The problem is present directly in the TLS specification and only affects connections using ciphers based on the DH key exchange protocol (Diffie-Hellman, TLS_DH_*"). With ECDH ciphers, the problem does not appear and they remain secure. Vulnerable are only TLS protocols up to version 1.2 inclusive, TLS 1.3 protocol is not affected by the problem. The vulnerability manifests itself in TLS implementations that reuse the DH secret key in different TLS connections (this behavior is observed on approximately 4.4% of servers from the Alexa Top 1M rating).
In OpenSSL 1.0.2e and earlier, the DH primary key is reused in all server connections unless the SSL_OP_SINGLE_DH_USE option is explicitly set. Starting with OpenSSL 1.0.2f, the DH primary key is only reused when using static DH ciphers ("DH-*", e.g. "DH-RSA-AES256-SHA"). In OpenSSL 1.1.1, the vulnerability does not manifest itself, since this branch does not use the DH primary key and does not use static DH ciphers.
When using the DH key exchange method, both sides of the connection generate random private keys (hereinafter key "a" and key "b"), based on which public keys (ga mod p and gb mod p) are calculated and sent. After receiving the public keys, each party calculates a common primary key (gab mod p), which is used to form session keys. The Raccoon attack allows you to determine the primary key through the analysis of information through third-party channels, starting from the fact that in the TLS specifications up to version 1.2 it is prescribed to discard all leading zero bytes of the primary key before calculations with its participation.
Including the truncated primary key is passed to the session key generation function, based on hash functions with different delays when processing different data. Precise timing of key operations performed by the server allows the attacker to determine hints (oracle) that make it possible to judge whether the primary key starts from zero or not. For example, an attacker can intercept the public key (ga) sent by the client, resend it to the server, and determine
whether the resulting primary key starts at zero.
By itself, the definition of one byte of the key does not give anything, but by intercepting the βgaβ value transmitted by the client when negotiating the connection, the attacker can form a set of other values ββ\uXNUMXb\uXNUMXbrelated to βgaβ and send them to the server in separate connection negotiation sessions. By generating and sending the "gri*ga" values, the attacker can, through analysis of the change in delays in the server response, determine the values ββthat lead to the receipt of primary keys starting from zero. Having determined such values, the attacker can make a set of equations for
Vulnerabilities in OpenSSL
Separately, additional problems are noted (
Source: opennet.ru