Hacker News new | past | comments | ask | show | jobs | submit login
Practical attack against TLS/SSL and RC4 (rc4nomore.com)
111 points by tomvangoethem on July 15, 2015 | hide | past | favorite | 42 comments

It's fairly likely that rumors of the NSA's ability to 'decrypt SSL' refers to RC4 vulnerabilities.

Are you sure about that? This attack requires a js exec in browser to generate lots of traffic containing the cookie. It's a little impractical to use in a SIGINT capacity. My bet is still on precalculated DH like logjam attack.

Still the quote from @ioerror is: "RC4 is broken in real time" so that's either hyperbole or there is an attack better than 75 hours still out there.

NSA has been ahead of the state of art in cryptography, as the past has shown. So perhaps they already have an even more practical attack on RC4 for a long time.

I'd also lean toward Logjam, but I'm biased. :)

While I agree that RC4 should die in a fire, this attack seems impractical to me.

> To successfully decrypt a 16-character cookie with a success probability of 94%, roughly 9x2^27 encryptions of the cookie need to be captured. Since we can make the client transmit 4450 requests per seconds, this amount can be collected in merely 75 hours.

How likely would that amount of network traffic and energy consumption cue the potential victim that something malicious is going on?

Colleague of the author here.

I guess that 4450 requests/s to one IP, or even spread across multiple IPs, could trigger some alarms if the victim is alert. Unfortunately, I'm not that familiar with IDS/IPS's to answer that with much confidence.

In any case, an attacker has a lot of options. The requests do not need to be made sequentially, so an attacker could basically start and resume his attack whenever he wants, e.g. when the victim is away from keyboard (which he can estimate based on the network traffic someone usually generates). An attacker could also simply slow down the number of requests/s, although this results in a larger number of hours required for a successful attack.

As for energy/CPU consumption, I don't think that'd be a big concern. When the practical attack was performed, the CPU usage went up to around 75%, still allowing one to visit other websites without noticing anything. So unless one would closely monitor the CPU/network usage, I don't think the average victim would notice it.

> As for energy/CPU consumption, I don't think that'd be a big concern.

What if this attack targeted a phone or laptop? Battery would die faster, device would get warmer, and fans spin up.

If your last line of defense in encryption/network security is noticing that the fan spins up more often then you already lost the game.

Why even bring it up?

It's not a line of defense. I'm thinking about less computer literate people. Do you know a friend or family member that would call you and say "My laptop's really hot, loud, and slow, but it's not doing anything!" and ask for advice?

Do you really think they're the kind of people who'll be targeted by this attack instead of some refined version in the future?

Do you really think this scenario is realistic and worthy of consideration at all?

Honestly, the vast majority of people will not notice an increase in traffic, no matter how big it is (this is what, a 285kb/s increase in net traffic?).

I think the bigger issue with this exploit is just the fact that so many submissions need to be sent. I don't really see someone sitting there for 75 hours while this takes place without closing the browser/window/tab.

EDIT: If you're already injecting JS, you're probably better off just phishing the user for their credentials. Faster, easier, and will work more often than relying on the user staying active enough to send traffic for the next 75h.

EDIT 2: Not saying this isn't a valid vulnerability, just not one that can be practically executed currently without much simpler alternatives.

> I don't really see someone sitting there for 75 hours while this takes place without closing the browser/window/tab.

But that's not a problem. If the user closes the browser or tab, the attack can continue at a later point in time. It doesn't need to be collected all at once. As a concrete example, if you leave your computer at work running during the weekend, the attacker has enough time. Or if you leave it running during the night, the attack can be spread out over a few nights. I'm sure there are even more scenarios than just these two examples: there's room for quite some flexibility when performing the attack.

Correct me if I'm wrong here, but:

That's assuming the attacker regains control, so you'd have to visit a malicious page every time the attack needs to be re-initiated. EDIT: I'm dumb, somehow I managed to forget mid conversation that this was assuming MitM and not a compromised site. Disregard this point.

Also, while this method can be used for other, static data, pretty much all of the stuff you would want / have access to through doing this will be time-sensitive. Even a straight 72h most "secure" things such as cookies will be changed, forcing a restart of this process. Extending this even longer just gives a bigger window for the cookie/whatever to timeout.

EDIT: though I guess if the cookie you're trying to crack doesn't expire, then this could be an issue. I still think there are vastly easier methods if you can arbitrarily inject into http pages though.

Note that the "malicious page" could also be embedded / injected in another page. Basically any non-https page opened over public WiFi would be enough. And conveniently users on public wifi are also the easiest to sniff, so the group on which breaking encryption makes most sense.

> That's assuming the attacker regains control, so you'd have to visit a malicious page every time the attack needs to be re-initiated.

Every non-HTTPS page can be considered malicious, if the attacker can do a MITM.

Since the attacker can capture the encrypted traffic, he most probably is in the middle and can do a MITM.

Therefore, if you are under this attack, every non-HTTPS page is malicious.

