Lucky 13
What is Lucky 13?
Lucky 13A 2013 TLS timing attack by AlFardan and Paterson that exploits MAC-then-encrypt CBC processing to act as a padding oracle and recover plaintext.
Lucky 13 was published in 2013 by Nadhem AlFardan and Kenny Paterson of Royal Holloway. It targets the CBC ciphersuites of SSL 3.0, TLS 1.0/1.1/1.2 and DTLS, which use MAC-then-encrypt with HMAC-SHA1. The number 13 refers to the constant bytes (TLS header plus sequence number) the MAC covers. Tiny timing differences in MAC verification, depending on padding length, reveal whether a forged ciphertext has valid padding, giving the attacker a padding oracle even without explicit error messages. With many connections, plaintext bytes such as cookies can be recovered. Mitigations: constant-time MAC implementations and AEAD ciphers (AES-GCM, ChaCha20-Poly1305) in TLS 1.2 and TLS 1.3.
● Examples
- 01
Recovering a small fraction of plaintext bytes from a TLS-CBC session via millions of forged records.
- 02
Exploiting DTLS implementations where retransmission allows even more measurements.
● Frequently asked questions
What is Lucky 13?
A 2013 TLS timing attack by AlFardan and Paterson that exploits MAC-then-encrypt CBC processing to act as a padding oracle and recover plaintext. It belongs to the Attacks & Threats category of cybersecurity.
What does Lucky 13 mean?
A 2013 TLS timing attack by AlFardan and Paterson that exploits MAC-then-encrypt CBC processing to act as a padding oracle and recover plaintext.
How does Lucky 13 work?
Lucky 13 was published in 2013 by Nadhem AlFardan and Kenny Paterson of Royal Holloway. It targets the CBC ciphersuites of SSL 3.0, TLS 1.0/1.1/1.2 and DTLS, which use MAC-then-encrypt with HMAC-SHA1. The number 13 refers to the constant bytes (TLS header plus sequence number) the MAC covers. Tiny timing differences in MAC verification, depending on padding length, reveal whether a forged ciphertext has valid padding, giving the attacker a padding oracle even without explicit error messages. With many connections, plaintext bytes such as cookies can be recovered. Mitigations: constant-time MAC implementations and AEAD ciphers (AES-GCM, ChaCha20-Poly1305) in TLS 1.2 and TLS 1.3.
How do you defend against Lucky 13?
Defences for Lucky 13 typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Lucky 13?
Common alternative names include: Lucky Thirteen, Lucky13.
● Related terms
- attacks№ 786
Padding Oracle Attack
A cryptographic attack (Vaudenay 2002) that decrypts CBC ciphertext when a server reveals whether a tampered message has correct PKCS#7 padding.
- attacks№ 089
BEAST Attack
A 2011 chosen-plaintext attack on SSL 3.0 and TLS 1.0 CBC ciphers (CVE-2011-3389) by Rizzo and Duong that recovers HTTPS cookies via a predictable IV flaw.
- attacks№ 235
CRIME Attack
A 2012 side-channel attack by Rizzo and Duong that recovers HTTPS session cookies by exploiting TLS-level compression and observing ciphertext lengths.
- network-security№ 1159
TLS (Transport Layer Security)
The IETF-standardized cryptographic protocol that provides confidentiality, integrity, and authentication for traffic between two networked applications.
- vulnerabilities№ 1038
Side-Channel Attack
An attack that recovers secrets from a system by observing physical or implementation characteristics — timing, power, electromagnetic emissions, caches, acoustic signals — rather than logical flaws.