Lucky 13


Lucky 13 is an attack on cryptographic timing exploit against implementations of the Transport Layer Security (TLS) protocol that use the CBC mode of operation, first reported in February 2013

Lucky 13 attacks arise from a vulnerability in the TLS specification rather than as a vulnerability in specific implementations.[2]

Lucky 13 apply to all TLS and DTLS implementations that are compliant with TLS 1.1 or TLS 1.2, or with DTLS 1.0 or 1.2. They also apply to implementations of SSLv3 and TLS 1.0 that incorporate countermeasures to previous Padding bit oracle attacks.

What are the countermeasures? #

There are several possible countermeasures against Lucky 13 attacks, some of which are more effective than others:

Why are the attacks called "Lucky 13"?[2]#

In Western culture, 13 is considered an unlucky number. However, the fact that the TLS MAC calculation includes 13 bytes of header information (5 bytes of TLS header plus 8 bytes of TLS sequence number) is, in part, what makes the attacks possible. So, in the context of our attacks, 13 is lucky - from the attacker's perspective at least. This is what passes for humour amongst cryptographers.

More Information#

There might be more information for this subject on one of the following: