SgS125
50%
50%
SgS125,
User Rank: Ninja
3/30/2015 | 9:58:24 AM
RC4
It is easy to not use it.

You simply remove it as an option from your list of availeable cyphers.

The troubling part is that to exploit alot of these weakneses in the past you would have been a nation state player or had access to MITM data points.  Now you just need access to the data stream and some gear to do some computing.  So as the playing field levels down to the criminals ability to have nation state capabilities we finally decide we have to fix the problem so we don't get robbed and lose some real money.

 

Sadly we did not care if we were spied on, now we care that we can be robbed.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
3/27/2015 | 2:04:44 PM
Re: Legacy Uses?
What's most interesting here is how these outdated -- and weak -- options continue to be included in SSL/TLS implementations. There may be a legacy or backwards-compatibility reason, but the bottom line is that it leaves users and companies vulnerable. The good news is the next version of TLS aims to be a leaner, meaner spec that doesn't carry this type of baggage. Of course, in the meantime, older versions remain vulnerable. 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
3/27/2015 | 1:52:34 PM
Legacy Uses?
What still uses RC4 (business case)? If its no longer needed I don't see why an update shouldn't be sought out to remove it?
Crowdsourced vs. Traditional Pen Testing
Alex Haynes, Chief Information Security Officer, CDL,  3/19/2019
BEC Scammer Pleads Guilty
Dark Reading Staff 3/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
The State of Cyber Security Incident Response
The State of Cyber Security Incident Response
Organizations are responding to new threats with new processes for detecting and mitigating them. Here's a look at how the discipline of incident response is evolving.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-9978
PUBLISHED: 2019-03-24
The social-warfare plugin before 3.5.3 for WordPress has stored XSS via the wp-admin/admin-post.php?swp_debug=load_options swp_url parameter, as exploited in the wild in March 2019. This affects Social Warfare and Social Warfare Pro.
CVE-2019-9977
PUBLISHED: 2019-03-24
The renderer process in the entertainment system on Tesla Model 3 vehicles mishandles JIT compilation, which allows attackers to trigger firmware code execution, and display a crafted message to vehicle occupants.
CVE-2019-9962
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to VCRUNTIME140!memcpy.
CVE-2019-9963
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to ntdll!RtlFreeHeap.
CVE-2019-9964
PUBLISHED: 2019-03-24
XnView MP 0.93.1 on Windows allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted file, related to ntdll!RtlpNtMakeTemporaryKey.