BEAST Attack
What is BEAST Attack?
BEAST Attack: A 2011 chosen-plaintext attack on SSL 3.0 and TLS 1.0 CBC ciphers (CVE-2011-3389) by Rizzo and Duong that recovers HTTPS cookies via a predictable IV flaw.
BEAST (Browser Exploit Against SSL/TLS) was disclosed at Ekoparty 2011 by Juliano Rizzo and Thai Duong and tracked as CVE-2011-3389. SSL 3.0 and TLS 1.0 chain CBC initialization vectors across records, so the IV of each new record is the previous ciphertext block and is predictable. By injecting chosen plaintext from a malicious iframe or applet and observing encrypted records, an attacker can run a blockwise-adaptive chosen-plaintext attack and recover HTTP cookies one byte at a time. Mitigations include TLS 1.1+ (which uses explicit per-record IVs), preferring RC4 in the short term, the 1/n-1 split, and ultimately TLS 1.2 and TLS 1.3 with AEAD ciphers.
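The IV-chaining property described above, and why an explicit per-record IV removes it, shown as an added example that is not from the original page or from Rizzo and Duong's work. The HMAC-based `E` is a stand-in for the block cipher, and the class names, function names and sample block are assumptions constructed for illustration.

```python
import hashlib, hmac, os

BLOCK = 16
KEY = os.urandom(32)            # session key, never seen by the observer
SECRET = b"sid=CONSTRUCTED!"    # constructed 16-byte sample plaintext block

def E(block):
    # Stand-in for the block cipher (assumption): a keyed PRF cut to one block.
    # Only determinism under a fixed key matters here; nothing is decrypted.
    return hmac.new(KEY, block, hashlib.sha256).digest()[:BLOCK]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def cbc_encrypt(iv, plaintext):
    """CBC-encrypt whole blocks and return the list of ciphertext blocks."""
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = E(xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return out

class ChainedIV:
    """SSL 3.0 / TLS 1.0: the next record's IV is the last ciphertext block."""
    def __init__(self):
        self.next_iv = os.urandom(BLOCK)
    def visible_iv(self):
        return self.next_iv     # already on the wire before the next record
    def send(self, plaintext):
        iv, blocks = self.next_iv, cbc_encrypt(self.next_iv, plaintext)
        self.next_iv = blocks[-1]
        return iv, blocks

class ExplicitIV:
    """TLS 1.1+: a fresh random IV is drawn when each record is sent."""
    def visible_iv(self):
        return None             # nothing to predict ahead of time
    def send(self, plaintext):
        iv = os.urandom(BLOCK)
        return iv, cbc_encrypt(iv, plaintext)

def guess_is_confirmable(layer, secret_block, guess):
    """Can ciphertext alone confirm that `guess` equals `secret_block`?"""
    iv_t, target = layer.send(secret_block)          # record holding the secret
    predicted = layer.visible_iv() or bytes(BLOCK)   # IV of the next record, if known
    _, probe = layer.send(xor(xor(guess, iv_t), predicted))
    return probe[0] == target[0]
```

With `ChainedIV` the probe block cancels the predicted IV and matches the target exactly when the guess is right; with `ExplicitIV` the unknown IV makes the comparison meaningless.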
● Examples
- 01 Recovering an authentication cookie from a TLS 1.0 banking site through a malicious Java applet.
- 02 Decrypting HTTP request headers byte-by-byte on a CBC-mode HTTPS session.
● Frequently asked questions
What is BEAST Attack?
A 2011 chosen-plaintext attack on SSL 3.0 and TLS 1.0 CBC ciphers (CVE-2011-3389) by Rizzo and Duong that recovers HTTPS cookies via a predictable IV flaw. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against BEAST Attack?
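Defences for BEAST Attack are the mitigations listed in the full definition above: TLS 1.1+ (which uses explicit per-record IVs), preferring RC4 in the short term, the 1/n-1 split, and ultimately TLS 1.2 and TLS 1.3 with AEAD ciphers.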
What are other names for BEAST Attack?
Common alternative names include: BEAST, Browser Exploit Against SSL/TLS.
● Related terms
- TLS (Transport Layer Security) (network-security): The IETF-standardized cryptographic protocol that provides confidentiality, integrity, and authentication for traffic between two networked applications.
- CRIME Attack (attacks): A 2012 side-channel attack by Rizzo and Duong that recovers HTTPS session cookies by exploiting TLS-level compression and observing ciphertext lengths.
- Lucky 13 (attacks): A 2013 TLS timing attack by AlFardan and Paterson that exploits MAC-then-encrypt CBC processing to act as a padding oracle and recover plaintext.
- Padding Oracle Attack (attacks): A cryptographic attack (Vaudenay 2002) that decrypts CBC ciphertext when a server reveals whether a tampered message has correct PKCS#7 padding.
- Session Hijacking (attacks): An attack that takes over a victim's authenticated session by stealing or forging the session identifier so the attacker can act as the user without their credentials.