Ruhr-Uni-Bochum

The Telltale Zero

Attacks on the TLS protocol are both rare and highly complex. And yet, the encryption experts at Ruhr University Bochum are constantly tracking down new ones.

The focus of Robert Merget’s research is on the TLS encryption protocol. Copyright: CASA, Michael Schwettmann

The crypto experts at Ruhr University Bochum always keep an eye on network traffic and work on TLS analysis tools. Copyright: CASA, Michael Schwettmann

Tricky calculations: mathematical methods from linear algebra are used for decoding. Copyright: CASA, Michael Schwettmann

The calculations for the RACCOON attack were run on the Chair’s own cloud. Copyright: CASA, Michael Schwettmann

The thick volume that contains all technical details on the TLS encryption protocol has roughly a thousand pages. This means that the TLS standard is as thick as three Harry Potter novels. "It takes a lot of time and crypto know-how to understand and keep track of all of its features," says Dr. Robert Merget from the Chair for Network and Data Security at Ruhr University Bochum, which has been specialising in Transport Layer Security (TLS) for years. This cryptographic encryption protocol ensures that, for example, connections between internet browsers and servers or between different email servers are secure. Merget and his colleagues know the standard pretty much by heart and have consequently mastered every trick and every TLS encryption spell.

They have been developing a TLS analysis tool since 2015. It enables companies to implement TLS with as few errors as possible to ensure that there are no security gaps left for attackers to exploit. Almost every day, the researchers come across vulnerabilities that occur during implementation, so-called bugs. "By contrast, systematic attacks on the TLS standard have become rather rare," points out Merget. But they do still happen. In 2020, the encryption expert discovered a highly specialised attack on a specific TLS algorithm, and alerted the crypto community to the threat of a malicious RACCOON attack.

"We use easy-to-remember names for vulnerabilities that are otherwise quite technical. This makes it easier for us to talk about them in the community," explains Merget. While research institutes are part of the community, it is primarily IT companies such as Google, Microsoft and Cloudflare who have a vested interest in ensuring that TLS is as secure as possible and who are constantly trying to improve it.

TLS, the secret language
The TLS encryption protocol is public and can be viewed by all. "The algorithms are public, but the keys that are used are secret," outlines Merget. "Think of it like a secret language." In the past, such secret languages often worked by swapping letters. People who knew the exact code – that is, who knew which letter had to be substituted for which – were able to decode the message. However, keeping the method itself secret turned out to be difficult and insecure. This is why today’s encryption experts choose a different approach. "Modern algorithms are public, but the keys for the algorithms are secret. It’s the same with TLS. The attacker has access to the encryption principle, but the keys are kept secret," explains Merget. The main purpose of TLS cryptography is to prevent third parties from intercepting communications. Moreover, the protocol provides two further properties: authentication and data integrity.

About four billion users worldwide use TLS today. And each of them has different preferences and requirements for the encryption protocol. This explains why so many developers have been refining and tweaking the TLS standard for years – and also why the protocol is today considered secure. This was, after all, not always the case.

"Since TLS was created in 1994, the protocol has been the target of numerous attacks. Most notably, there were many attacks between 2011 and 2016," says Merget. But as he points out: "As a rule, this is not an attack that can be carried out by your local neighbourhood hacker. These are difficult high-tech attacks, such as might be executed by secret services. Usually, ordinary users have nothing to fear from them." Since the introduction of the modernised TLS 1.3 standard in 2018, the number of attacks has decreased significantly. And yet: attacks on the TLS versions introduced between 1996 and 2018 do still take place. In 2020, Robert Merget discovered the vulnerability in question, which he dubbed RACCOON.

A RACCOON attacks
The RACCOON attack targets the so-called Diffie-Hellman key exchange protocol, i.e. a very specific algorithm that can be used in TLS to ensure that, for example, a bank and its client can exchange a shared secret, a shared key.

In concrete terms, the attacker exploits a timing vulnerability in the key derivation when the Diffie-Hellman algorithm is used: how long the key derivation, and with it the cryptographic processing of the secret, takes gives the attacker the information he needs to decrypt the data and thus to break the confidentiality of the protocol.

Eavesdropping via a side channel
"Timing is a so-called side channel, one of many, that allows us to infer the secret key of an algorithm and possibly even to crack it," elaborates Merget. "Let’s say I encrypt the word dog or the word mouse. It takes longer for me to encrypt the word mouse because it has more letters. An attacker can measure the time it takes me to encrypt communication, and then use the measured time to deduce what was encrypted." In addition to time, factors such as rising temperatures or the power consumption of devices likewise provide information about the computing operations of an algorithm – these, too, are side channels that may enable attackers to obtain keys.

The leading zero
The concept behind the RACCOON attack is easy to understand. "Broadly speaking, the Diffie-Hellman key is always based on calculations with a remainder," says Merget. In the Diffie-Hellman key exchange, the computation continues with this remainder, and its leading zeros are dropped.

"Processing smaller numbers can be done more rapidly because of the smaller data volume. This gives the attacker an advantage: he observes how fast an operation was executed and then concludes whether or not there was a leading zero," explains Merget. This is the vulnerability that the attacker exploits. He can then reconstruct the secret key from the information he has gathered. "However, to do this, he needs complicated mathematical procedures used in linear algebra," adds Merget.
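The following added example (not from the article or the Bochum group's tooling) makes the leading-zero point concrete: it runs a Diffie-Hellman exchange in a constructed toy group (a 64-bit prime with an unverified generator; not a real TLS group) and compares the TLS 1.2 style encoding of the shared secret, which strips leading zero bytes and so has a secret-dependent length, with the TLS 1.3 style fixed-length encoding, which does not.

```python
import hashlib
import random

# Constructed toy group (NOT a real TLS group; the generator is not verified).
P = 2**64 - 59                       # the largest prime below 2^64
G = 2
P_LEN = (P.bit_length() + 7) // 8    # 8 bytes: fixed encoding length of the group


def dh_public(priv: int) -> int:
    return pow(G, priv, P)


def dh_shared(priv: int, peer_pub: int) -> int:
    """Both sides compute g^(ab) mod p, the 'remainder' the article refers to."""
    return pow(peer_pub, priv, P)


def encode_stripped(z: int) -> bytes:
    """TLS 1.2 style premaster secret (RFC 5246, section 8.1.2): leading zero
    bytes are stripped, so the length reveals whether the top byte was zero."""
    return z.to_bytes(max(1, (z.bit_length() + 7) // 8), "big")


def encode_fixed(z: int) -> bytes:
    """TLS 1.3 style (RFC 8446, section 7.4.1): always |p| bytes, zeros kept."""
    return z.to_bytes(P_LEN, "big")


def derive_key(premaster: bytes) -> bytes:
    """Stand-in for the key derivation; only its input length matters here."""
    return hashlib.sha256(premaster).digest()


def shortened_fraction(trials: int = 20000, seed: int = 1) -> float:
    """Fraction of random group elements whose stripped encoding is shorter
    than P_LEN, i.e. the share of handshakes whose processing would differ."""
    rng = random.Random(seed)
    short = sum(len(encode_stripped(rng.randrange(1, P))) < P_LEN for _ in range(trials))
    return short / trials


if __name__ == "__main__":
    a, b = 0x123456789ABC, 0xFEDCBA987654        # constructed private exponents
    z = dh_shared(a, dh_public(b))
    assert z == dh_shared(b, dh_public(a))
    print("stripped:", len(encode_stripped(z)), "bytes; fixed:", len(encode_fixed(z)), "bytes")
    print("fraction of shortened secrets:", shortened_fraction())   # roughly 1/256
```

With a fixed-length encoding every handshake feeds the same number of bytes into the key derivation, which is the property that removes the length signal described above.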

Reporting vulnerabilities
To find out just how widespread the vulnerability is, Merget sent data packets via a dedicated internet line to approximately 100,000 servers that use TLS. "Three per cent of the world’s internet responded and was affected by this vulnerable TLS configuration," points out Merget.

"In the first step, we contacted all developers of major TLS implementations and warned them. We then reported the case to the Federal Office for Information Security and asked them to support us in the so-called responsible disclosure process," says Merget. The purpose of this process for the disclosure of security vulnerabilities, which is well-established in IT security, is to notify manufacturers promptly about vulnerabilities and to provide updates and patches before the public becomes aware of them.

Forewarned is forearmed
But how can the vulnerability be fixed? "The best course of action is to use the latest and most secure version of TLS, TLS 1.3," recommends Merget. Overall, however, the researcher is convinced that the TLS protocol is very secure: "It is extremely difficult to still detect vulnerabilities."

---

The invention of TLS
The encryption protocol TLS was developed in 1994 by the company Netscape (today: Firefox) and was initially called SSL (Secure Sockets Layer). In 1999, the Internet Engineering Task Force renamed SSL to TLS because it believed that the protocol for data security on the internet shouldn’t be in the hands of one corporation.

The article is published as part of the IT security special issue of the science magazine Rubin 2022/23.