Impractical or not, this is still showing a possible attack.

Let's say the client leaves their computer on at work over a long weekend ...

The collision attacks against MD5 were at first also claimed to be impractical...

rc4 has been cryptographically broken before its specification has been public. Its first reference on usenet was a discussion of how to break it. Which OP's attack is fundamentally the same.

It really shouldn't have been considered a proper cryptographic cypher ever.

Yea, I like to mention how it was considered a trade secret of RSA Security.

This is how these attacks work. Someone comes up with numbers like the above and publish. Others improve on it and the amount of work needed reduces. You can see it happen with hash functions as Valerie Aurora shows (also see the reactions table): http://valerieaurora.org/hash.htm

Broken link?

Sorry. There should be a trailing 'l' that got dropped when I copy pasted.

Oops, I thought I'd also tried that correction, but I must have made a typo. :)

How often do you leave a web page open on your computer then leave for a while, I often do. It would probably be prudent that the NSA has ways of doing this with much less effort, perhaps bringing down the number of requests needed to just a few thousand.

4450 requests per second seems like it would only be possible in an intranet setting where the requests resolve basically instantly. I believe browsers are restricted to 8 active XHR per domain which makes it seem even less likely you could achieve this kind of throughput on an actual website with any kind of latency at all.

Do you know if the per-domain concurrent request limit is actually a request limit, or just a socket limit? That is, does it still apply if you're making all those requests using one HTTP/2 carrier socket?

I believe the HTTP spec talks about requests, though I don't know how this was translated into the HTTP/2 spec.

Attacks against crypto only get better, not worse.

As Roy T. Fieldings once said in his research paper, "Cookie-based applications on the Web will never be reliable!" https://www.ics.uci.edu/~fielding/pubs/dissertation/evaluati... Section

Does anyone else find it ironic that not only is this link HTTP, but HTTPS is broken for this domain?


Hopefully the NSA MITMs it with an "RC4 is fffiiinnneee" message.

It's not really their fault - they're hosting on Github, whose infrastructure presents a Github.com cert to HTTPS requests.

https://vanhoefm.github.io/rc4nomore/ is a valid HTTPS address for the site.

They fixed it.

I feel "practical" is too strong of a word here. It's probably a more practical attack than previous attacks, but that doesn't make it practical by a long stretch.

"Only" 75 hours, where you have to force the victim to do make a very large number of encrypted messages. IMO, this wouldn't work when trying to break someone's SSL connection at the local Starbucks.

> ...but that doesn't make it practical...

If I had a dime for every penny of damage caused when people downplay the practicality of attacks against deployed crypto...

75 hours is enough time to attack a laptop left plugged in at the office over a 3-day weekend, and there's no reason why you'd have to attack only one laptop at a time.

The paper also says, "capturing traffic for 52 hours already proved to be sufficient", so it's not like 75 hours is some hard minimum.


"Our attack is not limited to decrypting cookies. Any data or information that is repeatedly encrypted can be recovered."

"We can break a WPA-TKIP network within an hour."

RC4 is dead, dead, dead. As with MD5, the writing's been on the wall for a while now, and attacks are only going to get better.

The attack numbers are under artificially generated network traffic.

Yes, but we present several techniques on how to generate these amounts of data. For TLS and HTTPS you can use JavaScript. For WPA-TKIP you need control of one TCP connection, and that is enough to generate the data. We're not saying it's a point and click attack, but it's a very good reason to start worrying :)

"Attacks always get better; they never get worse." – The NSA[1]

[1] http://tools.ietf.org/html/rfc4270#section-6

I feel like we need a richer vocabulary for the security status of given crypto algorithms/implementations. It's great to be conservative and call everything that isn't perfect "broken", but it'd be nice to have an urgency coefficient to know whether "broken" means "someone will exploit this in a few years" or "the government could attack you with a $50mm cluster" or "your machine could be exploited while you're getting coffee" or even "there's a worm in the wild right now that uses this to spread".

It's hard to predict how crypto can handle against powerful adversaries or in time.

But if a couple guys can break something in 75 hours, knowing crypto attacks only get better, you can already consider this broken.

The keys they used were only 128 bits, whereas RC4 actually supports up to 2048 bits. I wonder how much that affects their results. (AFAIK the 128 bits is an export restriction thing, upgraded from the previous trivially-breakable 40 bits.)

Also, 16 characters seems awfully short for a cookie, especially one meant for authentication purposes.

I don't think SSL/TLS allow key lengths > 128 bits with RC4. Export is 40 or 56 bits. You can see most supported ciphers here: https://www.openssl.org/docs/apps/ciphers.html


    TLS_RSA_WITH_RC4_128_MD5                RC4-MD5
    TLS_RSA_WITH_RC4_128_SHA                RC4-SHA

AFAIK one description of RC4 always expand the key to a 256 byte array by repeating the key. It would be interesting to run keystream bias tests against this full array.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact