a perfect crime time will tell
play

A Perfect CRIME? TIME Will Tell Tal Beery, Web research TL Agenda - PowerPoint PPT Presentation

Apr 05, 2023 •15 likes •425 views

A Perfect CRIME? TIME Will Tell Tal Beery, Web research TL Agenda BEAST + Modes of operation CRIME + Gzip compression + Compression + encryption leak data TIME + Timing + compression leak data Attacking responses 2

  1. A Perfect CRIME? TIME Will Tell Tal Be’ery, Web research TL

  2. Agenda § BEAST + Modes of operation § CRIME + Gzip compression + Compression + encryption leak data § TIME + Timing + compression leak data § Attacking responses 2 CONFIDENTIAL

  3. BEAST - CONFIDENTIAL - CONFIDENTIAL

  4. BEAST § Rizzo and Duong - 2011 § Browser Exploit Against SSL/TLS (BEAST) § Chosen Plaintext Attack § Targets deterministic Initialization Vectors of Cipher- Block Chaining (CBC) 4 CONFIDENTIAL

  5. Chosen Plaintext Attack Model § A chosen-plaintext attack (CPA) is an attack model for cryptanalysis which presumes that the attacker has the capability to choose arbitrary plaintexts to be encrypted and obtain the corresponding ciphertexts. ENC(XX) 5 CONFIDENTIAL

  6. CPA and the web § Attacker is Eavesdropper – can see ciphered text § Attacker creates HTTP request interactively (via script) + Full control (almost): URL + Can predict: Most headers + Does not control or see: cookies – Encrypted on wire – Not accessible from script • Same Origin Policy • “HTTP only” 6 CONFIDENTIAL

  7. Modes of operation § procedure of enabling the repeated and secure use of a block cipher under a single key 7 CONFIDENTIAL

  8. Modes of operation - CBC § Previous block encryption result is fed as an IV to the next block § Encryption becomes “Stateful” 8 CONFIDENTIAL

  9. CBC Oracle § Attacker can verify a guess of any plaintext block P P P i n n 1 + C i 1 − C C C i n n 1 + ~ P C C P = ⊕ ⊕ i n 1 n i 1 + − ~ ~ C Enc ( P C ) Enc ( C C P C ) Enc ( C P ) = ⊕ = ⊕ ⊕ ⊕ = ⊕ i i n 1 n 1 n n i 1 n i 1 + + − − ~ P P C Enc ( C P ) C = ⇒ = ⊕ = i i n 1 i 1 i i + − ~ P P C C ≠ ⇒ ≠ i 9 i n 1 i + CONFIDENTIAL

  10. Using the CBC oracle to decrypt the Cookie § Attacker knows in which block the cookie resides § Attacker controls the block contents so she can guess only one byte at a time and verify with the oracle + 256 guesses on worst case § Repeat the process to discover all bytes in Cookie 10 CONFIDENTIAL

  11. Practical issues § HTTP requests are not a good vehicle for BEAST: + New requests may cause new SSL connection + First bytes are fixed: GET /POST /, etc. + URL cannot be arbitrary: Only some characters are allowed NOT § The attacker needs a real bi-directional connection PRACTICAL + Web sockets, Java, Silverlight + All of these technologies respect SOP § So to exploit, extra vulnerbaility is needed: + SOP bug in the implementation + XSS in victim site 11 CONFIDENTIAL

  12. And yet... 12 CONFIDENTIAL

  13. Mitigations § TLS 1.1 mitigates + Explicit IV + Not widely adopted § Some advise to switch to SSL with stream ciphers + RC4 13 CONFIDENTIAL

  14. CRIME - CONFIDENTIAL - CONFIDENTIAL

  15. CRIME § Rizzo and Duong – 2012 § Compression Ratio Info-leak Made Easy (CRIME) § Chosen Plaintext Attack § Targets compression information leakage 15 CONFIDENTIAL

  16. Compression – LZ algorithms § Lempel Ziv, late 70s § Compress repeating strings + Lossless + Asymptotically optimal + No overhead (No extra dictionary) 16 CONFIDENTIAL

