A Cross-protocol Attack on the TLS Protocol

Nikos Mavrogiannopoulos, Frederik Vercauteren, Vesselin Velichkov, Bart Preneel

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

This paper describes a cross-protocol attack on all versions of TLS; it can be seen as an extension of the Wagner and Schneier attack on SSL 3.0. The attack presents valid explicit elliptic curve Diffie-Hellman parameters signed by a server to a client that incorrectly interprets these parameters as valid plain Diffie-Hellman parameters. Our attack enables an adversary to successfully impersonate a server to a random client after obtaining 240 signed elliptic curve keys from the original server. While attacking a specific client is improbable due to the high number of signed keys required during the lifetime of one TLS handshake, it is not completely unrealistic for a setting where the server has high computational power and the attacker contents itself with recovering one out of many session keys. We remark that popular open-source server implementations are not susceptible to this attack, since they typically do not support the explicit curve option. Finally we propose a fix that renders the protocol immune to this family of cross-protocol attacks.
Original languageEnglish
Title of host publicationProceedings of the 2012 ACM Conference on Computer and Communications Security
Place of PublicationNew York, NY, USA
PublisherACM
Pages62-72
Number of pages11
ISBN (Print)978-1-4503-1651-4
DOIs
Publication statusPublished - 2012
Event19th ACM Conference on Computer and Communications Security - Raleigh, United States
Duration: 16 Oct 201218 Oct 2012
https://www.sigsac.org/ccs/CCS2012/

Publication series

NameCCS '12
PublisherACM

Conference

Conference19th ACM Conference on Computer and Communications Security
Abbreviated titleCCS 2012
Country/TerritoryUnited States
CityRaleigh
Period16/10/1218/10/12
Internet address

Keywords

  • cross-protocol attack, man-in-the-middle, server impersonation attack, ssl, tls

Fingerprint

Dive into the research topics of 'A Cross-protocol Attack on the TLS Protocol'. Together they form a unique fingerprint.

Cite this