Bar Mitzvah Attack

RC4 is the most popular stream cipher in the world. In fact, as of March 2015, RC4 is estimated to protect as much as 30% of SSL traffic, likely amounting to billions of TLS connections every day. Yet it suffers a critical – and long known – weakness known as the Invariance Weakness. In this paper we will revisit the Invariance Weakness – a 13-year old vulnerability of RC4 that is based on huge classes of RC4 weak keys, which was first published in the FMS paper in 2001. We will show how this vulnerability can be used to mount partial plaintext recovery attacks on SSL-protected data, when RC4 is the cipher of choice, for recovering the LSBs of as many as 100 bytes from the encrypted stream. As opposed to BEAST, POODLE, CRIME and other attacks on SSL that were published in recent years, including the Royal Holloway Attack on the usage of RC4, a new attack based upon the Invariance Weakness does not rely on aggregation of small fragments of plaintext information, but on a “hit”, a rare event that causes a significant leakage to occur. We show how this unique characteristic can be used to attack SSL in new scenarios, including the first practical attack on SSL that does not require an active Man-in-the-Middle. Furthermore, the new attack is not limited to recovery of temporal session tokens, but can be used to steal parts of permanent secret data such as account credentials and credit card numbers when delivered over HTTPS. Another variant of the attack recovers a significant part of a secret with small but non-negligible probability, even if that was transmitted only once over the SSL connection. This paper will describe the Invariance Weakness in detail, explain its impacts, and recommend some mitigating actions.