#20869: Prevent repetitive output to counter BREACH-type attacks
-------------------------------+--------------------------------------
Reporter: patrys | Owner: nobody
Type: Uncategorized | Status: new
Component: contrib.csrf | Version: 1.5
Severity: Normal | Resolution:
Keywords: | Triage Stage: Unreviewed
Has patch: 0 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------------------------
Comment (by patrys):
What do you mean by slow? To use compression as an approach vector you
need to know the prefix of the string you're targeting. If it's truly
random then there is no way to predict a prefix long enough to make the
attack feasible.
Let's assume that P is the prefix and S is the salt. The proposed solution
suggests:
P₁ + P₂ + … + (S₁ XOR P₁) + (S₂ XOR P₂) + …
If I can predict P then I have already defeated the countermeasure and can
continue the BREACH. Assuming a guess of G I can use:
P₁ + P₂ + … + (G₁ XOR P₁) + (G₂ XOR P₂) + …
The XOR part does not make the attack any more complicated.
--
Ticket URL: <https://code.djangoproject.com/ticket/20869#comment:5>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
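To make the length-oracle argument in the comment above measurable, the following is an added example (not code from the ticket, from patrys, or from Django). It renders a constructed page that carries a hypothetical secret next to an echoed request value, compresses it with zlib as a stand-in for HTTP response compression, and checks whether the compressed size differs between a guess that matches the secret's prefix and a guess that does not. The plain case emits the secret verbatim; the masked case emits `mask || (mask XOR secret)`, the XOR form the ticket discusses, with the mask supplied by the caller so that it can be fresh random bytes per response. The page template, the secret value, the mask and both guesses are constructed for the example.

```python
import os
import zlib

# Constructed sample secret standing in for a CSRF token (hypothetical value).
SECRET = bytes.fromhex("c7f0a2b9d41e5f86")

# Constructed page template: a hidden CSRF field plus an input whose value
# echoes a request parameter, i.e. attacker-influenced text next to the secret.
PAGE = (
    "<html><body>\n"
    '<form method="post"><input type="hidden" name="csrfmiddlewaretoken" value="{token}">\n'
    '<input type="text" name="q" value="{reflected}"></form>\n'
    "</body></html>\n"
)


def mask_secret(secret: bytes, mask: bytes) -> bytes:
    """Return mask || (mask XOR secret), the XOR form discussed in the ticket.

    The caller supplies the mask; it has to be fresh random bytes for every
    response, otherwise the output is just as repetitive as the plain secret."""
    if len(mask) != len(secret):
        raise ValueError("mask and secret must have the same length")
    return mask + bytes(m ^ s for m, s in zip(mask, secret))


def render(token: bytes, reflected: str) -> bytes:
    """Render the page with the token hex-encoded and the echoed text inserted."""
    return PAGE.format(token=token.hex(), reflected=reflected).encode()


def compressed_size(body: bytes) -> int:
    """Size of the body after deflate compression (what the network would carry)."""
    return len(zlib.compress(body))


def length_leak(token: bytes, right_guess: str, wrong_guess: str) -> int:
    """Compressed-size difference between a wrong and a right prefix guess.

    A positive result means the response got shorter when the echoed text
    matched the secret's prefix: the compressed length leaks information."""
    return (compressed_size(render(token, wrong_guess))
            - compressed_size(render(token, right_guess)))


# The two guesses are permutations of each other, so they cost the same as
# literals; any size difference can only come from back-references.
RIGHT_GUESS = SECRET.hex()[:8]   # "c7f0a2b9": true prefix of the secret
WRONG_GUESS = "b92a0fc7"         # same characters, wrong order


def leak_plain() -> int:
    """Secret emitted verbatim on every response."""
    return length_leak(SECRET, RIGHT_GUESS, WRONG_GUESS)


def leak_masked(mask: bytes) -> int:
    """Secret emitted as mask || (mask XOR secret) using the given mask."""
    return length_leak(mask_secret(SECRET, mask), RIGHT_GUESS, WRONG_GUESS)


if __name__ == "__main__":
    print("plain token, leak in bytes: ", leak_plain())
    print("masked token, leak in bytes:", leak_masked(os.urandom(len(SECRET))))
```

With the plain token the right guess extends an existing back-reference over the secret and the response shrinks by several bytes, which is the signal the comment calls the attacker's prefix requirement. With a fresh random mask the secret's own bytes never appear in the output, so a guess at the secret's prefix finds nothing to match and the difference sits at zero. Whether the attacker could instead predict the mask (the P in the comment's formula) is exactly the point under discussion; this check only shows what happens when the mask is unpredictable.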