A Perfect CRIME? TIME Will Tell. Tal Be ery, Web research TL



Similar documents
Secure HTTP

Vulnerabilità dei protocolli SSL/TLS

Security Protocols/Standards

SSL BEST PRACTICES OVERVIEW

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

Chapter 17. Transport-Level Security

SSL/TLS: The Ugly Truth

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Identifying and Exploiting Padding Oracles. Brian Holyfield Gotham Digital Science

Implementation Vulnerabilities in SSL/TLS

Lab Exercise SSL/TLS. Objective. Requirements. Step 1: Capture a Trace

Is Your SSL Website and Mobile App Really Secure?

SSL GOOD PRACTICE GUIDE

Three attacks in SSL protocol and their solutions

Web Security Considerations

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Internet Banking System Web Application Penetration Test Report

HTTPS: Transport-Layer Security (TLS), aka Secure Sockets Layer (SSL)

Web Application Guidelines

SiteCelerate white paper

HTTPS is Fast and Hassle-free with CloudFlare

Transport Layer Security Protocols

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

best practices for encryption in android

RIA SECURITY TECHNOLOGY

Protection, Usability and Improvements in Reflected XSS Filters

Cyber Security Workshop Ethical Web Hacking

QUIC. Quick UDP Internet Connections. Multiplexed Stream Transport over UDP. IETF-88 TSV Area Presentation

Web Application Security Assessment and Vulnerability Mitigation Tests

Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day. SSL Certificate - Subject Common Name Does Not Match Server FQDN

The Secure Sockets Layer (SSL)

Chapter 7 Transport-Level Security

Transport Level Security

Message Authentication Code

CS514: Intermediate Course in Computer Systems

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

Criteria for web application security check. Version

SSL GOOD PRACTICE GUIDE

Communication Systems SSL

On the Use of Compression Algorithms for Network Traffic Classification

Breaking the Myths of Extended Validation SSL Certificates

Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi

Storage Optimization in Cloud Environment using Compression Algorithm

First Semester Examinations 2011/12 INTERNET PRINCIPLES

Lecture 9 - Network Security TDTS (ht1)

Attacking SSL when using RC4

SSL and Browsers: The Pillars of Broken Security

Semantic based Web Application Firewall (SWAF V 1.6) Operations and User Manual. Document Version 1.0

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

, ) I Transport Layer Security

Client Server Registration Protocol

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

Web Security. Mahalingam Ramkumar

Whitepaper : Using Unsniff Network Analyzer to analyze SSL / TLS

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

Einführung in SSL mit Wireshark

PHP Magic Tricks: Type Juggling. PHP Magic Tricks: Type Juggling

Authenticated encryption

Outline. Transport Layer Security (TLS) Security Protocols (bmevihim132)

Topics in Network Security

Network Security Essentials Chapter 5

Maximizing Performance with SPDY & SSL. Billy Hoffman

Wireless Networks. Welcome to Wireless

CrashPlan Security SECURITY CONTEXT TECHNOLOGY

University of Wisconsin Platteville SE411. Senior Seminar. Web System Attacks. Maxwell Friederichs. April 18, 2013

Information Security

CS5008: Internet Computing

Differences Between SSLv2, SSLv3, and TLS

HTTP connections can use transport-layer security (SSL or its successor, TLS) to provide data integrity

DNS REBINDING DENIS BARANOV, POSITIVE TECHNOLOGIES

Configuring SSL Termination

Security Testing with Selenium

HTTP/2: Operable and Performant. Mark

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

elearning for Secure Application Development

Breaking the Security Myths of Extended Validation SSL Certificates

Universal XSS via IE8s XSS Filters

Chapter 1 Web Application (In)security 1

Internet Firewall CSIS Packet Filtering. Internet Firewall. Examples. Spring 2011 CSIS net15 1. Routers can implement packet filtering

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

As enterprises conduct more and more

WHITE PAPER. FortiWeb and the OWASP Top 10 Mitigating the most dangerous application security threats

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

What is Web Security? Motivation

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli

CS Computer Security Third topic: Crypto Support Sys

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO TABLE OF CONTENTS

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

CS Final Exam

Information Supplement: Requirement 6.6 Code Reviews and Application Firewalls Clarified

Implementation of Web Application Firewall

Web Security (SSL) Tecniche di Sicurezza dei Sistemi 1

Transcription:

A Perfect CRIME? TIME Will Tell Tal Be ery, Web research TL

Agenda BEAST + Modes of operation CRIME + Gzip compression + Compression + encryption leak data TIME + Timing + compression leak data Attacking responses 2

BEAST - -

BEAST Rizzo and Duong - 2011 Browser Exploit Against SSL/TLS (BEAST) Chosen Plaintext Attack Targets deterministic Initialization Vectors of Cipher- Block Chaining (CBC) 4

Chosen Plaintext Attack Model A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which presumes that the attacker has the capability to choose arbitrary plaintexts to be encrypted and obtain the corresponding ciphertexts. ENC(XX) 5

CPA and the web Attacker is Eavesdropper can see ciphered text Attacker creates HTTP request interactively (via script) + Full control (almost): URL + Can predict: Most headers + Does not control or see: cookies Encrypted on wire Not accessible from script Same Origin Policy HTTP only 6

Modes of operation procedure of enabling the repeated and secure use of a block cipher under a single key 7

Modes of operation - CBC Previous block encryption result is fed as an IV to the next block Encryption becomes Stateful 8

