Computer Security

Laurence Goussu - 25/08/2016

The Prosecco and Secret project teams demonstrate the vulnerability of certain Internet security protocols

The flaw in question, which concerns major Internet security protocols - notably OpenVPN and TLS - was already known from a theoretical point of view, but two Inria researchers, Karthik Bhargavan (PROSECCO project team) and Gaëtan Leurent (SECRET project team), have just demonstrated that an attack using it as a point of entry is indeed possible in practice.

How does it work in practice?

In order to prevent sensitive data from being intercepted or modified by an attacker, connections across the Internet are typically encrypted. A popular encryption scheme is to use a block cipher in CBC mode: the data is cut into blocks (generally 64 bits or 128 bits), which are encrypted one by one, with a chaining rule linking each block to the previous one.
Unfortunately, such commonly-used encryption modes are secure only if a limited volume of data is encrypted with the same key. For a 64-bit block cipher, this security limit is just 32 GB, which is easily reached in practice on current networks. Modern block ciphers such as AES use 128-bit blocks, giving a limit of 256 EB (an exabyte corresponds to a billion gigabytes), which is still far from being reachable in practice. When the volume of data encrypted under one key gets close to the limit, whatever it may be, security begins to break down.
Many 64-bit block ciphers - Triple DES, Blowfish - are still widely used, and are therefore called into question today. The Inria researchers estimate that connections to 1-2% of HTTPS websites - including security-critical e-commerce platforms - could be affected, since they still use this type of encryption.

This problem had already been identified by cryptographers, but was often ignored by practitioners since known attacks only gave access to a small amount of information and did not seem to apply on a large scale.

Today, in a web context, it can be shown that these attacks enable the recovery of login information, and therefore the takeover of a user's identity on a secure site. This is a real risk and, in order for it to be contained, 64-bit block cipher algorithms need to be disabled rapidly.

Which sites and systems are concerned?

Many systems still use 64-bit blocks for encryption, with a large amount of data encrypted under the same key, for example:
- 3G telephony, encrypted with KASUMI;
- OpenVPN, which uses Blowfish as its default encryption algorithm;
- many Internet protocols, such as TLS, IPsec and SSH, which offer Triple-DES as an option.

On all of these systems, 32 GB of data can be transferred in under an hour over a fast connection.

What are the risks?

The attack was demonstrated in the laboratory against encrypted HTTP connections, and its feasibility was unequivocally proven; even though the attack would inevitably be more complex to carry out on the Internet, it can be done. The attacks that were simulated would have enabled the recovery of a user's authentication cookie or password in under 40 hours, with around 800 GB of data. They impact the majority of OpenVPN connections, and the researchers who carried out this simulation estimate that 0.6% of HTTPS connections would be vulnerable.

What are the solutions?

The aim is to raise awareness of the vulnerability of encryption algorithms whose block size is too short, to replace them with algorithms using longer blocks, or to change the way in which they are used.
In concrete terms, our researchers' recommendations are as follows:
- for users: update your software (which will soon incorporate countermeasures);
- for administrators: configure systems to use 128-bit block cipher algorithms, or stream cipher algorithms; if this is not possible, limit the volume of data that is encrypted with each key.
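The following Python snippet is an added illustration, not code from Inria or the researchers: it works through the birthday-bound figures quoted above (32 GB for a 64-bit block, 256 EB for a 128-bit block) and shows how an administrator could implement the last recommendation, limiting the data encrypted under each key before a rekey is forced. The collision-probability formula and the 2^-20 default budget are assumptions chosen for the example.

```python
import math


def birthday_bound_bytes(block_bits: int) -> int:
    """Data volume (bytes) at which 2^(n/2) blocks have been encrypted under
    one key: the birthday bound for an n-bit block cipher."""
    return (1 << (block_bits // 2)) * (block_bits // 8)


def collision_probability(block_bits: int, data_bytes: int) -> float:
    """Approximate probability that at least one pair of ciphertext blocks
    collides after data_bytes of CBC encryption under a single key, using the
    standard birthday approximation 1 - exp(-q^2 / 2^(n+1)) for q blocks."""
    q = data_bytes // (block_bits // 8)
    return -math.expm1(-(q * q) / 2.0 ** (block_bits + 1))


def max_bytes_for_probability(block_bits: int, p: float) -> int:
    """Largest per-key data volume that keeps the collision probability at or
    below p; this is the rekeying budget an administrator would configure."""
    q = math.sqrt(-math.log1p(-p) * 2.0 ** (block_bits + 1))
    return int(q) * (block_bits // 8)


class KeyUsageBudget:
    """Counts bytes encrypted under the current key and signals when a rekey
    is required, so the per-key volume never approaches the birthday bound.
    The 2^-20 default collision budget is an assumption for this example."""

    def __init__(self, block_bits: int, max_collision_probability: float = 2 ** -20):
        self.limit = max_bytes_for_probability(block_bits, max_collision_probability)
        self.used = 0

    def record(self, n_bytes: int) -> bool:
        """Account for n_bytes sent under this key; True while the key may still be used."""
        self.used += n_bytes
        return self.used <= self.limit

    def rekey(self) -> None:
        """Reset the counter after a fresh key has been negotiated."""
        self.used = 0


if __name__ == "__main__":
    for bits in (64, 128):
        print(f"{bits}-bit blocks: birthday bound at {birthday_bound_bytes(bits)} bytes")
    # Roughly the 800 GB volume used in the laboratory demonstration above.
    print("P(collision) for 800 GB under Triple-DES:", collision_probability(64, 800 * 10**9))
```

With 64-bit blocks the default budget forces a rekey after roughly 45 MiB, whereas a 128-bit cipher under the same budget allows hundreds of petabytes per key.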
