26

Can someone explain why the BEAST attack wasn't considered plausible? I saw an article quoting the creator as saying 'It is worth noting that the vulnerability that BEAST exploits has been presented since the very first version of SSL. Most people in the crypto and security community have concluded that it is non-exploitable' (http://threatpost.com/en_us/blogs/new-attack-breaks-confidentiality-model-ssl-allows-theft-encrypted-cookies-091911), and several other articles mentioned that the attack was previously thought implausible, but I don't know why.

Andrei Botalov
Andrew Semler

3 Answers

23

The attack requires cooperation between an outer component (which can intercept traffic) and an inner component which runs on the attacked machine and is able to inject arbitrary data (chosen by the attacker) within the SSL tunnel, along with the piece of data which is to be decrypted. The general view among most people in the crypto and security communities is that when the attacker can do that, he has enough control on the attacked machine that he can be considered to have already won. A fix was nonetheless published in TLS 1.1 (published in 2006) and ulterior versions.

It so happens that with 2011's Internet, there can be a considerable amount of hostile code running on the user's system, through Java and/or Javascript, and such code has considerable power over what happens on said system. This is the kind of über-attacker that was envisioned and declared as "not plausible in practice" back in 2006. Note that BEAST is as yet unpublished except through some slides, so while it has run successfully in lab conditions, it is unclear whether it would be worth the effort to build it in the wild. After all, it seems that nobody ever bothered decrypting 40-bit SSL connections on a regular, industrial basis, despite the computational ease of doing so (that "nobody" is about attackers who are after credit card numbers and banking access passwords, not governmental security agencies -- if your country's secret service does not routinely decrypt 40-bit SSL, then you are entitled to question what the heck they do with your tax money).

One way to see it is that crypto and security researchers, and/or Web browser vendors, failed to envision the evolution of the Web architecture. Another way to see it is that browser vendors are hard at work building a Web structure which is, security-wise, doomed from start.

Thomas Pornin
  • +1 for the analysis of web structure evolution – gowenfawr Oct 17 '11 at 13:06
  • +1. One thing I'd like to correct is BEAST is an unreleased working exploit - http://vnhacker.blogspot.com/2011/09/beast.html. If these were random people I'd agree in calling it unconfirmed to be working until published, but given their history you can be certain if it's in the video, it works. – eglasius Oct 27 '11 at 23:17
  • @eglasius: what I mean is that there is no doubt that the crypto part of BEAST works (that's a rather old chosen-plaintext attack on CBC mode, it was already known in 2006 which is why TLS 1.1 already has the proper fix) and the Web/Javascript component is also quite plausible. What is less clear is whether operational conditions make it applicable "in the wild". The attack assumes coordination between the inner component (the hostile Javascript code) and an outer component (a network sniffer). This may or may not prove difficult to use as part of a true attack (thus "not worth the effort"). – Thomas Pornin Oct 28 '11 at 16:20
  • @Thomas please check the blog post I linked. They do have a complete attack there (via a hostile Java applet). They did take advantage of a separate 0-day vulnerability in the Java VM to get to the point of doing that (Oracle issued a patch in response ... Firefox is not disabling the old one by default, so it'll be out there for a while), but the point is it is not theory, the exploit exists now. These guys are the real deal (great & recent security researchers), as they are the same ones that made the ASP.NET padding oracle scandal (along with many other techs impacted), which also took some convincing. – eglasius Oct 28 '11 at 18:57
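To make concrete the "rather old chosen-plaintext attack on CBC mode" and the TLS 1.1 fix mentioned in the comments above, here is a small Python model added to this page; it is not code from the answer, from BEAST, or from any TLS implementation. It stands a toy Feistel block cipher in for AES and uses a constructed record; `guess_confirmed` shows that with TLS 1.0's chained IV (the previous record's last ciphertext block) a guess for an earlier plaintext block can be checked from the ciphertext alone, while TLS 1.1's explicit per-record random IV makes the same check fail.

```python
import hashlib
import hmac
import os

BLOCK = 16  # bytes per CBC block

def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function for the toy cipher: HMAC-SHA256 truncated to 8 bytes.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 4-round Feistel cipher (a permutation on 16-byte blocks) standing in
    # for AES; the CBC chaining property shown below does not depend on the cipher.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, bytes(a ^ b for a, b in zip(l, _round(key, i, r)))
    return l + r

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Plain CBC; plaintext is assumed to be a whole number of blocks.
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def guess_confirmed(key, assumed_iv, c_prev, c_target, guess, explicit_iv):
    # c_target = E(P xor c_prev) was observed on the wire. The inner component
    # asks for X = guess xor c_prev xor assumed_iv as the first block of the
    # next record. TLS 1.0: the next IV really is the previous record's last
    # ciphertext block, so it cancels and the result equals c_target iff guess == P.
    # TLS 1.1: the sender draws a fresh random IV after X is fixed, so nothing cancels.
    actual_iv = os.urandom(BLOCK) if explicit_iv else assumed_iv
    x = xor(xor(guess, c_prev), assumed_iv)
    return cbc_encrypt(key, actual_iv, x) == c_target

def demo():
    # Constructed sample record: request line, a 16-byte "secret" block, trailer.
    key, secret = os.urandom(16), b"cookie=SECRET_01"
    record = cbc_encrypt(key, os.urandom(BLOCK),
                         b"GET /index.html " + secret + b" HTTP/1.0\r\n\r\n   ")
    c_prev, c_target = record[:BLOCK], record[BLOCK:2 * BLOCK]
    chain_iv = record[-BLOCK:]  # TLS 1.0 IV for the next record
    return (guess_confirmed(key, chain_iv, c_prev, c_target, secret, False),
            guess_confirmed(key, chain_iv, c_prev, c_target, b"cookie=WRONG_001", False),
            guess_confirmed(key, chain_iv, c_prev, c_target, secret, True))
```

`demo()` returns `(True, False, False)`: the right guess is confirmed under chained IVs, a wrong guess is not, and under explicit random IVs even the right guess is not.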
4

Previously, the attack was considered possible in principle but not a serious threat in practice. It was believed that the attack would require so much chosen plaintext that the attack was not a practical threat. In addition, in the web setting, there was no known way to get the victim's browser to encrypt the chosen plaintext with the necessary level of control (it was known how to do it in a VPN setting, but not for a victim who is using a web browser to browse the web). Therefore, the attack was believed to be of limited relevance in the real world.

Obviously, this belief had some holes in it. As Bruce Schneier writes, "attacks always get better". In other words, just because today an attack appears to require 2^20 chosen plaintexts, doesn't mean it will always be so -- people might in the future discover ways to reduce the amount of chosen plaintext required.

I can sympathize with an argument that, in retrospect, the community should have taken the attack more seriously. That said, hindsight is 20-20, so I wouldn't judge the community too harshly. Bottom line: these things happen. Our understanding grows over time.

D.W.
1

The exploit was only considered theoretical, so all big browser vendors simply chose to ignore it. Anyway, as far as I know, the paper is still not released, but some people in the crypto community seem to have understood the attack.