Search code examples
securityssltls1.2dtlspadding-oracle-attack

What is the meaning of the name Lucky Thirteen?

From the article Lucky thirteen: Breaking the TLS and DTLS record protocols‏:

The details of which specific attacks are possible depends on the exact size of MAC tags output by the MAC algorithm negotiated by the Handshake Protocol, and also on the fact that the exactly 13 bytes of header data are incorporated in the MAC calculation (hence our title).

In addition, I read on the site of The Royal Holloway, University of London:

The fact that the TLS MAC calculation includes 13 bytes of header information (5 bytes of TLS header plus 8 bytes of TLS sequence number) is, in part, what makes the attacks possible.

As I understand, the attack is based on the padding mechanism, on the fact that CBC mode of operation is used and on the difference in the times of MAC calculation (and the compression function). I could not figure out how the size of the MAC header affects.

Can anyone please explain what is the meaning of the name Lucky Thirteen?

Thank you.

Solution

  • META: this is not a programming question and would fit much better on security.SX where we already have Qs on related attacks like BEAST and POODLE. I thought I remembered seeing one on Lucky-Thirteen but can't find any on searching, so I suggest migrating this.

    Calling it 'lucky' is as they say 'what passes for humour amongst cryptographers' but the importance of the pseudoheader being 13 bytes is outlined in the paragraph before the one you quoted:

    for certain carefully chosen message lengths and when the HMAC-SHA1 MAC algorithm is used, then TLS messages containing at least two bytes of correct padding will be processed slightly faster than TLS messages containing one byte of correct padding or padding that is incorrectly formatted.

    and detailed in section 4.2 of the paper: when using a CBC+HMAC-SHA1 ciphersuite if the attacker systematically tampers a 64-byte (not including IV) ciphertext:

    • when the (tampered) decryption ends with valid 2-byte or larger padding, HMAC is performed on data consisting of 64-2-20+13=55 bytes or less (and >2 padding -> <55 HMAC quickly becomes very unlikely);

    • otherwise HMAC is performed on 56 or 57 bytes.

    Because of the MD-padding done by SHA-1 (see 2.1) the latter requires one more compression function than the former, and it is the time for that additional compression function they statistically enhance and detect. This gives a padding oracle from which plaintext can be recovered.

    The 'luckiness' of 13 here is that 13 plus 9 is only slightly more than 20. As they note in 4.3, 12 would be even luckier, if SSL/TLS had been designed differently.