Conference Proceedings
Drown: Breaking TLS using SSLv2
N Aviram, S Schinzel, J Somorovsky, N Heninger, M Dankel, J Steube, L Valenta, D Adrian, JA Halderman, V Dukhovni, E Käsper, S Cohney, S Engels, C Paar, Y Shavitt
Proceedings of the 25th Usenix Security Symposium | USENIX ASSOC | Published : 2016
Abstract
We present DROWN, a novel cross-protocol attack on TLS that uses a server supporting SSLv2 as an oracle to decrypt modern TLS connections. We introduce two versions of the attack. The more general form exploits multiple unnoticed protocol flaws in SSLv2 to develop a new and stronger variant of the Bleichenbacher RSA padding-oracle attack. To decrypt a 2048-bit RSA TLS ciphertext, an attacker must observe 1,000 TLS handshakes, initiate 40,000 SSLv2 connections, and perform 2^50 offline work. The victim client never initiates SSLv2 connections. We implemented the attack and can decrypt a TLS 1.2 handshake using 2048-bit RSA in under 8 hours, at a cost of $440 on Amazon EC2. Using Internet-w..
Grants
Awarded by Alfred P. Sloan Foundation