09:00 AM
Connect Directly

SSL/TLS Suffers 'Bar Mitzvah Attack'

Researcher at Black Hat Asia shows how attackers could abuse a known-weak crypto algorithm to steal credentials and other data from encrypted communications.

SSL/TLS encryption once again is being haunted by an outdated and weak feature long past its prime:  a newly discovered attack exploits a weakness in the older, less secure RC4 encryption algorithm option in SSL/TLS that's still supported in many browsers and servers.

Itsik Mantin, director of security research with Imperva, at Black Hat Asia in Singapore today will detail how an attacker could sniff credentials and other information during an SSL session in an attack he named the "Bar Mitzvah Attack" after 13-year-old weaknesses in the algorithm it abuses. The attack is a glaring reminder that the RC4 algorithm, long known to be breakable, should be put to rest once and for all, according to Mantin.

Bar Mitzvah exploits the weak keys used by RC4 and allows an attacker to recover plain text from the encrypted information, potentially exposing account credentials, credit card data, or other sensitive information. And unlike previous SSL hacks, this one doesn't require an active man-in-the-middle session, just passive sniffing or eavesdropping on SSL/TLS-encrypted connections, Mantin says. But MITM could be used as well, though, for hijacking a session, he says.

Using a sniffer, the attacker can passively spy on the SSL sessions of a targeted organization, for instance, or an application. He then can ferret out the keys being used in the encrypted session of a user logging on to his Facebook account, or a ecommerce transaction. The attacker sees "parts of the encrypted message" that can be used to wage an attack, Mantin says. "He can recover part of the random key stored in plain text … and recover parts of the plain text" prior to its being encrypted, he says. "When a weak key is used, part of the plain text can be recovered from the cipher text."

It's basically an algorithm problem, according to Mantin, who notes that most browsers still include support for RC4 and more than half of servers support it. He says some 30% of TLS sessions still use RC4, which for more than a decade has been superseded by the stronger AES algorithm.

Client machines and servers running SSL/TLS negotiate which algorithm to use for encrypted sessions, he explains. "Today, many still have RC4 in this negotiation process," he says. RC4 in some cases gets selected for performance reasons, he says.

The result: if RC4 is an option and gets selected, an attacker can potentially wage the Bar Mitzvah Attack.

But don't panic: Mantin says it's not an imminent threat per se, and fixing it merely requires removing the RC4 algorithm from the mix.

[Everything you need to know about today’s IT security challenges – but were afraid to ask. Register with Discount Code DRBLOG to save $100 for this special one-day event, Dark Reading's Cyber Security Crash Course at Interop on Wednesday, April 29.]

This isn't the first attack demonstrating RC4's woes:  in 2013, researchers Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering and Jacob Schuldt, showed how RC4 is basically broken.  "RC4 has been known to be weak for quite many years," says Mantin, who notes that the main difference with his attack and previous RC4 research is that his focuses on the use of the class of weak keys used by RC4.

He says while there's been a gradual trend to phase out RC4 altogether, the process has dragged on.

RC4's troubles have long been in the spotlight, he says, which is frustrating. "This is very odd to me. These things were known in the crypto community for more than a decade, old vulnerabilities in RC4 and in some sense, (they) were ignored by the security industry," Mantin says. 

Outdated Features Add Risk

The Bar Mitzvah Attack is yet another in a series of vulnerabilities in SSL/TLS encryption exposed over the past year due to old, outdated options in the encryption implementation. The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, for example, allowed an attacker to downgrade to the older, less secure SSL Version 3 encryption standard.

More recently, some SSL/TLS client and server implementations were found vulnerable to being forced to employ the weak, old-school 512-bit encryption option long abandoned as easily cracked. Some one-fourth of SSL-encrypted websites were found to be potentially vulnerable to the so-called Factoring RSA Export Keys (FREAK) attack, including and Microsoft Windows also was found vulnerable to FREAK, and since has been patched for the flaw.

Meanwhile, the Internet Engineering Task (IETF) is well aware of the problem of too many options in the crypto standards, so the new version of TLS currently under development, TLS 1.3, trims the fat in the specification, eliminating older encryption algorithms and other outdated features.

Mantin has now published a white paper with technical details of the attack, available here.

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
3/30/2015 | 9:58:24 AM
It is easy to not use it.

You simply remove it as an option from your list of availeable cyphers.

The troubling part is that to exploit alot of these weakneses in the past you would have been a nation state player or had access to MITM data points.  Now you just need access to the data stream and some gear to do some computing.  So as the playing field levels down to the criminals ability to have nation state capabilities we finally decide we have to fix the problem so we don't get robbed and lose some real money.


Sadly we did not care if we were spied on, now we care that we can be robbed.
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
3/27/2015 | 2:04:44 PM
Re: Legacy Uses?
What's most interesting here is how these outdated -- and weak -- options continue to be included in SSL/TLS implementations. There may be a legacy or backwards-compatibility reason, but the bottom line is that it leaves users and companies vulnerable. The good news is the next version of TLS aims to be a leaner, meaner spec that doesn't carry this type of baggage. Of course, in the meantime, older versions remain vulnerable. 
User Rank: Ninja
3/27/2015 | 1:52:34 PM
Legacy Uses?
What still uses RC4 (business case)? If its no longer needed I don't see why an update shouldn't be sought out to remove it?
Register for Dark Reading Newsletters
White Papers
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
According to industry estimates, about a million new IT security jobs will be created in the next two years but there aren't enough skilled professionals to fill them. On top of that, there isn't necessarily a clear path to a career in security. Dark Reading Executive Editor Kelly Jackson Higgins hosts guests Carson Sweet, co-founder and CTO of CloudPassage, which published a shocking study of the security gap in top US undergrad computer science programs, and Rodney Petersen, head of NIST's new National Initiative for Cybersecurity Education.