  17. LZ Compression – Example § 001:001 In the beginning God created<25, 5>heaven an<14, 6>earth. 0<63, 5>2 A<23, 12> was without form,<55, 5>void;<9, 5>darkness<40, 4> <0, 7>upo<132, 6>face of<11, 5>deep.<93, 9>Spirit<27, 4><158, 4>mov<156, 3><54, 4><67, 9><62, 16>w<191, 3>rs 17 CONFIDENTIAL

  18. Huffman code § David Huffman - 1952 § Assign shorter codes (in bits) for frequent letters § Note - Prefix code is a must! + Since we cannot rely on length to parse 18 CONFIDENTIAL

  19. Compression & Encryption 19 CONFIDENTIAL

  20. Compression & Encryption 20 CONFIDENTIAL

  21. Compression on the web § Content compression + GZIP on response + On request body (Uncommon) § Header compression + SSL/TLS Compression – Servers: Open SSL, others – Clients: Chrome + SPDY – Servers: Apache MOD_SSL, others – Clients: All but IE 21 CONFIDENTIAL

  22. Compression leaks data § Again + Use the URL attacker controls + Guess byte by byte + Verify with an oracle – If we had guessed correctly then packet size will be shorter 22 CONFIDENTIAL

  23. CRIME in a slide oung & Rizzo original presentation 23 https://docs.google.com/presentation/d/11eBmGiHbYcHR9gL5nDyZChu_-lCa2GizeuOfaLU2HOU/present#slide=id.g1d134dff_1_157 CONFIDENTIAL

  24. Practical issues § HTTP requests are a good vehicle for CRIME: + New requests over SPDY use the same SSL connection and compression context + The controlled part is “location tolerant” + The controlled part can express needed alphabet § Some issues with Huffman coding + Some chars representation < 1 byte + Good guess might get unnoticed § Solutions + Mostly tricks to make GZIP compress with not so aggressive Huffman coding 24 CONFIDENTIAL

  25. Impact § Actual impact + SPDY implementations cancel/modify header compression + Chrome disabled SSL compression § PR Impact + Much less than BEAST + The boy who cried BEAST syndrome 25 CONFIDENTIAL

  26. TIME - CONFIDENTIAL - CONFIDENTIAL

  27. TIME § Imperva – 2013 § Timing Info-leak Made Easy (TIME) § Chosen Plaintext Attack § Targets compression and timing information leakage 27 CONFIDENTIAL

  28. Attack Model § Attacker has the capability to choose arbitrary plaintexts to be compressed and obtain timing observations on their traffic § Attacker is no longer an Eavesdropper - attack might be useful against plaintext too! F(Comp(XX)) 28 CONFIDENTIAL

  29. Timing oracle § Client send a window of TCP packets § Waits RTT for ACK to send another § RTT time is noticeable § attacker can easily distinguish + Size(request) <= window + Size(request) > window § If payload length is exactly on data boundary, attacker can determine 1 byte differences 29 http://ulam2.cs.luc.edu/ebook/chap03.html CONFIDENTIAL

  30. HTTP Request’s Time Measurements § Create HTTP request with XHR + XHR adheres to SOP + Allows GET requests to flow – If headers allow show response – If not, abort + We don’t care for the response + Timing leaks the request size § Use getTime() on XHR events + onreadystatechange § Noise elimination + Repeat the process (say 10 times) and obtain Minimal time 30 CONFIDENTIAL

  31. Compression leaks data § Again + Use the URL attacker controls + Guess byte by byte + Verify with an oracle – If we had guessed correctly: packet size will be shorter and so will the time 31 CONFIDENTIAL

  32. RTT Gap in the wild § Sent with Chrome § Sends 2 packets and wait § If you need to send 3 packets – pay extra RTT 32 CONFIDENTIAL

  33. RTT Gap in the wild – implementing the Oracle § HTML with Javascript Sending method is XHR § Testing cnn.com § Timing can be correctly captured § Results are conclusive Script results 33 CONFIDENTIAL

