Sites Inria

Version française



FREAK vulnerability detection

Portrait de Karthikeyan Bhargavan Karthikeyan Bhargavan

Last November, the Prosecco research team led by Karthikeyan Bhargavan discovered a vulnerability in the TLS protocol used to secure internet communications. Interview with Antoine Delignat-Lavaud , doctoral researcher and member of the Prosecco research team.

Who discovered the FREAK vulnerability?

The vulnerability was discovered by the Prosecco, research team, at INRIA Paris Rocquencourt, led by Karthikeyan Bhargavan . We were working on the detection and exploitation of TLS vulnerabilities using test software developed by Alfredo Pironti with the assistance of Benjamin Beurdouche , at the time an intern in our team. The research project began in the summer of 2014 and was concluded in November.

Is it true, as has been written, that the FREAK vulnerability is due to neglect?

It should be kept in mind that testing security protocol implementations is not an easy task. Our goal was to exhaustively test the conformance of TLS implementations with respect to the message sequences associated with the various supported cipher suites, something which had never been done before.

Our approach consisted of testing TSL implementations with incorrect message sequences, to see which were accepted. However, sending incorrect yet consistent message sequences is not easy, since the content of each message depends on that of previously sent messages.

For example, with standard RSA cipher suites, the session encryption key is generated by the client and sent encrypted with the public key contained in the server certificate. In the case of export-grade RSA cipher suites, it's a bit different: the server sends a short (512-bit) RSA key signed with the private key contained in the certificate. In yet another example, that of Diffie-Hellman messages, the server chooses a group, signs the group parameters with its public key, and sends the key to the client.

In the case of the FREAK vulnerability, the same code is used to handle standard and export-grade RSA key exchanges. In this case, the server negotiates a standard RSA key exchange (encrypted by the client with the server's public key), but if an attacker also injects a weak export key signed as in the export sequence, a vulnerable client will use this weak export key to encrypt the session key. There lies the vulnerability.

How can the persistence of this vulnerability be explained?

It is a characteristic problem in the design of encryption protocols. Significant efforts are made to test whether an implementation is compliant with protocol standards and allows for interoperability (positive testing). However, insufficient attention is often given to negative testing, which consists of verifying that incorrect instances are properly rejected. Testing all invalid behaviour is an essential component of genuine research, particularly for such a complex protocol. We focus on testing message sequences combining messages used in different cipher suites, since it is impossible to test the infinite number of potential situations.

We observe the same vulnerabilities appearing in different TLS implementations, demonstrating a widespread lack of assessment of how such implementations respond to incorrect message sequences.

QWhat are the next steps for Prosecco?

We consider our work on the FREAK vulnerability as a breakthrough, and we intend to publish a paper during the next IEEE Conference on Security and Privacy to be held in May. A draft version of this paper is already available at our web site:

This is not the first TLS vulnerability discovered by our team. Over the past two years, we have identified a total of fifteen vulnerabilities in various browsers. We are interested in security vulnerabilities, but a significant part of our research is devoted to formally testing of TLS implementations, including our own miTLS implementation, jointly developed with Microsoft Research and Spain's IMDEA research institute. We are also working on a new version of the TLS protocol (TLS 1.3), currently undergoing standardization by the Internet Engineering Task Force (IETF).

Scientific challenges

A large portion of our IT research is devoted to securing private and confidential data transmissions (e-mail, administrative procedures, bank transactions) and protecting them against malicious actions (hacking, phishing). Approximately fifty Inria research teams are currently investigating a variety of topics related to IT security, with fifteen of these teams focusing their efforts on IT security issues (cryptography, communication protocols, etc.).

Keywords: Security TLS Protocol PROSECCO project-team FREAK Vulnerability