Overview[1]#
Lucky 13 is an attack on cryptographic timing exploit against implementations of the Transport Layer Security (TLS) protocol that use the CBC mode of operation, first reported in February 2013Lucky 13 attacks arise from a vulnerability in the TLS specification rather than as a vulnerability in specific implementations.[2]
Lucky 13 apply to all TLS and DTLS implementations that are compliant with TLS 1.1 or TLS 1.2, or with DTLS 1.0 or 1.2. They also apply to implementations of SSLv3 and TLS 1.0 that incorporate countermeasures to previous Padding bit oracle attacks.
What are the countermeasures? #
There are several possible countermeasures against Lucky 13 attacks, some of which are more effective than others:- Switch to using RC4 Cipher Suites. This should only be seen as a temporary measure, since RC4 has significant cryptographic weaknesses when it is used in TLS. This option is not available for DTLS.
- Switch to using AEAD Cipher Suites, such as AES-GCM. Support for AEAD Cipher Suites was specified in TLS 1.2
- for the long term is to avoid using TLS in CBC-mode and to switch to using AEAD algorithms.
Why are the attacks called "Lucky 13"?[2]#
In Western culture, 13 is considered an unlucky number. However, the fact that the TLS MAC calculation includes 13 bytes of header information (5 bytes of TLS header plus 8 bytes of TLS sequence number) is, in part, what makes the attacks possible. So, in the context of our attacks, 13 is lucky - from the attacker's perspective at least. This is what passes for humour amongst cryptographers.More Information#
There might be more information for this subject on one of the following:- [#1] - Lucky_Thirteen_attack
- based on information obtained 2017-06-09-
- [#2] - Lucky Thirteen: Breaking the TLS and DTLS Record Protocols
- based on information obtained 2015-12-07