  34. Attacking responses - CONFIDENTIAL - CONFIDENTIAL

  35. Attacking response § Detecting size – remains the same § Generating requests – remains the same § Main change + Attacker can only control the response indirectly + For example with the search functionality 35 CONFIDENTIAL

  36. Attack PoC 36 CONFIDENTIAL

  37. Attack PoC demo 37 CONFIDENTIAL

  38. HTTP Response Time Measurements § Create HTTP request with iframe + iframe adhere to SOP + Doesn’t allow parent to access the response content + Timing leaks the response size § Use getTime() on iframe events + onLoad + Onreadystatechange (IE) § Noise elimination – as before 38 CONFIDENTIAL

  39. HTTP Response Time Measurements 39 CONFIDENTIAL

  40. Candidate? § Get the Twitter username of a logged in user 40 CONFIDENTIAL

  41. Candidate? 41 CONFIDENTIAL

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

LABOR &amp; MANAGEMENT NAVIGATE CHANGE IN WHY A PERFECT STORM? A PERFECT TIME FOR CHANGE

LABOR &amp; MANAGEMENT NAVIGATE CHANGE IN WHY A PERFECT STORM? A PERFECT TIME FOR CHANGE

LABOR &amp; MANAGEMENT NAVIGATE CHANGE IN WHY A PERFECT STORM? A PERFECT TIME FOR CHANGE STRONG HAND ON THE WHEEL IS EXPECTED CHANGE OF COURSE IS MANDATORY RESISTANCE TO CHANGE IS AT ITS LOWEST THE GREATEST LEADERSHIP TEST IN A

702 views • 38 slides
I W A K p r e s e n t a t i o n WHAT IS CRIME ? A crime is an illegal act for which someone

I W A K p r e s e n t a t i o n WHAT IS CRIME ? A crime is an illegal act for which someone

MKAN PRESENTS I W A K p r e s e n t a t i o n WHAT IS CRIME ? A crime is an illegal act for which someone can be punished by the government; especially a gross violation of law . Crime constitutes a major threat to the 60% national security

880 views • 34 slides
What is Cyber Crime? Cyber Enabled Crime Cyber Dependant Crime Traditional crime that is

What is Cyber Crime? Cyber Enabled Crime Cyber Dependant Crime Traditional crime that is

R egional C yber C rime U nit DC Louise Gibson Prepare, Prevent &amp; Protect What is Cyber Crime? Cyber Enabled Crime Cyber Dependant Crime Traditional crime that is enhanced in scale or Crimes that can only be committed solely reach by use

316 views • 9 slides
Speaking with Impact Issues 2 and Conversation Strategies Crime Crime . . . . . . . . .

Speaking with Impact Issues 2 and Conversation Strategies Crime Crime . . . . . . . . .

. Crime movies . . . . . . . . . Textbook Crime songs Punishment . Crime vocabulary I Cloze I Crime vocabulary II Cloze II and III Crime Exam Week 5 Criminal cases Death penalty The end Speaking with Impact Issues 2 and

1.66k views • 140 slides
SSL, GONE IN 30 SECONDS b r e a c h A BREACH beyond CRIME SSL, GONE IN 30 SECONDS AGENDA

SSL, GONE IN 30 SECONDS b r e a c h A BREACH beyond CRIME SSL, GONE IN 30 SECONDS AGENDA

Angelo Prado Neal Harris Yoel Gluck SSL, GONE IN 30 SECONDS b r e a c h A BREACH beyond CRIME SSL, GONE IN 30 SECONDS AGENDA Proceed with caution: Review of CRIME Introducing BREACH In the weeds Demo time! Mitigations b r e a c h SSL,

526 views • 40 slides
Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M

Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M

Defining Encryption (ctd.) Lecture 3 SIM &amp; IND security Beyond One-Time: CPA security Computational Indistinguishability Recall Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M {Enc(m,K)} K KeyGen

