DROWN: Breaking TLS using SSLv2

Nimrod Aviram, Sebastian Schinzel, Juraj Somorovsky, Nadia Heninger, Maik Dankel, Jens Steube, Luke Valenta, David Adrian, J. Alex Halderman, Viktor Dukhovni, Emilia Käsper, Shaanan Cohney, Susanne Engels, Christof Paar, Yuval Shavitt

USENIX Security 2016


Abstract

We present DROWN, a novel cross-protocol attack on TLS that uses a server supporting SSLv2 as an oracle to decrypt modern TLS connections.

We introduce two versions of the attack. The more general form exploits multiple unnoticed protocol flaws in SSLv2 to develop a new and stronger variant of the Bleichenbacher RSA padding-oracle attack. To decrypt a 2048-bit RSA TLS ciphertext, an attacker must observe 1,000 TLS handshakes, initiate 40,000 SSLv2 connections, and perform 2^50 offline work. The victim client never initiates SSLv2 connections. We implemented the attack and can decrypt a TLS 1.2 handshake using 2048-bit RSA in under 8 hours, at a cost of $440 on Amazon EC2. Using Internet-wide scans, we find that 33% of all HTTPS servers and 22% of those with browser-trusted certificates are vulnerable to this protocol-level attack due to widespread key and certificate reuse.

For an even cheaper attack, we apply our new techniques together with a newly discovered vulnerability in OpenSSL that was present in releases from 1998 to early 2015. Given an unpatched SSLv2 server to use as an oracle, we can decrypt a TLS ciphertext in one minute on a single CPU, fast enough to enable man-in-the-middle attacks against modern browsers. We find that 26% of HTTPS servers are vulnerable to this attack.

We further observe that the QUIC protocol is vulnerable to a variant of our attack that allows an attacker to impersonate a server indefinitely after performing as few as 2^17 SSLv2 connections and 2^58 offline work.

We conclude that SSLv2 is not only weak, but actively harmful to the TLS ecosystem.

Awarded the Pwnie for Best Cryptographic Attack 2016

Finalist of the 2016 Internet Defense Prize

[Website and paper] [Pwnie Awards] [Facebook Prize]

Tags: backwards compatibility, Bleichenbacher, SSLv2