CNS - 20 - TLS IV

Suppose you have the following situation

and assume the following:

1. You know that the \(i\) th block of the plaintext message contains a password.

2. The possible values for the password are either JOE or UGO.

3. You can do a Choosen Plaintext Attack (CPA).

Even with the following assumption, if the encryption scheme is IND-CPA (semantically secure), then you'd still be unable to understand whether the password was JOE or UGO. We will now see that if the IV are predictable, then we break the semantic security property.

Assume now that the IV is predictable.

the basic idea of the attack is that by choosing a proper first block of the plaintext message, the attacker can pass arbitrary values to the PRP. Indeed, if the attacker has

\[\text{newmsg}[0] = X \mathbin{\oplus} \text{Something}\]

has the first plaintext block, then the first ciphertext block is obtained by passing to the PRP the value \(\text{Something}\). To actually guess which password was sent in the original message then the something has have the following form

\[\text{Something} = \text{FF54B1F1} \mathbin{\oplus} \text{"PASS=JOE"}\]

if I get as a result \(\text{132FA776}\), then the password was JOE, otherwise it was UGO, semantic security is broken, and I'm able to perform a dictionary attack.

The main breakthrough of the attack was the introduction of the following new idea: inserting some preamble text in order to align the plaintext that we want to break such that only a single unknown character is in inside a particular block. The extra preamble text needed to allign the first character of the password is injected by the code we have put on the victim machine and this injection takes place before the message is encrypted and sent to the server.

In the BEAST attack in particular the idea was to align the authentication token so that only the first character of the password was within a given block.

After the first letter is discovered, the preamble text can be changed so that in the block the first two letters appear

With this approach the complexity for an \(N\) bytes cookie is \(256 * N\), against a full brute force approach which would take \(256^N\) guesses. For an \(8\) byte password this would instantiate in

\[\begin{split} 256 \cdot 8 &= 2^{11} = 2048 \\ 256^{8} &= 2^{64} = 18 446 744 073 709 551 616 \\ \end{split}\]

Consider to send messages which contain only letters of the alphabet. With this assumption a possible compression scheme would be the following: anytime you have a letter appearing multiple times in a row, you compress it by prefixing a number to a single instance of the letter. For example,

\[\begin{split} \text{AAAABC} \,\, &\overset{\text{compress}}{\longrightarrow} \,\, \text{4ABC} &\overset{\text{encrypt}}{\longrightarrow} \text{X&%\$} \\ \text{ABCDEF} \,\, &\overset{\text{compress}}{\longrightarrow} \,\, \text{ABCDEF} &\overset{\text{encrypt}}{\longrightarrow} \text{&\$%A%\$} \\ \end{split}\]

The underlyign idea behind the CRIME attack was then the following:

1. Add a preamble to the message to be compressed and then encrypted, just like it was done in the BEAST attack. This preamble should be easily compressible.

2. See the size of the resulting encryption. By checking the size one can infer information about the original plaintext, such as, for example, the first letter.

Graphically we get,

The actual attack CRIME stands for Compression Ratio Info-Leak Made Easy. This attack works irrespective of the cipher used, so it can be applied to both stream ciphers and block ciphers.

To actually make this attack work the attacker has to be able to inject a suitably choosen text prior to the user data. The text choosen depends on the particularities of the compression algorithm used. In the CRIME attack the compression algorithm which was attacked was DEFLATE.

The DEFLATE algorithm jointly uses two sub-algorithm:

• Huffman Coding (bit oriented).

• LZ77 (bytes oriented): replaces repeated 3+ char strings within a given window size with (offset, size) pointers. For example, give the following string

  GIUSEPPE BIANCHI AND MARCO BIANCHINI
  

  then the compressed result is the following

  GIUSEPPE BIANCHI AND MARCO(-17, 8)NI
  

After the CRIME attack in september 2012 compression in TLS was disabled in Chrome.

The problem of compression is actually much more fundamental, and it doesnt concern only TLS. Indeed, similar attacks were made also in other settings, such as:

• The TIME attack.

• The BREACH attack.

Thus, anytime you see COMPRESS then ENCRYPT, you have to be careful of whats going on.

Observation: In 2002, 10 years prior the actual exploitation, Kelsey wrote a paper named "Compression and Information Leakage of *Plaintext" which discussed these issues.