619 views • 20 slides
Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M

Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M

Defining Encryption (ctd.) Lecture 3 SIM &amp; IND security Beyond One-Time: CPA security Computational Indistinguishability Recall Onetime Encryption Perfect Secrecy Perfect secrecy : m, m M K 0 1 2 3 M {Enc(m,K)} K KeyGen

1.45k views • 98 slides
Cyb e r Crime Wha t is it? Ho w do e s it o c c ur? Ho w c a n we pre ve nt it? Wha t if it

Cyb e r Crime Wha t is it? Ho w do e s it o c c ur? Ho w c a n we pre ve nt it? Wha t if it

Cyb e r Crime Wha t is it? Ho w do e s it o c c ur? Ho w c a n we pre ve nt it? Wha t if it ha ppe ns? Cyb e r Crime : T ho ug ht Pro vo king Sta tistic s I n the Ye a r 2020: 5 Billio n Pe o ple will b e Online 50

394 views • 13 slides
1H18 Results Presentation 29 January 2018 perfect parts and tools, on time, every time Business

1H18 Results Presentation 29 January 2018 perfect parts and tools, on time, every time Business

1H18 Results Presentation 29 January 2018 perfect parts and tools, on time, every time Business &amp; Industry Chris Borch, CEO Low Ming Wah, COO 2 Micro-Mechanics 1H18 Results Presentation Corporate Overview Founded in 1983 in Singapore

352 views • 22 slides
Geoff Cannon Community Safety Sgt. Beth Shire Crime Reduction Advisor DOORSTEP CRIME CRIME

Geoff Cannon Community Safety Sgt. Beth Shire Crime Reduction Advisor DOORSTEP CRIME CRIME

Geoff Cannon Community Safety Sgt. Beth Shire Crime Reduction Advisor DOORSTEP CRIME CRIME REDUCTION METHODS EXTRACTS FROM THE POLICE DISTRACTION BURGLARY PROBLEM PROFILE PRODUCED JULY 2008 For the last three years Bath sector has

199 views • 17 slides
Knife Crime Knife Crime This lesson deal with the issue of knife crime in modern Britain. Read

Knife Crime Knife Crime This lesson deal with the issue of knife crime in modern Britain. Read

Knife Crime Knife Crime This lesson deal with the issue of knife crime in modern Britain. Read through the PPT and answer the questions on the last slide. Knife Crime in the UK Knife crime is a particularly big issue in the news at the moment

492 views • 15 slides
We are not a perfect church We are not a perfect people We are here because we know we need

We are not a perfect church We are not a perfect people We are here because we know we need

We are not a perfect church We are not a perfect people We are here because we know we need Gods help and He has provided this help through Jesus Christ our Lord! CFF Exists to Know Christ and to Make Him Known! Prayer for all

322 views • 16 slides
Characterization for perfect matchings Often we are interested in perfect matchings. X Y 1 5

Characterization for perfect matchings Often we are interested in perfect matchings. X Y 1 5

15-251 Great Ideas in Theoretical Computer Science Lecture 14: Graphs IV: Stable Matchings October 12th, 2017 Halls Theorem Characterization for perfect matchings Often we are interested in perfect matchings. X Y 1 5 2 6 3 7 4

285 views • 10 slides
* Background T RANSPOR T POLICE 11 years of crime reduction Variation in crime allocation

* Background T RANSPOR T POLICE 11 years of crime reduction Variation in crime allocation

~ ;. BRITISh * Background T RANSPOR T POLICE 11 years of crime reduction Variation in crime allocation policies and procedure Force Restructure in 2014 No review of Force Crime Resources 20:20:10 New ways of working t

270 views • 14 slides
Crime, Policing and Citizenship (CPC) - Space-Time Interactions of Dynamic Network Tao

Crime, Policing and Citizenship (CPC) - Space-Time Interactions of Dynamic Network Tao

Crime, Policing and Citizenship (CPC) - Space-Time Interactions of Dynamic Network Tao Cheng + CPC Team {tao.cheng@ucl.ac.uk} Department of Civil, Environmental &amp; Geoma@c

