A Lucky Thirteen attack is a cryptographic timing attack against implementations of the Transport Layer Security (TLS) protocol that use the CBC mode of operation, first reported in February 2013 by its developers Nadhem J. AlFardan and Kenny Paterson of the Information Security Group at Royal Holloway, University of London.
It is a novel variant of Serge Vaudenay's padding oracle attack that was previously thought to have been fixed, that uses a timing side-channel attack against the message authentication code (MAC) check stage in the TLS algorithm to break the algorithm in a way that was not fixed by previous attempts to mitigate Vaudenay's attack.
"In this sense, the attacks do not pose a significant danger to ordinary users of TLS in their current form. However, it is a truism that attacks only get better with time, and we cannot anticipate what improvements to our attacks, or entirely new attacks, may yet be discovered." — Nadhem J. AlFardan and Kenny Paterson
The researchers only examined Free Software implementations of TLS and found all examined products to be potentially vulnerable to the attack. They have tested their attacks successfully against OpenSSL and GnuTLS. Because the researchers applied responsible disclosure and worked with the software vendors, some software updates to mitigate the attacks were available at the time of publication.
Martin R. Albrecht and Paterson have since demonstrated a variant Lucky Thirteen attack against Amazon's s2n TLS implementation, even though s2n includes countermeasures intended to prevent timing attacks.
- Dan Goodin (4 February 2013). ""Lucky Thirteen" attack snarfs cookies protected by SSL encryption". Ars Technica. Retrieved 4 February 2013. CS1 maint: discouraged parameter (link)
- Nadhem J. AlFardan and Kenneth G. Paterson (4 February 2013). "Lucky Thirteen: Breaking the TLS and DTLS Record Protocols". Royal Holloway, University of London. Retrieved 21 June 2013. CS1 maint: discouraged parameter (link) CS1 maint: uses authors parameter (link)
- Adam Langley (4 February 2013). "Lucky Thirteen attack on TLS CBC". Retrieved 4 February 2013. CS1 maint: discouraged parameter (link)
- Albrecht, Martin R.; Paterson, Kenneth G. "Lucky Microseconds: A Timing Attack on Amazon's s2n Implementation of TLS". Cryptology ePrint Archive. Retrieved 24 November 2015. CS1 maint: discouraged parameter (link)
- Time is money (in CBC ciphersuites), Nikos Mavrogiannopoulos, 5 February 2013