Pierluigi Paganini March 27, 2015

Bar Mitzvah is the name of a new attack on RC4-Based SSL/TLS encryption that allows disclosure of sensitive data by exploiting  a 13-Year-Old Vulnerability.

Both Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) cryptographic protocols rely on the Rivest Cipher 4 (RC4) algorithm to encrypt data transfers.

The problem is that the RC4 is affected by several security issues, the last discovered in order of time, “Invariance Weakness,” was reported by Imperva that exploited it in an attack dubbed “Bar Mitzvah.”

The Invariance Weakness has been uncovered in the past 13 years, the experts demonstrated that the vulnerability could be exploited for plaintext recovery attacks allowing the attacker to extract partial data from protected communications.

The Bar Mitzvah attack could allow hackers to access a portion of traffic containing sensitive data, card details, and session cookies.

The attack, dubbed “Bar Mitzvah,” is similar to Browser Exploit Against SSL/TLS, aka BEAST attack.

The experts explained that in order to run the Bar Mitzvah, the attackers need to intercept a large number of SSL/TLS connections that use RC4 with the intent to find a weak key. Once discovered the weak key, the attacker can use it to recover partial plain text data.

The experts have estimated that to run an attack, it is necessary a number of attempts of 1 billion to discover a weak key out of every 16 million RC4 keys.

In order to reduce the complexity of the attack, an attacker can only target the first 100 bytes of protected data. The partial data could be used to improve a brute-force attacks on sensitive information (i.e. session cookies, sensitive data).

“Given that the Invariance Weakness is expressed only in the first 100 bytes of the keystream, it can be used only for the first 100 bytes of the protected upstream traffic and the first 100 bytes of the protected downstream traffic. Given that the first encrypted message in each direction is the SSL Handshake Finished message (36-bytes in typical usage of SSL), about 64 bytes of secret plaintext data are left for the attack.”  states the report published by Imperva titled “Attacking SSL when using RC4: Breaking SSL with a 13-year old RC4 Weakness.” 

The report also detailed another attack mode for the Bar Mitzvah, the Non-Targeted Passive Attack, in which the attacker exploit the Invariance Weakness to eavesdrop the traffic directed to a specific website. The attacker will be able to access one piece of sensitive information every 1 billion connections, but in this attack scenario it is impossible to discriminate the identity of a specific user. A variant of the Non-Targeted Passive Attack could obtain 1 billion connections from a group of victims, for example, launching a man-in-the-middle attack against multiple users through DNS poisoning.

As a countermeasure for the Bar Mitzvah it is suggested to avoid the use of the RC4 algorithm.

Despite the likelihood of being compromised by a Bar Mitzvah attack is low, the experts stress doesn’t underestimate it.

Pierluigi Paganini

(Security Affairs –  Bar Mitzvah,   encryption, RC4)