610 views • 14 slides
Perfect sets and f -ideals Introduction Perfect sets and f -ideals of degree d Author Jin Guo (

Perfect sets and f -ideals Introduction Perfect sets and f -ideals of degree d Author Jin Guo (

Perfect sets and f -ideals Jin Guo Outline Perfect sets and f -ideals Introduction Perfect sets and f -ideals of degree d Author Jin Guo ( n, 2) th perfect number (This is a joint work with professor Tongsuo Wu) Structure of V ( n, 2)

2.01k views • 154 slides
The Security of Ciphertext Stealing Phillip Rogaway 1 Mark Wooding 2 Haibin Zhang 1 1 Department of

The Security of Ciphertext Stealing Phillip Rogaway 1 Mark Wooding 2 Haibin Zhang 1 1 Department of

The Security of Ciphertext Stealing Phillip Rogaway 1 Mark Wooding 2 Haibin Zhang 1 1 Department of Computer Science University of California at Davis 2 Thales e-Security Ltd March 20, 2012 Rogaway, Wooding, Zhang (UC Davis, Thales) The Security

1.19k views • 105 slides
Positively Disruptive - Next Frontier in Point of Care Stuart C. Ray, MD Professor of Medicine,

Positively Disruptive - Next Frontier in Point of Care Stuart C. Ray, MD Professor of Medicine,

Positively Disruptive - Next Frontier in Point of Care Stuart C. Ray, MD Professor of Medicine, Oncology, and Health Sciences Informatics Vice Chair of Medicine for Data Integrity and Analytics Johns Hopkins Medical Institutions sray@jhmi.edu

576 views • 25 slides
So Far ... AUTHENTICATED ENCRYPTION We have looked at methods to provide privacy and authenticity

So Far ... AUTHENTICATED ENCRYPTION We have looked at methods to provide privacy and authenticity

So Far ... AUTHENTICATED ENCRYPTION We have looked at methods to provide privacy and authenticity separately: Goal Primitive Security notion Data privacy symmetric encryption IND-CPA Data authenticity MAC UF-CMA Mihir Bellare UCSD 1

105 views • 9 slides
MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and

MESSAGE AUTHENTICATION CODES and PRF DOMAIN EXTENSION Mihir Bellare UCSD 1 Integrity and authenticity The goal is to ensure that M really originates with Alice and not someone else M has not been modified in transit Mihir Bellare

989 views • 46 slides
Protect Sensitive Data with Ada Keystore Stphane Carrez FOSDEM 2020 Why Ada Keystore?

Protect Sensitive Data with Ada Keystore Stphane Carrez FOSDEM 2020 Why Ada Keystore?

Protect Sensitive Data with Ada Keystore Stphane Carrez FOSDEM 2020 Why Ada Keystore? Store sensitive parameters of an Ada server : Database connection passwords API secret keys Tool to store sensitive information :

266 views • 24 slides
Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block

Background Collision attack on CBC and CFB Impossible plaintext cryptanalysis of CTR Conclusions Impossible plaintext cryptanalysis and probable-plaintext collision attacks of 64-bit block cipher modes David McGrew mcgrew@cisco.com Fast

554 views • 43 slides
CBC Steering Committee Virtual meeting, 15 September 2020 Please write your name, organization

CBC Steering Committee Virtual meeting, 15 September 2020 Please write your name, organization

CBC Steering Committee Virtual meeting, 15 September 2020 Please write your name, organization and country in the chat Function: Example: Peter Pan, Office of the Auditor General, Never Never Land Please use the chat function to communicate

373 views • 34 slides
Lucky 13, BEAST, CRIME,... Is TLS dead, or just resting?

Lucky 13, BEAST, CRIME,... Is TLS dead, or just resting?

Lucky 13, BEAST, CRIME,... Is TLS dead, or just resting? Kenny Paterson Information Security Group Overview Introduction to TLS (and why YOU

1.25k views • 76 slides

More recommend