Attacks/Breaches

3/26/2015
09:00 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
100%
0%

SSL/TLS Suffers 'Bar Mitzvah Attack'

Researcher at Black Hat Asia shows how attackers could abuse a known-weak crypto algorithm to steal credentials and other data from encrypted communications.

SSL/TLS encryption once again is being haunted by an outdated and weak feature long past its prime:  a newly discovered attack exploits a weakness in the older, less secure RC4 encryption algorithm option in SSL/TLS that's still supported in many browsers and servers.

Itsik Mantin, director of security research with Imperva, at Black Hat Asia in Singapore today will detail how an attacker could sniff credentials and other information during an SSL session in an attack he named the "Bar Mitzvah Attack" after 13-year-old weaknesses in the algorithm it abuses. The attack is a glaring reminder that the RC4 algorithm, long known to be breakable, should be put to rest once and for all, according to Mantin.

Bar Mitzvah exploits the weak keys used by RC4 and allows an attacker to recover plain text from the encrypted information, potentially exposing account credentials, credit card data, or other sensitive information. And unlike previous SSL hacks, this one doesn't require an active man-in-the-middle session, just passive sniffing or eavesdropping on SSL/TLS-encrypted connections, Mantin says. But MITM could be used as well, though, for hijacking a session, he says.

Using a sniffer, the attacker can passively spy on the SSL sessions of a targeted organization, for instance, or an application. He then can ferret out the keys being used in the encrypted session of a user logging on to his Facebook account, or a ecommerce transaction. The attacker sees "parts of the encrypted message" that can be used to wage an attack, Mantin says. "He can recover part of the random key stored in plain text … and recover parts of the plain text" prior to its being encrypted, he says. "When a weak key is used, part of the plain text can be recovered from the cipher text."

It's basically an algorithm problem, according to Mantin, who notes that most browsers still include support for RC4 and more than half of servers support it. He says some 30% of TLS sessions still use RC4, which for more than a decade has been superseded by the stronger AES algorithm.

Client machines and servers running SSL/TLS negotiate which algorithm to use for encrypted sessions, he explains. "Today, many still have RC4 in this negotiation process," he says. RC4 in some cases gets selected for performance reasons, he says.

The result: if RC4 is an option and gets selected, an attacker can potentially wage the Bar Mitzvah Attack.

But don't panic: Mantin says it's not an imminent threat per se, and fixing it merely requires removing the RC4 algorithm from the mix.

[Everything you need to know about today’s IT security challenges – but were afraid to ask. Register with Discount Code DRBLOG to save $100 for this special one-day event, Dark Reading's Cyber Security Crash Course at Interop on Wednesday, April 29.]

This isn't the first attack demonstrating RC4's woes:  in 2013, researchers Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt, showed how RC4 is basically broken.  "RC4 has been known to be weak for quite many years," says Mantin, who notes that the main difference with his attack and previous RC4 research is that his focuses on the use of the class of weak keys used by RC4.

He says while there's been a gradual trend to phase out RC4 altogether, the process has dragged on.

RC4's troubles have long been in the spotlight, he says, which is frustrating. "This is very odd to me. These things were known in the crypto community for more than a decade, old vulnerabilities in RC4 and in some sense, (they) were ignored by the security industry," Mantin says. 

Outdated Features Add Risk

The Bar Mitzvah Attack is yet another in a series of vulnerabilities in SSL/TLS encryption exposed over the past year due to old, outdated options in the encryption implementation. The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, for example, allowed an attacker to downgrade to the older, less secure SSL Version 3 encryption standard.

More recently, some SSL/TLS client and server implementations were found vulnerable to being forced to employ the weak, old-school 512-bit encryption option long abandoned as easily cracked. Some one-fourth of SSL-encrypted websites were found to be potentially vulnerable to the so-called Factoring RSA Export Keys (FREAK) attack, including FBI.gov and Whitehouse.gov. Microsoft Windows also was found vulnerable to FREAK, and since has been patched for the flaw.

Meanwhile, the Internet Engineering Task (IETF) is well aware of the problem of too many options in the crypto standards, so the new version of TLS currently under development, TLS 1.3, trims the fat in the specification, eliminating older encryption algorithms and other outdated features.

Mantin has now published a white paper with technical details of the attack, available here.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SgS125
50%
50%
SgS125,
User Rank: Ninja
3/30/2015 | 9:58:24 AM
RC4
It is easy to not use it.

You simply remove it as an option from your list of availeable cyphers.

The troubling part is that to exploit alot of these weakneses in the past you would have been a nation state player or had access to MITM data points.  Now you just need access to the data stream and some gear to do some computing.  So as the playing field levels down to the criminals ability to have nation state capabilities we finally decide we have to fix the problem so we don't get robbed and lose some real money.

 

Sadly we did not care if we were spied on, now we care that we can be robbed.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
3/27/2015 | 2:04:44 PM
Re: Legacy Uses?
What's most interesting here is how these outdated -- and weak -- options continue to be included in SSL/TLS implementations. There may be a legacy or backwards-compatibility reason, but the bottom line is that it leaves users and companies vulnerable. The good news is the next version of TLS aims to be a leaner, meaner spec that doesn't carry this type of baggage. Of course, in the meantime, older versions remain vulnerable. 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
3/27/2015 | 1:52:34 PM
Legacy Uses?
What still uses RC4 (business case)? If its no longer needed I don't see why an update shouldn't be sought out to remove it?
How the US Chooses Which Zero-Day Vulnerabilities to Stockpile
Ricardo Arroyo, Senior Technical Product Manager, Watchguard Technologies,  1/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He just showed up at my doorstep one day without a geotag."
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3906
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 contains hardcoded credentials in the WCF service on port 9003. An authenticated remote attacker can use these credentials to access the badge system database and modify its contents.
CVE-2019-3907
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores user credentials and other sensitive information with a known weak encryption method (MD5 hash of a salt and password).
CVE-2019-3908
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores backup files as encrypted zip files. The password to the zip is hard-coded and unchangeable. An attacker with access to these backups can decrypt them and obtain sensitive data.
CVE-2019-3909
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 database uses default credentials. Users are unable to change the credentials without vendor intervention.
CVE-2019-3910
PUBLISHED: 2019-01-18
Crestron AM-100 before firmware version 1.6.0.2 contains an authentication bypass in the web interface's return.cgi script. Unauthenticated remote users can use the bypass to access some administrator functionality such as configuring update sources and rebooting the device.