DS ThreatAnalysis-BEAST TLS Attack Analysis-2011!09!28


  • 7/31/2019 DS ThreatAnalysis-BEAST TLS Attack Analysis-2011!09!28


    Threat Analysis September 28, 2011 Copyright 2011 Symantec Page 1

    BEAST TLS 1.0 Attack Analysis

    Version 1: September 28, 2011, 18:00 GMT

    Analysts: Sean Hittel

    Executive summary

    On September 23, 2011, Juliano Rizzo and Thai Duong spoke at the ekoparty Security Conference. The two researchers introduced and demonstrated a practical exploitation of a known vulnerability in SSL/TLS. The researchers dubbed their method BEAST, which is an acronym for browser exploit against SSL/TLS. The following is an analysis of the characteristics and techniques used by BEAST.

    Action items

    • Control the transmission mechanism. Although one of the main goals of SSL is to permit the use of untrusted communication gateways, until the BEAST attack is better understood and mitigated we recommend only accessing SSL sites and VPNs over trusted mediums as opposed to wireless and public Ethernet connections.

    • Upgrade to TLS 1.1/SSL 3.2 or later.

    • Use two-factor authentication or TANs.

    DeepSight Threat Management System Threat Analysis

    Urgency: Moderate

    Associated vulnerabilities: None

    Associated Bugtraq ID: None

    Ease of exploit: Difficult

    Affected systems: Communications using TLS 1.0


    Technical description

    On September 23, 2011, a practical implementation of an exploit for a long-known vulnerability in SSL was released at the ekoparty Security Conference by Juliano Rizzo and Thai Duong. Their implementation, known as a browser exploit against SSL/TLS (BEAST), is very similar to one released in 2006 (http://eprint.iacr.org/2006/136.pdf), although BEAST does offer at least two innovations.

    Cryptographically, the biggest refinement is in controlling the chosen plaintext/unknown message boundary when implementing a blockwise-adaptive chosen-plaintext attack. The authors of BEAST call this attack refinement a blockwise chosen-boundary attack (BCBA).

    In this refinement of the blockwise-adaptive chosen-plaintext attack, the attacker inserts sufficient chosen plaintext into each block such that only one byte is unknown at any given time. Because of this level of control, each byte requires a maximum of 256 guesses to learn the single target byte. Because the target of this attack is the HTTP sessionid, this attack need only be repeated for each byte in the sessionid.

    BEAST's second refinement is in finding a set of Web technologies that permits it to violate the same-origin principle and send requests via the victim's browser. BEAST's authors suggest the HTML5 WebSocket API, the Java URLConnection API, and the Silverlight WebClient API for this reason, although they concede this is not likely to be a complete list. These technologies permit the attacker to open cookie-bearing HTTP (over SSL) requests to the HTTPS site and to control the format of the HTTP request method, both of which are requirements for this attack to be successful.

    A BEAST attack would work like this:

    1. A victim visits an HTTP site that is under the attacker's control. At this point, the BEAST applet is installed on the victim's browser.

    2. The victim browses to HTTPS://financial-institution.com

    3. While this HTTPS connection is open, the attacker begins the BEAST attack using the installed Java applet.

    (The order of steps 1 and 2 is not important as long as the HTTPS connection is open for the duration of the BEAST attack.)

    Figure 1. BEAST attack underway


    The goal is to decrypt the HTTP sessionid, which is encrypted in SSL. Once the attacker has this, they are able to impersonate the authenticated victim and perform fraudulent transactions. The underlying cryptographic vulnerability used in the BEAST attack is a limitation in SSL known as a blockwise-adaptive chosen-plaintext attack (BACPA), itself a subset of a classical chosen plaintext attack.

    Figure 2. Classic chosen-plaintext attack

    Since the discovery of BACPA, the above scenario has been termed a message-wise chosen plaintext attack (MCPA). BACPA, on the other hand, is an attack against the use of a block cipher (such as AES) in which the attacker chooses (or guesses) blocks of plaintext to insert based on previous encrypted blocks.


    Figure 3. Normal operation of a block-cipher based communication channel

    Figure 4. Block diagram of a generic blockwise-adaptive chosen-plaintext attack

    BEAST further refines this blockwise-adaptive chosen plaintext attack to control the boundary where the messages are split across blocks. BEAST's attack on SSL occurs as follows:


    1. BEAST computes a URL such that initially only one byte of unknown encrypted message is sent in a target block.

    2. This message is continually retransmitted, varying the chosen input byte until it matches the encrypted byte. At most this will take 256 attempts.

    3. Once the attacker's sniffer detects that the correct byte has been learned, the BEAST applet in the victim's browser is instructed to send another SSL request, but this time shifting the boundary by one byte so that a block will contain the next unknown byte.

    This process continues until all interesting bytes are retrieved from the SSL session. It would be an exhausting endeavour to attack each byte in an SSL stream in this fashion. However, the attacker only needs all of the bytes in the HTTP sessionid cookie to be able to hijack the session and act as the authenticated user. Because the attacker controls the filename portion of the HTTPS requests, and the underlying HTTP is so well formatted, the attacker need only attack each byte of the cookie.

    POST filename HTTP/1.1
    Cookie: sessionid=********************************

    Request body

    Where ******************************** is the encrypted cookie to recover.

    Assuming 8-byte blocks for this example, this would be sent as follows:

    Block end

    1   2   3   4   5   6   7   8   9
    P   O   S   T   ␣   f   i   l
    e   n   a   m   e   ␣   H   T
    T   P   /   1   .   1   \r  \n
    C   o   o   k   i   e   :   ␣
    s   e   s   s   i   o   n   i
    d   =   *   *   *   *   *   *
    *   *   *   *   *   *   *   *

    Etc. (␣ marks a space character.)

  • 7/31/2019 DS ThreatAnalysis-BEAST TLS Attack Analysis-2011!09!28

    6/8

    Threat Analysis September 28, 2011 Copyright 2011 Symantec Page 6

    In the first iteration, filename would be chosen to be AAAAAAAAAAAAA to yield a block allocation as follows:

    Block end

    1   2   3   4   5   6   7   8   9
    P   O   S   T   ␣   A   A   A
    A   A   A   A   A   A   A   A
    A   A   ␣   H   T   T   P   /
    1   .   1   \r  \n  C   o   o
    k   i   e   :   ␣   s   e   s
    s   i   o   n   i   d   =   *

    Etc. (␣ marks a space character.)

    Once * is recovered to N, the next request is generated with a filename chosen to be AAAAAAAAAAAA, and the following is sent:

    Block end

    1   2   3   4   5   6   7   8   9
    P   O   S   T   ␣   A   A   A
    A   A   A   A   A   A   A   A
    A   ␣   H   T   T   P   /   1
    .   1   \r  \n  C   o   o   k
    i   e   :   ␣   s   e   s   s
    i   o   n   i   d   =   N   *

    Etc. (␣ marks a space character.)
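
    The block layouts tabulated above can be checked mechanically. The following Python is an added example, not part of the Symantec analysis or the researchers' code; the function names, the 32-byte cookie length and the blank line ending the header are assumptions for illustration. It goes slightly beyond the tables by listing every filename length up to 16 that gives the same alignment.

```python
BLOCK = 8  # block size the page assumes for its example

def build_request(filename, known="", cookie_len=32):
    """Request head in the page's format; '*' stands for a still-unknown
    cookie byte. cookie_len=32 is an assumed length for illustration."""
    cookie = known + "*" * (cookie_len - len(known))
    return "POST %s HTTP/1.1\r\nCookie: sessionid=%s\r\n\r\n" % (filename, cookie)

def split_blocks(data, size=BLOCK):
    """Cut the request into cipher-block-sized pieces, as in the tables."""
    return [data[i:i + size] for i in range(0, len(data), size)]

def first_unknown_block(filename, known=""):
    """Return (index, text) of the block holding the first unknown byte."""
    for i, block in enumerate(split_blocks(build_request(filename, known))):
        if "*" in block:
            return i, block
    return None

def isolates_one_byte(filename, known=""):
    """True when the first unknown byte is the last byte of its block,
    i.e. the other seven bytes of that block are already known."""
    _, block = first_unknown_block(filename, known)
    return block.index("*") == BLOCK - 1

def aligning_lengths(known="", limit=16):
    """Filename lengths (1..limit) that leave one unknown byte in the block."""
    return [n for n in range(1, limit + 1) if isolates_one_byte("A" * n, known)]

if __name__ == "__main__":
    # Constructed inputs matching the three tables on the page.
    for name, known in (("filename", ""), ("A" * 13, ""), ("A" * 12, "N")):
        idx, block = first_unknown_block(name, known)
        print(len(name), idx, repr(block), isolates_one_byte(name, known))
    print(aligning_lengths(), aligning_lengths("N"))
```

    The page's filename lengths of 13 and 12 appear among the aligning lengths for zero and one recovered byte respectively.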

    Once the sessionid is recovered, the attacker can use BEAST as a gateway to control a session with HTTPS://financial-institution.com while the website treats the attacker as the authenticated victim. The ability to perform blockwise-adaptive chosen-plaintext attacks in this manner was resolved with the release of TLS 1.1 in 2006. Unfortunately, many sites do not support TLS 1.1. In 2010, according to a survey by Qualys, only 0.1% of HTTPS sites supported TLS 1.1 or greater. However, even if websites upgraded to support TLS 1.1, few client browsers actually support TLS 1.1 or greater:

    • Internet Explorer supports TLS 1.1 only on Windows 7 or later.

    • Chrome does not support TLS 1.1.

    • Firefox does not support TLS 1.1.

    • Opera supports TLS 1.2.

    Additional details or corrections may be added to this paper with further disclosures on BEAST attacks.

    Mitigating strategies

    Some recommendations that can be employed in the meantime include:

    • Control the transmission mechanism. Although one of the main goals of SSL is to permit the use of untrusted communication gateways, until the BEAST attack is better understood and mitigated we recommend only accessing SSL sites and VPNs over trusted mediums as opposed to wireless and public Ethernet connections.

    • Upgrade to TLS 1.1/SSL 3.2 or later.

    • Use two-factor authentication or TANs.

    Resources

    BEAST Paper, and Java Decryptor snippet
    http://www.insecure.cl/Beast-SSL.rar

    Breaking SSL with BEAST
    https://tms.symantec.com/AnalystJournal.aspx?id=19748

    Researchers crack a weakness in SSL encryption
    https://tms.symantec.com/AnalystJournal.aspx?id=19740

    Change log

    Version 1: September 28, 2011, 18:00 GMT

    Initial Threat Analysis released.


    Glossary

    If you are unfamiliar with any term this report uses, please visit the SecurityFocus glossary at http://www.securityfocus.com/glossary for more details on information security terminology.

    Contact information

    World Headquarters

    Symantec World Headquarters
    350 Ellis Street
    Mountain View, CA 94043
    Phone: +1 650-527-8000
    www.symantec.com

    About Symantec

    Symantec was founded in 1982 by visionary computer scientists. The company has evolved to become one of the world's largest software companies with more than 18,500 employees in more than 50 countries. We provide security, storage and systems management solutions to help our customers, from consumers and small businesses to the largest global organizations, secure and manage their information-driven world against more risks at more points, more completely and efficiently than any other company.

    DeepSight Conditions: NO WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, SHALL APPLY TO THE DEEPSIGHT SERVICES OR THE MATERIALS PROVIDED BY SYMANTEC TO USERS OF THE DEEPSIGHT SERVICES. SYMANTEC PROVIDES THE SERVICE(S) AND MATERIALS AS IS AND AS AVAILABLE. IN NO EVENT WILL SYMANTEC BE LIABLE FOR THE TRUTH, ACCURACY, RELIABILITY OR COMPLETENESS OF THE SERVICE(S) OR MATERIALS. SYMANTEC MAKES NO WARRANTY THAT THE SERVICE(S) OR MATERIALS WILL BE UNINTERRUPTED OR TIMELY, OR THAT THEY WILL PROTECT AGAINST COMPUTER VULNERABILITIES. Please refer to your services agreement or certificate for further information on conditions of use for the Services and materials.

    Trademarks: Symantec, the Symantec logo, and DeepSight are US registered trademarks of Symantec Corporation or its subsidiaries. DeepSight Analyzer, DeepSight Extractor, and Bugtraq are trademarks of Symantec Corporation or its subsidiaries. Other brands and products are trademarks of their respective holders.

    Quoting Symantec Information and Data: Authorized Users of Symantec's Deep Sight Services may use or quote individual sentences and paragraphs from the materials provided as part of the Services, but not large portions or the majority of such materials, solely for purposes of internal communications. Unless otherwise specifically agreed in writing by Symantec, no external publication of all or any portion of any materials provided by Symantec is permitted.

    Copyright 2011 Symantec Corporation. All rights reserved. Reproduction is forbidden unless authorized.