C n+1 P n+1 CBC Oracle Attacker can verify a guess of any plaintext block 9 C i C i 1 i P n P C n ) ( ) ( ) ( ~ 1 ~ 1 1 1 ~ 1 1 i i n i i n n n n i i n n P C Enc C P C C Enc C P Enc C P C C P = = = = + + + i n i i i i i n i i C C P P C P C Enc C P P = = = + + 1 ~ 1 1 ~ ) (

Using the CBC oracle to decrypt the Cookie Attacker knows in which block the cookie resides Attacker controls the block contents so she can guess only one byte at a time and verify with the oracle + 256 guesses on worst case Repeat the process to discover all bytes in Cookie 10

Practical issues HTTP requests are not a good vehicle for BEAST: + New requests may cause new SSL connection + First bytes are fixed: GET /POST /, etc. + URL cannot be arbitrary: Only some characters are allowed The attacker needs a real bi-directional connection + Web sockets, Java, Silverlight + All of these technologies respect SOP So to exploit, extra vulnerbaility is needed: + SOP bug in the implementation + XSS in victim site NOT PRACTICAL 11

And yet... 12

Mitigations TLS 1.1 mitigates + Explicit IV + Not widely adopted Some advise to switch to SSL with stream ciphers + RC4 13

CRIME - -

CRIME Rizzo and Duong 2012 Compression Ratio Info-leak Made Easy (CRIME) Chosen Plaintext Attack Targets compression information leakage 15

Compression LZ algorithms Lempel Ziv, late 70s Compress repeating strings + Lossless + Asymptotically optimal + No overhead (No extra dictionary) 16

LZ Compression Example 001:001 In the beginning God created<25, 5>heaven an<14, 6>earth. 0<63, 5>2 A<23, 12> was without form,<55, 5>void;<9, 5>darkness<40, 4> <0, 7>upo<132, 6>face of<11, 5>deep.<93, 9>Spirit<27, 4><158, 4>mov<156, 3><54, 4><67, 9><62, 16>w<191, 3>rs 17

Huffman code David Huffman - 1952 Assign shorter codes (in bits) for frequent letters Note - Prefix code is a must! + Since we cannot rely on length to parse 18

Compression & Encryption 19

Compression & Encryption 20

Compression on the web Content compression + GZIP on response + On request body (Uncommon) Header compression + SSL/TLS Compression + SPDY Servers: Open SSL, others Clients: Chrome Servers: Apache MOD_SSL, others Clients: All but IE 21

Compression leaks data Again + Use the URL attacker controls + Guess byte by byte + Verify with an oracle If we had guessed correctly then packet size will be shorter 22

CRIME in a slide 23 oung & Rizzo original presentation https://docs.google.com/presentation/d/11ebmgihbychr9gl5ndyzchu_-lca2gizeuofalu2hou/present#slide=id.g1d134dff_1_157

Practical issues HTTP requests are a good vehicle for CRIME: + New requests over SPDY use the same SSL connection and compression context + The controlled part is location tolerant + The controlled part can express needed alphabet Some issues with Huffman coding + Some chars representation < 1 byte + Good guess might get unnoticed Solutions + Mostly tricks to make GZIP compress with not so aggressive Huffman coding 24

Impact Actual impact + SPDY implementations cancel/modify header compression + Chrome disabled SSL compression PR Impact + Much less than BEAST + The boy who cried BEAST syndrome 25

TIME - -

TIME Imperva 2013 Timing Info-leak Made Easy (TIME) Chosen Plaintext Attack Targets compression and timing information leakage 27

Attack Model Attacker has the capability to choose arbitrary plaintexts to be compressed and obtain timing observations on their traffic Attacker is no longer an Eavesdropper - attack might be useful against plaintext too! F(Comp(XX)) 28

Timing oracle Client send a window of TCP packets Waits RTT for ACK to send another RTT time is noticeable attacker can easily distinguish + Size(request) <= window + Size(request) > window If payload length is exactly on data boundary, attacker can determine 1 byte differences 29 http://ulam2.cs.luc.edu/ebook/chap03.html

HTTP Request s Time Measurements Create HTTP request with XHR + XHR adheres to SOP + Allows GET requests to flow If headers allow show response If not, abort + We don t care for the response + Timing leaks the request size Use gettime() on XHR events + onreadystatechange Noise elimination + Repeat the process (say 10 times) and obtain Minimal time 30

Compression leaks data Again + Use the URL attacker controls + Guess byte by byte + Verify with an oracle If we had guessed correctly: packet size will be shorter and so will the time 31

RTT Gap in the wild Sent with Chrome Sends 2 packets and wait If you need to send 3 packets pay extra RTT 32

RTT Gap in the wild implementing the Oracle HTML with Javascript Sending method is XHR Testing cnn.com Timing can be correctly captured Results are conclusive Script results 33

Attacking responses - -

Attacking response Detecting size remains the same Generating requests remains the same Main change + Attacker can only control the response indirectly + For example with the search functionality 35

Attack PoC 36

Attack PoC demo 37

HTTP Response Time Measurements Create HTTP request with iframe + iframe adhere to SOP + Doesn t allow parent to access the response content + Timing leaks the response size Use gettime() on iframe events + onload + Onreadystatechange (IE) Noise elimination as before 38

HTTP Response Time Measurements 39

Candidate? Get the Twitter username of a logged in user 40

Candidate? 41

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information