# Security This Week: Racoons In My TLS, Bypassing Frontends, And Obscurity

Raccoon is the next flashy security flaw with a name, cute logo, and a website (and a PDF). Raccoon is a flaw in TLS version prior to 1.3, and seems to be a clever bit of work, albeit one with limited real-world application. The central problem is that these older versions of TLS, when using Diffie Hellman (DH), drop leading all-zero bytes in the resulting pre-master key. As that key is part of the input for calculating the master session key, a shortened pre-master key results in a slightly faster calculation of the master key. If an attacker can make fine-grained timing measurements, he can determine when the pre-master key is trimmed.

Let’s review Diffie Hellman, briefly. The client and server agree on two numeric values, a base `g` and modulus `p`, and each party generates a secret key, `a` and `b`. Each party calculates a public key by raising the shared base to their own private key, mod the shared modulus: `A = g^a mod p`. These public keys are exchanged, and each party raises the received key to their own secret key: `A^b`. Exponents have a non-obvious quirk, the power rule. A value raised to a power raised to a power is the same as the value raised to the power of the exponents multiplied together. `g^a^b` is equal to `g^(a*b)`. By going through this mathematical dance, the server and client have arrived at a shared value that only they know, while preserving the secrecy of their private keys. Continue reading “Security This Week: Racoons In My TLS, Bypassing Frontends, And Obscurity”

# Are You Smarter Than A Raccoon?

[Ben] has a raccoon problem. It seems that it’s not uncommon for him to come face-to-face with a pesky raccoon in the middle of the night, in his living room. We think most people would solve the problem by preventing the raccoon from entering the home. But [Ben] just seems hell-bent on catching him. Most recently he’s added motion-sensing to a live trap which he installed…. in his living room.

So [Ben] has cat’s which that to roam at night. They have free range thanks to a cat door which the hungry pest has been exploiting. Apparently the masked robber has a taste for cat food and that’s what keeps him coming back. [Ben] has been using the cat dish as bait but up to this point the live trap hasn’t worked. You see the raccoon isn’t going inside to get the food, but reaches through the cage and pulls pieces out one at a time. The solution is to put up a solid surface around the cage, and hope that the motion sensor will get him this time. Although we’ve linked the most recent post above, you’ll want to page through his blog for the whole story.

Wouldn’t it be better to install some kind of automatic lock that only lets in the kitty?