TLS 1.3 vulnerability enables hackers to eavesdrop on encrypted traffic

News by Rene Millman

Researchers have demonstrated how to break the TLS 1.3 encryption protocol using a variation of the Bleichenbacher attack.

Academics have found a vulnerability in TLS1.3 which allows hackers to intercept encrypted traffic to steal data which was thought to be safe and secure.

According to a research paper published by academics at Tel Aviv University, University of Adelaide, University of Michigan and the Weizmann Institute, as well as the NCC Group and Data61, the latest attack is a variation of the original Bleichenbacher oracle attack that was able to decrypt an RSA encrypted message using the Public-Key Cryptography Standards.

The new attack works against the latest version of the TLS protocol, TLS 1.3, released last spring and believed to be secure.

"The attack leverages a side-channel leak via cache access timings of these implementations in order to break the RSA key exchanges of TLS implementations," the researchers said.

TLS 1.3 does not offer an RSA key exchange, so researchers started with downgrading to an older version of TLS (TLS 1.2) for the use of the attack. 

The downgrade attack bypasses a number of downgrade mitigations, such as one server-side and two client-side.

"We tested nine different TLS implementations against cache attacks and seven were found to be vulnerable: OpenSSL, Amazon s2n, MbedTLS, Apple CoreTLS, Mozilla NSS, WolfSSL, and GnuTLS," researchers said. Two implementations that were not vulnerable were  BearSSL and Google's BoringSSL.

"As it stands, RSA is the only known downgrade attack on TLS 1.3, which we are the first to successfully exploit in this research", said David Wong, security consultant at NCC Group.

Researchers said that using larger RSA keys could mitigate such attacks as well as shortening the handshake timeout.

Broderick Perelli-Harris, senior director at professional services at Venafi, told SC Media UK that variations of the Bleichenbacher attack have been cropping up since 1998, so it shouldn’t be surprising that TLS 1.3 has been found to be vulnerable as well.

"Nonetheless, TLS 1.3 is the newest flavour of this cryptographic protocol and the fact that this vulnerability still exists is more than a little concerning," he said.

"Unfortunately, many enterprises are still unaware how many TLS certificates they have, where they are or how they are being used – making it impossible to quickly find and remediate against such vulnerabilities when a crypto-event such as this happens. This makes answering easy questions, such as how many servers will be affected by this vulnerability, virtually impossible."

Jake Moore, cyber-security specialist at ESET UK, told SC that this new cryptographic attack isn't the first and probably won’t be the last variation.

"The failure is in the original make up of TLS encryption protocol which seems to be like playing a game of Whac-A-Mole with security – every time it’s patched, another vulnerability seems to pop up," he said.

"Sadly, due to the nature of the design, patching it is the best you can do. This means that keeping on top of updates has never been more important. However, moving forward, security by design in encryption protocols is naturally the more secure way of creating a better protected future."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews