A Lucky Thirteen attack is a cryptographic timing attack against implementations of the Transport Layer Security (TLS) protocol that use the CBC mode of operation, first reported in February 2013 by its developers Nadhem J. AlFardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London.
Attack
It is a novel variant of Serge Vaudenay's padding oracle attack that was previously thought to have been fixed, that uses a timing side-channel attack against the message authentication code (MAC) check stage in the TLS algorithm to break the algorithm in a way that was not fixed by previous attempts to mitigate Vaudenay's attack.
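The timing difference at the MAC check stage can be shown with a small model, added here as an example and not code from the researchers or from any TLS library. It assumes HMAC-SHA1 (64-byte compression blocks, 20-byte tag), 13 MAC'd header bytes per record, and bad padding treated as a zero-length pad; the function names and sample records are constructed.

```python
BLOCK = 64   # SHA-1 compression-function block size in bytes
TAG = 20     # HMAC-SHA1 tag length
HDR = 13     # MAC'd header: 8-byte sequence number + 5-byte record header

def tls_pad_len(plaintext: bytes) -> int:
    """Bytes of well-formed TLS CBC padding (including the length byte).

    Malformed padding is treated as a zero-length pad so that the MAC is
    still computed, the earlier mitigation for Vaudenay's attack.
    """
    n = plaintext[-1]
    if n + 1 + TAG > len(plaintext):
        return 0
    if plaintext[-(n + 1):] != bytes([n]) * (n + 1):
        return 0
    return n + 1

def hmac_compressions(msg_len: int) -> int:
    """Compression-function calls HMAC-SHA1 makes for msg_len bytes."""
    # Inner hash: one key block, then the message plus >= 9 bytes of SHA-1
    # padding. Outer hash: one key block plus one block for the inner digest.
    inner = 1 + (msg_len + 9 + BLOCK - 1) // BLOCK
    return inner + 2

def mac_work(plaintext: bytes) -> int:
    """Work done by a MAC check that hashes only the unpadded data."""
    data_len = len(plaintext) - tls_pad_len(plaintext) - TAG
    return hmac_compressions(HDR + data_len)

def uniform_work(plaintext: bytes) -> int:
    """Work when the check always processes the maximum possible length."""
    return hmac_compressions(HDR + len(plaintext) - TAG)

# Constructed 64-byte decrypted records (contents are filler).
RECORDS = {
    "two pad bytes 01 01": b"A" * 62 + b"\x01\x01",
    "one pad byte 00": b"A" * 63 + b"\x00",
    "malformed padding": b"A" * 62 + b"\x07\x01",
}

if __name__ == "__main__":
    for name, rec in RECORDS.items():
        print(f"{name:20} naive={mac_work(rec)} uniform={uniform_work(rec)}")
```

With two pad bytes, 13 + 42 = 55 bytes are hashed, which still fits one SHA-1 block after hash padding; the other two records need one more compression call, so the MAC check takes measurably different time even though it is always performed.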
"In this sense, the attacks do not pose a significant danger to ordinary users of TLS in their current form. However, it is a truism that attacks only get better with time, and we cannot anticipate what improvements to our attacks, or entirely new attacks, may yet be discovered." — Nadhem J. AlFardan and Kenny Paterson
The researchers only examined Free Software implementations of TLS and found all examined products to be potentially vulnerable to the attack. They have tested their attacks successfully against OpenSSL and GnuTLS. Because the researchers applied responsible disclosure and worked with the software vendors, some software updates to mitigate the attacks were available at the time of publication.
Martin R. Albrecht and Paterson have since demonstrated a variant Lucky Thirteen attack against Amazon's s2n TLS implementation, even though s2n includes countermeasures intended to prevent timing attacks.
External links
Time is money (in CBC ciphersuites), Nikos Mavrogiannopoulos, 5 February 2013