
Get lucky: The Virtues of Breaking Internet Security

The first Applied Networking Research Prize for 2014 was awarded to Kenny Paterson for finding and documenting new attacks against key Internet security protocols. In their paper, “Lucky Thirteen: Breaking the TLS and DTLS Record Protocols” (Proc. IEEE Symposium on Security and Privacy, pp. 526-540, San Francisco, CA, USA, May 2013), Kenny and his co-author Nadhem Al Fardan demonstrate practical attacks against Transport Layer Security, a fundamental security building block for much of today’s online activity.

Kenny’s presentation to the Internet Research Task Force open meeting in London gave great insight into the techniques he and others have developed to exploit seemingly tiny differences in the timing of protocol operations to reveal plaintext and thereby break the security of the transaction. Implementations now need to be constant-time and constant-memory-access before anyone can be confident that such potential implementation weaknesses have been completely eliminated (and see [] for a discussion of how hard that is to achieve in practice).
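As an added illustration of what a constant-time, constant-memory-access check looks like (this is not code from the paper or from any TLS library), the C code below validates TLS CBC record padding without branching or indexing on the secret padding length. The function names, the 4-byte stand-in MAC and the sample record are assumptions made for the example; a full Lucky Thirteen mitigation must also make the MAC computation time independent of the padding length, which is outside this block.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 0xFF if a < b, else 0x00, with no branch. Both inputs must be < 2^31. */
static uint8_t ct_lt(uint32_t a, uint32_t b) {
    return (uint8_t)(0u - ((a - b) >> 31));
}

/* 0xFF if x == 0, else 0x00, with no branch. */
static uint8_t ct_is_zero8(uint8_t x) {
    return (uint8_t)(((uint32_t)x - 1u) >> 24);
}

/*
 * rec/len: decrypted CBC record laid out as data || MAC || padding || padlen.
 * Returns 0xFF when the padding is well formed, 0x00 otherwise, and stores the
 * number of trailing bytes to strip (padlen + 1, or 0 if invalid) in *strip.
 * The caller should still run the MAC check and AND the two results together.
 */
uint8_t tls_cbc_check_padding_ct(const uint8_t *rec, size_t len,
                                 size_t mac_len, size_t *strip) {
    /* len and mac_len are public, so branching on them leaks nothing secret.
       18432 = 2^14 + 2048, the TLS limit on ciphertext record length. */
    if (len < mac_len + 1 || len > 18432) { *strip = 0; return 0; }
    uint8_t padlen = rec[len - 1];                 /* secret-dependent value */
    /* Padding plus MAC must fit: padlen <= len - mac_len - 1. */
    uint8_t good = (uint8_t)~ct_lt((uint32_t)(len - mac_len - 1), padlen);
    size_t scan = len < 256 ? len : 256;           /* fixed by public length */
    uint8_t diff = 0;
    for (size_t i = 0; i < scan; i++) {
        /* Mask is 0xFF for the padlen + 1 bytes that belong to the padding. */
        uint8_t in_pad = (uint8_t)~ct_lt(padlen, (uint32_t)i);
        diff |= in_pad & (uint8_t)(rec[len - 1 - i] ^ padlen);
    }
    good &= ct_is_zero8(diff);
    *strip = ((size_t)padlen + 1) & ((size_t)0 - (size_t)(good & 1));
    return good;
}

int main(void) {
    /* Constructed sample: 2 data bytes, 4-byte stand-in MAC, padlen = 3. */
    const uint8_t rec[] = {'h', 'i', 0xAA, 0xAA, 0xAA, 0xAA, 3, 3, 3, 3};
    size_t strip;
    uint8_t ok = tls_cbc_check_padding_ct(rec, sizeof rec, 4, &strip);
    printf("valid=%d strip=%zu\n", ok == 0xFF, strip);
    return 0;
}
```

The loop always reads the same trailing bytes for a given record length, so neither the running time nor the memory access pattern depends on the padding value.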

Kenny noted the importance of the virtuous cycle that sees widely used security protocols gaining a high profile in the research community, leading to more analysis and more development work to patch weaknesses as they are discovered, and ultimately stronger security protocols for everyone. Responsible disclosure practices and close collaboration with the IETF were key aspects in this instance.

Kenny’s slides are available and audio from the presentation is also available starting at 00:18:25.