Reference Guide
10 SSL/TLS Communications
RSA BSAFE SSL-J 6.2.6 Security Best Practices Guide
Lucky Thirteen Attack
In February 2013, the Lucky Thirteen (SSL/TLS Plaintext Recovery) attack was announced. Researchers discovered a weakness in how SSL, TLS, and DTLS implementations handle CBC cipher suites: vulnerable implementations do not account for timing side channels in the MAC check that is performed while processing a record with malformed CBC padding. A remote attacker who sends crafted records and applies statistical analysis to the timing of the responses can mount distinguishing attacks and plaintext recovery attacks. In short, the Lucky Thirteen attack exploits timing differences that arise during MAC processing.
How to Help Prevent the Attack
To help prevent the Lucky Thirteen attack, disable CBC mode cipher suites on clients and servers. Use cipher suites based on RC4 and, if TLS 1.2 is available, AES-GCM instead.
How to Help Prevent the Attack in SSL-J
SSL-J includes a patch to ensure MAC checking is time invariant in servers.
Note: This patch is only applicable on the server side. Because the security of the client side cannot be guaranteed, RSA recommends that clients do not use CBC mode cipher suites.
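The following added example (not SSL-J code, and not the SSL-J patch itself) illustrates the defect and the mitigation described above on a constructed MAC-then-pad TLS record: a check that returns early on bad padding without doing any MAC work, next to the "always compute the MAC" shape that RFC 5246 section 6.2.3.2 prescribes. The key, sequence number, record type and version are constructed test values; the helper names are this example's own.

```python
import hashlib
import hmac
import struct

MAC_LEN = hashlib.sha1().digest_size  # 20 for the HMAC-SHA1 CBC suites
APP_DATA, TLS12 = 23, 0x0303            # constructed record type / version


def tls_mac(mac_key, seq, data):
    # TLS 1.x record MAC: HMAC(seq_num || type || version || length || fragment).
    # The 13-byte header in front of the fragment is where the attack's name comes from.
    hdr = struct.pack("!QBHH", seq, APP_DATA, TLS12, len(data))
    return hmac.new(mac_key, hdr + data, hashlib.sha1).digest()


def build_plaintext(mac_key, seq, data, block=16, corrupt_pad=False):
    # Constructed MAC-then-pad fragment, i.e. what CBC decryption hands back.
    mac = tls_mac(mac_key, seq, data)
    padlen = (block - (len(data) + MAC_LEN + 1) % block) % block
    padding = bytes([padlen]) * (padlen + 1)
    if corrupt_pad:  # every padding byte must equal padlen; break one of them
        padding = b"\xff" + padding[1:]
    return data + mac + padding


def check_naive(mac_key, seq, pt):
    """Vulnerable shape: bad padding returns before any MAC work is done."""
    padlen = pt[-1]
    if padlen + MAC_LEN + 1 > len(pt) or pt[-padlen - 1:] != bytes([padlen]) * (padlen + 1):
        return None, False            # fast path: no HMAC computed at all
    data = pt[:-padlen - 1 - MAC_LEN]
    mac = pt[len(data):len(data) + MAC_LEN]
    ok = hmac.compare_digest(tls_mac(mac_key, seq, data), mac)
    return (data if ok else None), True


def check_always_mac(mac_key, seq, pt):
    """RFC 5246 6.2.3.2 shape: record a bad pad in a flag, treat the pad length
    as zero, still compute the MAC, and reject only at the end. Lucky Thirteen
    shows a small residual channel remains (the hash work still depends on the
    pad length); a fully time-invariant check also equalises that work."""
    padlen = pt[-1]
    good = padlen + MAC_LEN + 1 <= len(pt)
    if good:
        for b in pt[-padlen - 1:]:
            good &= (b == padlen)
    if not good:
        padlen = 0                    # bad pad: MAC over the longest plausible fragment
    data = pt[:-padlen - 1 - MAC_LEN]
    mac = pt[len(data):len(data) + MAC_LEN]
    good &= hmac.compare_digest(tls_mac(mac_key, seq, data), mac)
    return (data if good else None), True
```

Each check returns the recovered fragment (or None) together with whether a MAC was computed; the second value is what an attacker measures through timing in the naive version.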
For more information, see http://www.isg.rhul.ac.uk/tls/TLStiming.pdf and CVE-2013-0169.