The Raccoon Attack - It Is All About The Timing

The Raccoon Attack - It Is All About The Timing

Two days ago, on Sep. 08, research teams from Germany and Israel published a  joint research paper describing another TLS timing attack - called Raccoon. This attack targets all TLS versions up to 1.2.

The new attack exploits a timing side-channel during the TLS handshake when the Diffie-Hellman (DH) key exchange is used to establish a shared key between the client and the server. In particular, an attacker can learn whether the first byte of the TLS pre-master secret is zero due to how the TLS specification defines the key derivation in case of the DH key exchange. With that information an attacker can mount a mathematical attack to reconstruct the entire pre-master secret.

An important note here is that this attack works because of a timing side channel introduced by the TLS specification and not by a specific implementation. However, the attack only works if the server uses static or reuses ephemeral DH keys.

To start with, this is a bad practice because it does not provide forward secrecy (PFS). Even if DH keys are reused, an attacker has to have the ability for very precise timing measurement. As a result, it is non-trivial to mount this new attack in practice.

MinIO supports TLS 1.2 and TLS 1.3. The latter does not support finite field DH but only elliptic curve DH (ECDH), and therefore, would be unaffected by this attack. Additionally, MinIO uses the Go TLS stack which is not affected by the Raccoon attack simply because it only implements DH over elliptic curves.

A big shout-out here to the Go security maintainers for picking secure defaults and not implementing legacy cryptography that is barely used and hard to get right.

But even if Go itself would be affected by Raccoon, MinIO wouldn't because we only support a short list of PFS cipher suites - each one using ECDH.

If you have any questions - please don't hesitate to reach out to us at security@min.io. Security audits are a cornerstone component of the MinIO Subscription Network. We encourage all production clients to be subscribers - it provides a commercial license while also offering deep technical support for tricky issues like this.