1. Lucky Thirteen: Breaking the TLS and DTLS Record Protocols 2013 Attacks Oakland TLS
    N. J. Al Fardan and K. G. Paterson
    [View PDF on isg.rhul.ac.uk]
    [Show BibTex Citation]

    author={N. J. Al Fardan and K. G. Paterson},
    booktitle={2013 IEEE Symposium on Security and Privacy},
    title={Lucky Thirteen: Breaking the TLS and DTLS Record Protocols},
    keywords={computer network security;cryptographic protocols;data integrity;Internet;mobile computing;DTLS record protocols;transport layer security protocol;data confidentiality;data integrity;de facto secure protocol;Internet;mobile applications;plaintext recovery attacks;timing analysis;decryption;OpenSSL implementations;cryptographic design;Timing;Encryption;Ciphers;Media Access Protocol;TLS;DTLS;CBC-mode encryption;timing attack;plaintext recovery},

The Transport Layer Security (TLS) protocol aims to provide confidentiality and integrity of data in transit across untrusted networks. TLS has become the de facto secure protocol of choice for Internet and mobile applications. DTLS is a variant of TLS that is growing in importance. In this paper, we present distinguishing and plaintext recovery attacks against TLS and DTLS. The attacks are based on a delicate timing analysis of decryption processing in the two protocols. We include experimental results demonstrating the feasibility of the attacks in realistic network environments for several different implementations of TLS and DTLS, including the leading OpenSSL implementations. We provide countermeasures for the attacks. Finally, we discuss the wider implications of our attacks for the cryptographic design used by TLS and DTLS.