A team of academics has disclosed today a theoretical attack on the TLS cryptographic protocol that can be used to decrypt the HTTPS connection between users and servers and read sensitive communications.
Named Raccoon, the attack has been described as "really hard to exploit" and its underlying conditions as "rare."
How the Raccoon attack works
According to a paper published today, the Raccoon attack is, at its base, a timing attack, where a malicious third-party measures the time needed to perform known cryptographic operations in order to determine parts of the algorithm.
In the case of a Raccoon attack, the target is the Diffie-Hellman key exchange process, with the aim being to recover several bytes of information.
"In the end, this helps the attacker to construct a set of equations and use a solver for the Hidden Number Problem (HNP) to compute the original premaster secret established between the client and the server," the research team explained.
According to the researchers, all servers that use the Diffie-Hellman key exchange in setting up TLS connections are vulnerable to attacks.
This is a server-side attack and cannot be performed on a client, such as browsers. The attack also needs to be executed for each client-server connection in part, and cannot be used to recover the server's private key and decrypt all connections at once.
Servers that use the Diffie-Hellman key exchange and TLS 1.2 and below are considered vulnerable. DTLS is also impacted.
TLS 1.3 is considered safe.
Not a practical attack
But despite having the capability to decrypt TLS sessions and read sensitive communications, the research team was also the first to admit that the Raccoon attack was also extremely hard to pull off.
For starters, the attack requires that certain and extremely rare conditions be met.
"The vulnerability is really hard to exploit and relies on very precise timing measurements and on a specific server configuration to be exploitable," researchers said.
"[The attacker] needs to be close to the target server to perform high precision timing measurements. He needs the victim connection to use DH(E) and the server to reuse ephemeral keys. And finally, the attacker needs to observe the original connection.
"For a real attacker, this is a lot to ask for," academics said.
"However, in comparison to what an attacker would need to do to break modern cryptographic primitives like AES, the attack does not look complex anymore.
"But still, a real-world attacker will probably use other attack vectors that are simpler and more reliable than this attack," researchers added.
While the attack has been deemed hard to exploit, some vendors have done their due diligence and released patches. Microsoft (CVE-2020-1596), Mozilla, OpenSSL (CVE-2020-1968), and F5 Networks (CVE-2020-5929) have released security updates to block Raccoon attacks.
Additional technical details are also available on a dedicated website and in a research paper titled "Raccoon Attack: Finding and Exploiting Most-Significant-Bit-Oracles inTLS-DH(E)" [PDF].