Bulletproof TLS Newsletter #69
Raccoon attack shows design flaw in old TLS
30 Sep 2020
Author: Hanno Böck

This issue was distributed to 55,708 email subscribers.

Bulletproof TLS Newsletter is a free periodic newsletter bringing you commentary and news surrounding SSL/TLS and Internet PKI, designed to keep you informed about the latest developments in this space.

In this issue:

  1. Raccoon attack shows design flaw in old TLS
  2. Short news

Raccoon attack shows design flaw in old TLS

Raccoon is a timing attack that exploits a vulnerability in the Diffie-Hellman specification in TLS 1.2 and older.

In the Diffie-Hellman key exchange in old TLS versions, the protocol stripped leading zero bytes from the shared secret before feeding it into the hash-based key derivation. The processing time therefore depends on the secret itself, which allows an attacker to measure a timing difference and thus learn about the leading zeros.
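The root cause in code, as an added illustration that is not part of the newsletter: the TLS 1.2 encoding strips leading zero bytes, so the length of the value handed to the key derivation depends on the secret, whereas a fixed-length encoding (what TLS 1.3 specifies) removes that dependency. The modulus P_DEMO is a constructed toy value; SHA-256 stands in for the real PRF.

```python
import hashlib

# Constructed toy modulus for the demonstration (a Mersenne prime, 16 bytes).
# Real TLS finite-field DH groups are 1024 bits and up; the encoding issue is identical.
P_DEMO = (1 << 127) - 1


def group_byte_len(p: int) -> int:
    """Number of bytes needed to hold any value in [0, p)."""
    return (p.bit_length() + 7) // 8


def encode_tls12(z: int) -> bytes:
    """TLS 1.2 style (RFC 5246 section 8.1.2): the premaster secret is Z with
    leading zero bytes removed, so its length depends on the secret."""
    return z.to_bytes(max(1, (z.bit_length() + 7) // 8), "big")


def encode_fixed(z: int, p: int) -> bytes:
    """Constant-length encoding as in TLS 1.3 (RFC 8446 section 7.4.1): Z is
    left-padded with zeros to the size of the modulus, so the length of the
    key-derivation input is independent of the secret."""
    return z.to_bytes(group_byte_len(p), "big")


def leaked_leading_zero_bytes(z: int, p: int) -> int:
    """What the length of the stripped encoding reveals about Z."""
    return len(encode_fixed(z, p)) - len(encode_tls12(z))


def derive_secret(z: int, p: int, strip: bool) -> bytes:
    """Stand-in for the PRF step: hash the encoded premaster secret. With
    strip=True the hash input length varies with Z; that variation is the
    timing side channel Raccoon measures."""
    data = encode_tls12(z) if strip else encode_fixed(z, p)
    return hashlib.sha256(data).digest()


def shared_secret(own_priv: int, peer_pub: int, p: int) -> int:
    """Plain finite-field Diffie-Hellman: Z = peer_pub ^ own_priv mod p."""
    return pow(peer_pub, own_priv, p)


if __name__ == "__main__":
    # Toy group p=23, g=5; private exponents 6 and 15 give public values 8 and 19.
    z = shared_secret(6, 19, 23)
    assert z == shared_secret(15, 8, 23)
    for secret in (1, (1 << 119) + 5, 1 << 120):
        print(f"Z with {leaked_leading_zero_bytes(secret, P_DEMO)} leading zero byte(s): "
              f"stripped input {len(encode_tls12(secret))} bytes, "
              f"fixed input {len(encode_fixed(secret, P_DEMO))} bytes")
```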

Performing multiple connections to a server that reuses Diffie-Hellman key shares allows an attack that has some similarities to Bleichenbacher attacks. Doing a calculation involving the so-called hidden number problem subsequently allows decrypting data.

The practical impact is relatively low, as (finite-field) Diffie-Hellman is rarely used these days, and the additional requirement of key share reuse makes a vulnerable setup even less likely. Previous attacks on key share reuse have already caused many implementations to disable it by default.

However, the attack gives some clues for how to avoid similar attacks in the future. Although the attack does not affect ECDHE, it's still advisable to avoid key share reuse there as well. The attack also led to a discussion about variable-length secrets in upcoming post-quantum key exchanges in TLS, which could be vulnerable to similar attacks. Nimrod Aviram, one of the Raccoon finders, proposed a change to a draft for upcoming hybrid key exchanges.

Short news