
Once-theoretical crypto attack against HTTPS now verges on practicality

Certain types of Wi-Fi crypto also threatened by technique attacking RC4 cipher.

Almost a third of the world's encrypted Web connections can be cracked using an exploit that's growing increasingly practical, computer scientists warned Wednesday. They said the attack technique on a cryptographic cipher known as RC4 can also be used to break into wireless networks protected by the Wi-Fi Protected Access Temporal Key Integrity Protocol.

Researchers have long known that statistical biases in RC4 make it possible for attackers to predict some of the pseudo-random bytes the cipher uses to encode messages. In 2013, a team of scientists devised an attack exploiting the weakness that required about 2,000 hours to correctly guess the characters contained in a typical authentication cookie. Using refinements, a separate team of researchers is now able to carry out the same feat in about 75 hours with 94 percent accuracy. A similar attack against WPA-TKIP networks takes about an hour to succeed. The researchers said the only reliable countermeasure is to stop using RC4 altogether.
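The kind of bias described above can be measured directly. The following is an added example, not code from the researchers or from this article: it implements RC4 and measures the long-known second-byte bias (Mantin and Shamir, 2001), under which the second keystream byte is zero about twice as often as a uniform byte would be. It illustrates the class of weakness only, not the particular biases the new attack combines, and the function names are this example's own.

```python
# Added example: empirical measurement of one well-known RC4 keystream bias.
# Function names are illustrative; keys are random and generated locally.
import os


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n keystream bytes RC4 produces under `key`."""
    # Key-scheduling algorithm (KSA): permute S according to the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): emit keystream bytes.
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def second_byte_zero_rate(trials: int, rng=os.urandom) -> float:
    """Fraction of fresh random 128-bit keys whose 2nd keystream byte is 0."""
    hits = 0
    for _ in range(trials):
        if rc4_keystream(rng(16), 2)[1] == 0:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    trials = 40000
    rate = second_byte_zero_rate(trials)
    # A sound stream cipher would give a ratio close to 1.0 here.
    print(f"observed P(Z2 = 0): {rate:.5f}")
    print(f"uniform baseline:   {1 / 256:.5f}")
    print(f"ratio to uniform:   {rate * 256:.2f}")
```

Because the same plaintext byte encrypted under many fresh keys is XORed with a keystream byte that favours one value, the most frequent ciphertext byte at that position leaks the plaintext, which is why the countermeasure is retiring the cipher rather than patching around it.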

“Very worrisome”

"Our work significantly reduces the execution time of performing an attack, and we consider this improvement very worrisome," the researchers wrote in a blog post. "Considering there are still biases which are unused, that more efficient algorithms can be implemented, and better traffic generation techniques can be explored, we expect further improvements in the future."

The attack could be exploited by attackers with the ability to monitor the connection between a target and an HTTPS-protected website or WPA-TKIP-protected network. In the case of an HTTPS-protected website, the attacker uses a separate non-HTTPS-protected website to inject JavaScript code that induces the targeted computer to repeatedly transmit the encrypted authentication cookie in rapid succession. By observing roughly 9*2^27 encryptions of the cookie, the attacker can guess the contents with 94 percent accuracy. With the ability to make the target transmit 4,450 Web requests per second, the attack takes about 75 hours, although in some cases, the time required can be shaved down to 52 hours. In the attack from two years ago, researchers required 12*2^30 encryptions of a cookie to deduce its contents and could generate only about 1,700 requests per second.

The new attack against WPA-TKIP requires an hour to execute, and allows an attacker to inject and decrypt arbitrary packets.

The RC4 NOMORE Attack: Demonstration in Practice

The technique can be used not only to decrypt cookies and Wi-Fi packets, but any type of plaintext that is transmitted frequently in the encrypted stream. The technique works by injecting data values that are already known to exist inside the encrypted payload, such as the standard headers that exist in every authentication cookie or Wi-Fi packet. The attack then cycles through every possible combination of characters for the unknown values and uses the statistical biases to figure out which combinations are most likely.

For now, the attack against HTTPS-protected websites remains largely theoretical given the required 75 hours. But given how hard it is to collectively retire widely used technologies, the research should serve as a stern warning that RC4 isn't a safe long-term solution, and that engineers need to act now to wean their wares and users off of the cipher. An estimated 30 percent of HTTPS sessions rely on RC4, down from about half in 2013.

"We consider it surprising this is possible using only known biases, and expect these types of attacks to further improve in the future," the researchers wrote in a research paper scheduled to be presented at next month's 24th Usenix Security Symposium. "Based on these results, we strongly urge people to stop using RC4."
