Raccoon is the next flashy security flaw with a name, cute logo, and a website (and a PDF). Raccoon is a flaw in TLS versions prior to 1.3, and seems to be a clever bit of work, albeit one with limited real-world application. The central problem is that these older versions of TLS, when using Diffie-Hellman (DH), drop leading all-zero bytes in the resulting pre-master key. As that key is part of the input for calculating the master session key, a shortened pre-master key results in a slightly faster calculation of the master key. If an attacker can make fine-grained timing measurements, he can determine when the pre-master key is trimmed.

Let’s review Diffie-Hellman, briefly. The client and server agree on two numeric values, a base g and modulus p, and each party generates a secret key, a and b. Each party calculates a public key by raising the shared base to their own private key, mod the shared modulus: A = g^a mod p. These public keys are exchanged, and each party raises the received key to their own secret key: A^b. Exponents have a non-obvious quirk, the power rule. A value raised to a power raised to a power is the same as the value raised to the power of the exponents multiplied together. (g^a)^b is equal to g^(a*b). By going through this mathematical dance, the server and client have arrived at a shared value that only they know, while preserving the secrecy of their private keys.

On to the attack, which is only exploitable when the server is reusing its DH key for multiple connections. The attack is to capture the target client’s public DH key, which is sent in the clear as part of the TLS handshake. The attacker now initiates a new TLS handshake, but chooses a special value for its own public key: The target’s public key, raised to a random-but-known exponent. Note that this means the attacker can’t actually calculate the new shared key, but can learn something about it. Through carefully measuring the server’s response time, it can be determined if this new DH shared key has a leading zero byte. This isn’t terribly useful on its own, but there is a mathematical trick that changes the game, the Hidden Number Problem.
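The length leak described above, as an added Python example that is not part of the original article: a toy DH exchange that encodes the shared value both with leading zero bytes stripped (TLS 1.2 and earlier) and left-padded to the size of the prime (as TLS 1.3 does). The modulus `2**255 - 19`, the base 2 and all function names are assumptions chosen for illustration, not a standardized TLS group.

```python
import secrets

# Toy parameters, constructed for this example (not a real TLS DH group).
P = 2**255 - 19                      # a known prime, used only as the modulus p
G = 2                                # base g
P_LEN = (P.bit_length() + 7) // 8    # byte length of p (32)

def keypair():
    """Return (private, public) where public = g^private mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def shared_secret(peer_pub, priv):
    """Both sides compute peer_pub^priv mod p and arrive at g^(a*b) mod p."""
    return pow(peer_pub, priv, P)

def premaster_stripped(z):
    """TLS <= 1.2 encoding: leading all-zero bytes are dropped."""
    return z.to_bytes(P_LEN, "big").lstrip(b"\x00")

def premaster_fixed(z):
    """Fixed-length encoding: always P_LEN bytes, so length reveals nothing."""
    return z.to_bytes(P_LEN, "big")

def length_histogram(server_priv, handshakes):
    """Stripped pre-master lengths seen by a server that reuses one DH key."""
    counts = {}
    for _ in range(handshakes):
        _, client_pub = keypair()
        z = shared_secret(client_pub, server_priv)
        n = len(premaster_stripped(z))
        counts[n] = counts.get(n, 0) + 1
    return counts

if __name__ == "__main__":
    server_priv, server_pub = keypair()      # reused across connections
    client_priv, client_pub = keypair()
    # Power rule: (g^a)^b == (g^b)^a mod p
    assert shared_secret(client_pub, server_priv) == shared_secret(server_pub, client_priv)
    # A small fraction of handshakes yields a shorter key-derivation input.
    print("stripped lengths:", length_histogram(server_priv, 5000))
    print("fixed length    :", P_LEN)
```

With the fixed-length encoding every handshake feeds the same number of bytes into the key derivation, which removes the input-length difference the timing measurement relies on; not reusing the server's DH key removes the ability to probe the same secret repeatedly.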

The Hidden Number Problem (HNP) is an approach to breaking public key cryptography like DH. The math involved is above my pay grade, but we’ll try to get an overview, at least. In the DH exchange, the modulo operator is used to keep the magnitude of the numbers manageable. There is a side effect — the normally one-dimensional number line can be thought of as a two-dimensional number grid. There are some clever algorithms that work on a 2D lattice that don’t work on the normal number line. The result is that when you have enough clues about the hidden number you’re looking for, it can become much easier …

Source: Hackaday