Vigil@nce - TLS, DTLS: information disclosure in CBC mode, Lucky 13
February 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can inject wrong encrypted messages into a TLS/DTLS
session in CBC mode, and measure the delay before the error
message is received, in order to progressively guess the clear
content of the session.
Impacted products: Bouncy Castle JCE, OpenSSL, Opera, SSL/TLS,
Unix (platform)
Severity: 1/4
Creation date: 05/02/2013
DESCRIPTION OF THE VULNERABILITY
The TLS protocol uses a block encryption algorithm. In CBC (Cipher
Block Chaining) mode, the encryption of each block depends on the
previous block.
When an incorrect encrypted message is received, a fatal error
message is sent to the sender. However, the time taken to generate
this error message depends on the number of valid bytes, because
that number determines how much data the MAC hash has to process.
An attacker can therefore inject wrong encrypted messages into a
TLS/DTLS session in CBC mode, and measure the delay before the
error message is received, in order to progressively guess the
clear content of the session.
In order to guess one clear block, 2^23 TLS sessions are required.
So, to exploit this vulnerability, the TLS client has to keep
opening a new session as soon as the previous one has ended with a
fatal error.
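The following Python model is added here as an illustration and is not part of the Vigil@nce bulletin or of any affected product. It works on the already decrypted CBC plaintext of a TLS 1.x record (data || MAC || padding || padding_length) and counts how many SHA-1 compression calls the HMAC verification costs, since that count is what produces the measurable delay. The leaky check lets the cost follow the padding length found in the record; the constant-cost variant always performs the work of the longest possible body, which is the approach the Lucky 13 fixes took. Key, record contents and block sizes are constructed values.

```python
"""Constructed model of the TLS MAC-then-encrypt record check behind Lucky 13.

Assumes HMAC-SHA1 as the record MAC; the cost unit is one SHA-1
compression-function call (64-byte block)."""
import hashlib
import hmac

MAC_LEN = 20        # HMAC-SHA1 tag length in bytes
SHA1_BLOCK = 64     # SHA-1 compression block size in bytes


def sha1_compressions(n_bytes: int) -> int:
    """Compression calls needed to hash n_bytes: SHA-1 appends a 9-byte
    trailer (0x80 plus the 64-bit length) and pads to a whole block."""
    return (n_bytes + 9 + SHA1_BLOCK - 1) // SHA1_BLOCK


def hmac_sha1_cost(n_bytes: int) -> int:
    """Compression calls for HMAC-SHA1 over n_bytes: inner hash = one key
    block + the message; outer hash = one key block + the 20-byte digest."""
    return (1 + sha1_compressions(n_bytes)) + (1 + sha1_compressions(MAC_LEN))


def build_plaintext(data: bytes, mac_key: bytes, pad_len: int) -> bytes:
    """What a correct sender produces before CBC encryption:
    data || HMAC(data) || (pad_len + 1) bytes each equal to pad_len."""
    tag = hmac.new(mac_key, data, hashlib.sha1).digest()
    return data + tag + bytes([pad_len]) * (pad_len + 1)


def parse_record(plaintext: bytes):
    """Split a decrypted record into (body, tag, padding_ok). On bad padding,
    RFC 5246 6.2.3.2 says to continue as if the padding had length zero so
    that a MAC failure is still raised; this is what the model does too."""
    if len(plaintext) < MAC_LEN + 1:
        return b"", b"", False
    pad_len = plaintext[-1]
    pad_ok = (len(plaintext) >= MAC_LEN + pad_len + 1
              and plaintext[-(pad_len + 1):] == bytes([pad_len]) * (pad_len + 1))
    if not pad_ok:
        pad_len = 0
    body_end = len(plaintext) - MAC_LEN - pad_len - 1
    return plaintext[:body_end], plaintext[body_end:body_end + MAC_LEN], pad_ok


def leaky_check(plaintext: bytes, mac_key: bytes):
    """Returns (valid, cost). The cost depends on the body length, which
    depends on the padding byte: a modified ciphertext that changes the
    apparent padding changes how long the MAC computation takes."""
    body, tag, pad_ok = parse_record(plaintext)
    expected = hmac.new(mac_key, body, hashlib.sha1).digest()
    mac_ok = hmac.compare_digest(tag, expected)
    return (pad_ok and mac_ok), hmac_sha1_cost(len(body))


def constant_cost_check(plaintext: bytes, mac_key: bytes):
    """Same verdict, but the HMAC work always equals that of the longest
    body this record could carry (zero-length padding), so the cost no
    longer reveals anything about the padding."""
    body, tag, pad_ok = parse_record(plaintext)
    expected = hmac.new(mac_key, body, hashlib.sha1).digest()
    mac_ok = hmac.compare_digest(tag, expected)
    max_body = len(plaintext) - MAC_LEN - 1
    target = hmac_sha1_cost(max_body)
    extra = target - hmac_sha1_cost(len(body))
    if extra > 0:
        # Dummy work: hashing extra*64 - 9 bytes costs exactly `extra`
        # compression calls once the 9-byte trailer is appended.
        hashlib.sha1(b"\x00" * (extra * SHA1_BLOCK - 9)).digest()
    return (pad_ok and mac_ok), target


if __name__ == "__main__":
    key = b"constructed-mac-key"
    # Two records of identical length (81 bytes) differing only in padding.
    short_pad = build_plaintext(b"A" * 60, key, 0)
    long_pad = build_plaintext(b"A" * 45, key, 15)
    for name, rec in (("pad 0", short_pad), ("pad 15", long_pad)):
        # Flip one body byte, as a modified ciphertext would after decryption.
        damaged = bytes([rec[0] ^ 1]) + rec[1:]
        print(name, "leaky:", leaky_check(damaged, key),
              "constant:", constant_cost_check(damaged, key))
```

In the leaky check both damaged records are rejected, but one costs 5 compression calls and the other 4, so a sender who measures the delay learns which padding the decrypted record had; the constant-cost check rejects both at a cost of 5. The model only covers the hashing work; a real fix must also avoid data-dependent branches and memory accesses in the padding and MAC comparison, or move to an encrypt-then-MAC or AEAD cipher suite.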
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/TLS-DTLS-information-disclosure-in-CBC-mode-Lucky-13-12374