[cryptography] Compression Attack on SSL

[Tom Ritter]

This comes from the same school of Attacker controlled requests
inside of an SSL tunnel to reveal some other portion of the data going
over SSL style attacks, BEAST being the other big example.  Many
people (including me) *think* this is the new CRIME attack Thai and
Juliano have announced [0].

The short of it is: by sending guesses of what you think a session
cookie is, you can observe how the data compresses if you can observe
packet sizes.  Guess all 16-64 possible characters, the single
character that compressed the smallest was the correct guess.  Move to
the next.  I've confirmed (outside of SSL) that this theory does work
in practice and allows you to guess out a portion of a message (the
cookie in this case).  Porting it to SSL using RC4 should be easy (no
padding); for AES it would be trickier because of the block padding,
but if you line it up to a boundary I'm sure it's possible.

Thomas Pornin has a good writeup here:
http://security.stackexchange.com/a/19914  And some circumstantial
evidence that this is CRIME is this commit to chrome[1] by the right
person, the fact that Tor is not vulnerable to the attack[2] (it
chunks data into 512 byte blocks), the hints given that it affects all
versions of TLS and the global warming comment, and the fact that
CRIME begins with a C for Compression ;)

I have a few random unanswered questions:
 - When did FF disable this? I went looking in the diffs but couldn't find it =/
 - Is there any way to fix this without just wholesale disabling compression?
 - Does this have implications to SPDY? (Which also compresses)

-tom

[0] http://www.ekoparty.org//2012/thai-duong.php
[1] https://chromiumcodereview.appspot.com/10825183
[2] https://twitter.com/nickm_tor/status/243460419501559808
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] Compression Attack on SSL

[Matthew Green]

Or if you want a more formal analysis (from 2002), see this paper by Kelsey. 
Particularly sections 5  6:

http://www.iacr.org/cryptodb/data/paper.php?pubkey=3091

The real question is: how many sites actually support TLS compression? How much 
practical impact does CRIME really have?

Matt

On Sep 11, 2012, at 10:53 AM, Tom Ritter t...@ritter.vg wrote:

 This comes from the same school of Attacker controlled requests
 inside of an SSL tunnel to reveal some other portion of the data going
 over SSL style attacks, BEAST being the other big example.  Many
 people (including me) *think* this is the new CRIME attack Thai and
 Juliano have announced [0].
 
 The short of it is: by sending guesses of what you think a session
 cookie is, you can observe how the data compresses if you can observe
 packet sizes.  Guess all 16-64 possible characters, the single
 character that compressed the smallest was the correct guess.  Move to
 the next.  I've confirmed (outside of SSL) that this theory does work
 in practice and allows you to guess out a portion of a message (the
 cookie in this case).  Porting it to SSL using RC4 should be easy (no
 padding); for AES it would be trickier because of the block padding,
 but if you line it up to a boundary I'm sure it's possible.
 
 Thomas Pornin has a good writeup here:
 http://security.stackexchange.com/a/19914  And some circumstantial
 evidence that this is CRIME is this commit to chrome[1] by the right
 person, the fact that Tor is not vulnerable to the attack[2] (it
 chunks data into 512 byte blocks), the hints given that it affects all
 versions of TLS and the global warming comment, and the fact that
 CRIME begins with a C for Compression ;)
 
 I have a few random unanswered questions:
 - When did FF disable this? I went looking in the diffs but couldn't find it 
 =/
 - Is there any way to fix this without just wholesale disabling compression?
 - Does this have implications to SPDY? (Which also compresses)
 
 -tom
 
 [0] http://www.ekoparty.org//2012/thai-duong.php
 [1] https://chromiumcodereview.appspot.com/10825183
 [2] https://twitter.com/nickm_tor/status/243460419501559808
 ___
 cryptography mailing list
 cryptography@randombit.net
 http://lists.randombit.net/mailman/listinfo/cryptography

___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography