Bar mitzvah attack

The bar mitzvah attack is an attack on the SSL/TLS protocols that exploits the use of the RC4 cipher with weak keys for that cipher.^[1]^[2] While this affects only the first hundred or so bytes of only the very small fraction of connections that happen to use weak keys, it allows significant compromise of user security, for example by allowing the interception of password information^[2] which could then be used for long-term exploitation.

The attack uses a vulnerability in RC4 described as the invariance weakness by Fluhrer et al. in their 2001 paper on RC4 weaknesses.^[2]^[3]

The attack is named after the bar mitzvah ceremony which is held at 13 years of age, because the vulnerability exploited is 13 years old.^[1]

References

1 2 Kelly Jackson Higgins (26 March 2015). "SSL/TLS Suffers 'Bar Mitzvah Attack'". Dark Reading.
1 2 3 Dan Goodin (27 March 2015). "Noose around Internet's TLS system tightens with 2 new decryption attacks". Ars Technica.
↑ Fluhrer, S., Mantin, I., and A. Shamir, "Weaknesses in the Key Scheduling Algorithm of RC4", Selected Areas of Cryptography: SAC 2001, Lecture Notes in Computer Science Vol. 2259, pp 1–24, 2001.

External links

"Attacking SSL when using RC4: Breaking SSL with a 13-year-old RC4 Weakness" (PDF). Imperva. 2015. Retrieved 27 March 2015.

TLS and SSL

Protocols and technologies

Transport Layer Security / Secure Sockets Layer (TLS/SSL)
Datagram Transport Layer Security (DTLS)
DNS Certification Authority Authorization (CAA)
DNS-based Authentication of Named Entities (DANE)
HTTPS
HTTP Public Key Pinning (HPKP)
HTTP Strict Transport Security (HSTS)
OCSP stapling
Perfect forward secrecy
Server Name Indication (SNI)
STARTTLS
Application-Layer Protocol Negotiation (ALPN)

Public-key infrastructure

Automated Certificate Management Environment (ACME)
Certificate authority (CA)
CA/Browser Forum
Certificate policy
Certificate revocation list (CRL)
Domain-validated certificate (DV)
Extended Validation Certificate (EV)
Online Certificate Status Protocol (OCSP)
Public key certificate
Public-key cryptography
Public key infrastructure (PKI)
Root certificate
Self-signed certificate

See also

Domain Name System Security Extensions (DNSSEC)
Internet Protocol Security (IPsec)
Secure Shell (SSH)

History

Implementations

Notaries

Vulnerabilities

Theory	Man-in-the-middle attack Padding oracle attack Lucky Thirteen attack

Cipher	Bar mitzvah attack

Protocol	BEAST BREACH CRIME DROWN Logjam POODLE (in regards to SSL 3.0)

Implementation	Certificate authority compromise Random number generator attacks FREAK goto fail Heartbleed POODLE (in regards to TLS 1.0)

This article is issued from Wikipedia - version of the 5/3/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.