Raccoon 2 – Attacks on TLS Implementations

01/02/202101/02/2021| Vera NeelRaccoon 2 – Attacks on TLS Implementations| 0 Comment| 04:51
Categories :

Truncation attacks show why it is important that both Alice and Bob have the same view of the cryptographic protocol they are executing. If Bob thinks they are both in state x but Alice thinks they are in state y, the security of the whole protocol may be compromised.

The danger of making assumptions about input data – in other words, data that might come from Eve or be manipulated by Mallory – is illustrated by Heartbleed. It is also yet more evidence that programming is inherently hard, and so extra effort must be invested in validating the implementations of cryptographic systems.

Along similar lines, Heartbleed shows that getting the specification right does not guarantee the security of an actual system. Right from the start, RFC 6520 correctly specified that if a TLS peer receives a Heartbeat message where payload˙length is too large, they must silently discard that message; however, that specification was not implemented accordingly.

Cloudbleed, once again, illustrates how sneaky bugs can be and that dormant bugs can exist in source code even if the implementation does not show any vulnerable behavior today. It also shows that software companies with professional developers on their payroll are susceptible to implementation-level security vulnerabilities in the same manner as open source projects with voluntary maintainers and contributors.

Moreover, Cloudbleed is a practical example of security problems caused by switching from one technology to another. On the positive side, it shows that having kill switches to immediately turn off a deployed feature is one of the best patterns for building secure systems.

Implementation bugs degrading the quality of random number generation highlight that entropy is fundamental and, at the same time, hard to test. While a collection of statistical tests might have uncovered the Debian bug, simple tests won’t work. Testing the remaining cryptographic functions, say, block cipher and hash function implementations, with known-answer-tests will not reveal missing entropy.

Insecure encryption invocation illustrates how the use of legacy protocols in conjunction with modern, secure protocols can undermine the system’s security. Raccoon is yet another example of how side channel leakage can be exploited to extract secrets.

Finally, there is a more general insight to be learned from the attacks described in this chapter: while they have nothing to do with cryptography, the financial damage caused by Heartbleed alone very likely exceeds that of all cryptanalytic attacks on TLS taken together.

It thus seems appropriate to close this chapter – and the book – with a quote by Niels Ferguson and Bruce Schneier [65]: Cryptography is fiendishly difficult. Even seasoned experts design systems that are broken a few years later. [At the same time, cryptography] is one of the easy parts of a security system. […] Cryptography is the easy part because there are people who know how to do a reasonably good job. […] The rest of the security system contains problems that we don’t know how to solve.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Post

BREACH – Attacks on the TLS Record Protocol

09/02/202209/02/2022 Vera NeelBREACH – Attacks on the TLS Record Protocol
21.5.6 BREACH In the second half of 2013, security researchers Yoel Gluck, Neal Harris, and [...]
Read MoreRead More

The timing signal – Attacks on the TLS Record Protocol

02/05/202402/05/2024 Vera NeelThe timing signal – Attacks on the TLS Record Protocol
21.1.2 The timing signal You may be wondering where the timing signal originates from in [...]
Read MoreRead More

FREAK – Attacks on TLS Implementations

03/05/202203/05/2022 Vera NeelFREAK – Attacks on TLS Implementations
22.2 FREAK FREAK stands for Factoring RSA Export Keys. The attack was discovered in 2017 [...]
Read MoreRead More