A new attack exposes some long-standing weaknesses in TLS, DTLS, and some versions of SSL 3.0.
In a paper, Nadhem AlFardan of the Information Security Group at Royal Holloway, University of London, and Kenny Paterson, a Professor of Information Security and an EPSRC Leadership Fellow in the Information Security Group, detail how the attack works.
They state that “In their simplest form, our attacks can reliably recover a complete block of TLS-encrypted plaintext using about 2^23 TLS sessions, assuming the attacker is located on the same LAN as the machine being attacked and HMAC-SHA1 is used as TLS’s MAC algorithm. This can be reduced to 2^19 TLS sessions if the plaintext is known to be base64 encoded. This can be further reduced to 2^13 sessions per byte if a byte of plaintext in one of the last two positions in a block is already known.”
As for the name of the attack, “Lucky 13”: “In Western culture,” the researchers write, “13 is considered an unlucky number. However, for our attack, the fact that the TLS MAC calculation includes 13 bytes of header information (5 bytes of TLS header plus 8 bytes of TLS sequence number) is, in part, what makes the attacks possible. So, in the context of our attacks, 13 is lucky – from the attacker’s perspective at least. This is what passes for humour amongst cryptographers.”
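The 13 bytes the researchers refer to, shown as an added example that is not code from the paper or from this article: it builds the MAC input for one TLS record (8-byte sequence number plus 5-byte record header) and computes HMAC-SHA1 over it. Going beyond the quoted text, it also counts SHA-1 compression-function calls, showing that MAC cost steps up at a payload length fixed by those 13 bytes, which is why MAC verification has to take the same time whatever the padding says. The key, sequence number and payload are constructed sample values, and the function names are this example's own.

```python
import hashlib
import hmac
import struct

SHA1_BLOCK = 64    # bytes consumed per SHA-1 compression-function call
SHA1_MIN_PAD = 9   # mandatory padding: 0x80 marker + 8-byte message length
SHA1_DIGEST = 20   # SHA-1 output size in bytes


def mac_header(seq_num, content_type, version, length):
    """8-byte sequence number + 5-byte TLS header (type, version, length)."""
    return struct.pack("!QBBBH", seq_num, content_type,
                       version[0], version[1], length)


def record_mac(key, seq_num, content_type, version, payload):
    """HMAC-SHA1 over the 13 header bytes followed by the record payload."""
    header = mac_header(seq_num, content_type, version, len(payload))
    return hmac.new(key, header + payload, hashlib.sha1).digest()


def sha1_blocks(msg_len):
    """Compression-function calls SHA-1 needs for a msg_len-byte message."""
    return (msg_len + SHA1_MIN_PAD + SHA1_BLOCK - 1) // SHA1_BLOCK


def hmac_sha1_blocks(payload_len):
    """Compression-function calls for HMAC-SHA1 over header + payload.

    Inner hash: 64-byte key pad + 13 header bytes + payload.
    Outer hash: 64-byte key pad + 20-byte inner digest.
    """
    header_len = len(mac_header(0, 0, (0, 0), 0))  # always 13
    inner = sha1_blocks(SHA1_BLOCK + header_len + payload_len)
    outer = sha1_blocks(SHA1_BLOCK + SHA1_DIGEST)
    return inner + outer


if __name__ == "__main__":
    key = b"\x0b" * 20              # constructed sample MAC key
    payload = b"GET / HTTP/1.1\r\n"   # constructed sample record payload
    # Content type 23 = application data, version (3, 2) = TLS 1.1.
    print("MAC header:", mac_header(1, 23, (3, 2), len(payload)).hex())
    print("MAC tag:   ", record_mac(key, 1, 23, (3, 2), payload).hex())
    for n in (41, 42, 43, 44):
        print(f"payload {n:2d} bytes -> {hmac_sha1_blocks(n)} compression calls")
```

The step from 4 to 5 calls falls between 42 and 43 payload bytes because 13 + 42 = 55 is the largest message that fits, with SHA-1 padding, in one 64-byte block.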