Watch Out For Those Pesky Cyber Raccoons …

What I love about cybersecurity is that it is ever-changing, and every day brings a new threat to analyse. For me, it is a chance to twiddle bits and try out some code. The latest one defines the Raccoon Attack [here]:

And it is one of those pesky timing attacks that can be exploited in TLS. While it is difficult to exploit, it does show another weakness of TLS. Overall, it exploits the Diffie-Hellman (DH) key exchange, where Alice sends g^a (mod N), Bob sends g^b (mod N), and the shared key is then g^{ab} (mod N). This shared key is known as the premaster secret, and it is then used to generate each of the session keys using a key derivation function.

In the attack, the researchers note that, because leading zeros in the premaster secret are stripped off, it is possible to observe the length of the secret being used. For this, Eve could listen to Alice sending g^a (mod N) to Bob, then replay that value back to Bob and observe whether there are leading zeros or not. Next, Eve sends:

g^{r_i} * g^a (mod N)

which gives a premaster secret of g^{r_i*b} * g^{ab} (mod N). Eve then keeps trying until she finds a premaster secret that starts with zero. This results in a possible solution using the Hidden Number Problem (HNP) to determine the original premaster secret established between Bob and Alice.

The Hidden Number Problem uses lattice methods in order to solve the Closest Vector Problem [1]. Dan Boneh outlined how it was possible to take the most significant bits (MSB) of a Diffie-Hellman secret and generate the shared secret for the Diffie-Hellman method. It has since been used to crack DSA and ECDSA signatures, but the Raccoon paper is the first to apply it to TLS-DH(E). The (E) part stands for “ephemeral”, and supports forward secrecy, where a breach of the long-term secret does not reveal other derived keys.
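The blinding step and the length leak described above, as an added Python example (not code from the original post or from the Raccoon paper): it checks that (g^{r_i} * g^a)^b equals g^{r_i*b} * g^{ab} (mod N), and counts how often a premaster secret loses a byte when leading zeros are stripped, compared with an encoding padded to the length of N. The toy prime 2^127 - 1, the generator 3 and all function names are assumptions chosen for the demo.

```python
import random

# Constructed toy group (assumption): N = 2^127 - 1 is a Mersenne prime, g = 3.
# Real TLS-DH groups are 2048 bits or more; the algebra is the same.
N = 2**127 - 1
G = 3
N_LEN = (N.bit_length() + 7) // 8  # 16 bytes


def encode_stripped(z: int) -> bytes:
    """Big-endian encoding with leading zero bytes removed (the leaky form)."""
    return z.to_bytes(max(1, (z.bit_length() + 7) // 8), "big")


def encode_fixed(z: int) -> bytes:
    """Big-endian encoding left-padded to the byte length of N."""
    return z.to_bytes(N_LEN, "big")


def blinded_premaster(ga: int, r: int, b: int) -> int:
    """What Bob computes when he receives g^r * g^a instead of g^a."""
    return pow(pow(G, r, N) * ga % N, b, N)


def survey(trials: int, seed: int = 1):
    """Return (identity_ok, short_stripped, fixed_lengths) over random r_i."""
    rng = random.Random(seed)  # seeded so the demo repeats; never use for real keys
    a, b = rng.randrange(2, N - 1), rng.randrange(2, N - 1)
    ga, gb = pow(G, a, N), pow(G, b, N)
    gab = pow(ga, b, N)  # the original premaster secret g^{ab}
    identity_ok, short, fixed_lengths = True, 0, set()
    for _ in range(trials):
        r = rng.randrange(2, N - 1)
        z = blinded_premaster(ga, r, b)
        # The page's identity: (g^r * g^a)^b = g^{r*b} * g^{ab} (mod N)
        identity_ok &= z == pow(gb, r, N) * gab % N
        short += int(len(encode_stripped(z)) < N_LEN)
        fixed_lengths.add(len(encode_fixed(z)))
    return identity_ok, short, fixed_lengths


if __name__ == "__main__":
    ok, short, fixed = survey(5000)
    print(f"identity holds: {ok}")
    print(f"stripped encodings shorter than {N_LEN} bytes: {short} of 5000")
    print(f"fixed-length encoding lengths seen: {sorted(fixed)}")
```

With this 127-bit modulus, roughly 1 in 128 secrets comes out a byte short when stripped, while the padded encoding always has the same length and so gives an observer nothing to distinguish.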

Conclusions

It’s not an easy attack, but it’s a vector and shows another weakness in the Diffie-Hellman key exchange method for TLS.

References

[1] Dan Boneh and Ramarathnam Venkatesan. Hardness of computing the most significant bits of secret keys in Diffie-Hellman and related schemes. In Advances in Cryptology — CRYPTO ’96, pages 129–142. Springer Berlin Heidelberg, 1996.