Researchers have unveiled a theoretical attack on the TLS encryption protocol that can be used to decrypt HTTPS connections between users and servers and read sensitive communications. The attack is known as Raccoon. But how does the Raccoon attack work, and what does it offer to hackers?
According to a document released today, during a Raccoon attack hackers measure the time it takes to perform known cryptographic functions in order to identify parts of the algorithm's input. The target of the attack is the Diffie-Hellman key exchange, with the aim of recovering several bytes of information. From these, the hackers can construct a set of equations and use a Hidden Number Problem (HNP) solver to compute the original premaster secret established between the client and the server. According to the researchers, all servers that use Diffie-Hellman key exchange to establish TLS connections are vulnerable to Raccoon attacks.
This is a server-side attack and cannot be executed against a client, such as a browser. The attack must also be carried out separately for each client-server connection; it cannot be used to retrieve the server's private key and decrypt all connections at once. Servers that use Diffie-Hellman key exchange with TLS 1.2 and below are considered vulnerable, and DTLS is also affected. TLS 1.3, on the other hand, is considered secure.
However, despite its ability to decrypt TLS sessions and read sensitive communications, the researchers were the first to admit that the Raccoon attack is extremely difficult to carry out, as specific and extremely "rare" conditions have to be met. In particular, the researchers said that hackers need to be close to the target server in order to perform high-precision timing measurements. They need the victim's connection to use the Diffie-Hellman key exchange and the server to reuse its ephemeral keys. And finally, the hackers need to observe the initial connection. However, compared to what hackers must do to "break" modern cryptographic primitives such as AES, the attack no longer seems complicated. In practice, hackers are likely to use other attack methods that are simpler and more reliable than this one.
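To make the two points above concrete (the leak in the key-exchange step, and the ephemeral-key-reuse precondition), here is an added illustration written for this article; it is not code from the researchers, the paper or any vendor. It uses a small prime for illustration only (real TLS groups are 2048 bits or more) and assumes the defender has collected the server's DH public value from several observed handshakes.

```python
import secrets

# Toy prime for illustration only: 2^127 - 1 is prime. Real TLS-DH groups
# (e.g. RFC 7919 ffdhe2048) are far larger, but the encoding issue is the same.
P = (1 << 127) - 1
P_LEN = (P.bit_length() + 7) // 8  # 16 bytes for this toy group


def premaster_tls12(z: int) -> bytes:
    """TLS <= 1.2 style (RFC 5246 s8.1.2): leading all-zero bytes of the
    shared secret Z are stripped, so the length of the KDF input depends on
    the most significant byte(s) of Z. That length difference is what a
    timing side channel can observe."""
    return z.to_bytes(P_LEN, "big").lstrip(b"\x00") or b"\x00"


def premaster_fixed(z: int) -> bytes:
    """TLS 1.3 style (RFC 8446 s7.4.1): Z is left-padded to the size of p,
    so every shared secret yields a KDF input of identical length."""
    return z.to_bytes(P_LEN, "big")


def kdf_input_lengths(encoder, shared_secrets) -> set:
    """Set of distinct KDF input lengths an encoder produces over a sample."""
    return {len(encoder(z)) for z in shared_secrets}


def leak_rate(samples: int = 20000) -> float:
    """Fraction of random secrets whose stripped encoding is shorter than
    the group size; expected to be about 1/256 for a full-size group."""
    short = sum(
        len(premaster_tls12(secrets.randbelow(P - 1) + 1)) < P_LEN
        for _ in range(samples)
    )
    return short / samples


def reused_server_public_values(observed_ys) -> set:
    """Defender check: given the server DH public value (Ys) seen in each
    handshake, return the values that appear more than once. Raccoon
    requires the server to reuse its ephemeral DH key across connections."""
    counts = {}
    for ys in observed_ys:
        counts[ys] = counts.get(ys, 0) + 1
    return {ys for ys, n in counts.items() if n > 1}


if __name__ == "__main__":
    sample = [secrets.randbelow(P - 1) + 1 for _ in range(5000)]
    print("stripped lengths:", kdf_input_lengths(premaster_tls12, sample))
    print("fixed lengths:   ", kdf_input_lengths(premaster_fixed, sample))
    print("fraction leaking a zero MSB:", leak_rate())
    # Constructed sample of Ys values from six handshakes: 5 and 7 repeat.
    print("reused Ys:", reused_server_public_values([5, 7, 5, 9, 7, 7]))
```

A server that always returns an empty set from the reuse check (fresh Ys per handshake) is not exposed even on TLS 1.2, which is why vendors' fixes centred on disabling DH key reuse and, where possible, moving to TLS 1.3.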
While the attack has been deemed "difficult" to exploit, some companies have released patches. Microsoft (CVE-2020-1596), Mozilla, F5 Networks (CVE-2020-5929) and OpenSSL (CVE-2020-1968) have released security updates to prevent Raccoon attacks. Additional technical details are available on a dedicated site and in a research paper entitled "Raccoon Attack: Finding and Exploiting Most-Significant-Bit-Oracles in TLS-DH".