"The new AlFardan and Paterson result shows that it is indeed possible to distinguish the tiny timing differential caused by invalid padding, at least from a relatively close distance -- e.g., over a LAN," Matthew Green, a cryptographer and research professor at Johns Hopkins University in Baltimore, Maryland, said Monday in a blog post. "This is partly due to advances in computing hardware: most new computers now ship with an easily accessible CPU cycle counter. But it's also thanks to some clever statistical techniques that use many samples to smooth out and overcome the jitter and noise of a network connection."
In addition to being in close proximity to the targeted server, a successful Lucky Thirteen attack would also require a very high number -- millions -- of attempts in order to gather enough data to perform relevant statistical analysis of the timing differences and overcome network noise that might interfere with the process.
The secret plaintext targeted for decryption needs to have a fixed position in the HTTPS stream. This condition is met by authentication (session) cookies -- small strings of random text stored by websites in browsers to remember logged-in users. An authentication cookie can give the attacker access to the user's account on its corresponding website, making it a valuable piece of information worth stealing.
However, the biggest hurdle to be overcome by potential attackers is the fact that TLS kills the session after each failed decryption attempt, so the session needs to be renegotiated with the server. "TLS handshakes aren't fast, and this attack can take tens of thousands (or millions!) of connections per [recovered] byte," Green said. "So in practice the TLS attack would probably take days. In other words: don't panic."
DTLS on the other hand does not kill the session if the server fails to decrypt a record because it was altered, making the Lucky Thirteen attacks borderline practical against this protocol, Green said.
"The attacks can only be carried out by a determined attacker who is located close to the machine being attacked and who can generate sufficient sessions for the attacks," AlFardan and Paterson said. "In this sense, the attacks do not pose a significant danger to ordinary users of TLS in their current form. However, it is a truism that attacks only get better with time, and we cannot anticipate what improvements to our attacks, or entirely new attacks, may yet to be discovered."
Ivan Ristic, director of engineering at security firm Qualys, agrees that the Lucky Thirteen attacks are practical for DTLS, but not practical in their current form for TLS. Nevertheless, the research is significant from an academic standpoint, he said Tuesday via email.
Web server administrators have the option of prioritizing a cipher suite that's not affected by these types of attack in their HTTPS implementations. For many, the only choice is RC4, a stream cipher that dates back to 1987.
"There's a wide dislike of RC4 because of its known flaws (none of which apply or applied to SSL/TLS), but we haven't yet seen a working attack against RC4 as used in TLS," Ristic said. "In that sense, even though RC4 is not ideal, it appears to be stronger than the alternatives currently available in TLS 1.0."
TLS 1.2 supports AES-GCM (AES Galois Counter Mode), a more modern cipher suite that's also not vulnerable to these types of attack. However, the overall adoption of TLS 1.2 is currently low.