A Comprehensive Study of the BREACH Attack Against HTTPS

Esam Alzahrani, Justin Nonaka, and Thai Truong
12/03/13

BREACH Overview

Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext
Demonstrated at BlackHat 2013 by Angelo Prado, Neal Harris, and Yoel Gluck

• Chosen plaintext attack against HTTP compression
• Client requests a webpage, the server’s response is compressed
• The HTTP compression may leak information that will reveal encrypted secrets about the user

[Figure: network diagram with a Network Intrusion Detection System, edge firewall, switch, router, DMZ, clients (victim), and attacker]

BREACH Requirements

Requirements for chosen plain text (side channel) attack
• The web server should support HTTP compression
• The web server should support HTTPS sessions
• The web server reflects the user’s request
• The reflected response must be in the HTML Body
• The attacker must be able to measure the size of the encrypted response
• The attacker can force the victim’s computer to send HTTP requests
• The HTTP response contains secret information that is encrypted
  – Cross Site Request Forgery token – browser redirection
  – SessionID (uniquely identifies HTTP session)
  – VIEWSTATE (handles multiple requests to the same ASP, usually hidden base64 encoded)
  – Oath tokens (Open Authentication - one time password)
  – Email address, Date of Birth, etc (PII)

SSL/TLS protocol structure

• X.509 certification authority
• Secure Socket Layer (SSL)
• Transport Layer Security (TLS)
• Asymmetric cryptography for authentication
  – Initialize on OSI layer 5 (Session Layer)
  – Use server public key to encrypt pre-master secret
  – Establish cipher settings through challenge handshake
  – Use master secret to create symmetric session key for information encryption and decryption during the SSL/TLS session
• OSI layer 6 (Presentation layer) performs symmetric cipher with session keys to encrypt the rest of the communication
• Composed of two layers: TLS Record Layer and TLS Handshake Layer

TLS/SSL Handshake Session

• Use X.509 certification authority to identify server
• Use asymmetric public key to encrypt pre-master secret
• Both client and server use Master Secret to generate session keys
  – Client Write MAC secret key
  – Server Write MAC secret key
  – Client Write Key
  – Server Write Key

HTTP and SSL/TLS

• Most application protocols such as HTTP, SMTP, POP, FTP, etc. all have TLS/SSL variants
• Two design choices to add TLS/SSL
  – Use different port numbers for TLS connection: HTTPS port 443, SMTPS port 465 and 587
  – Add protocol-specific mechanism to enable TLS/SSL mode

Hyper Text Transfer Protocol Security (HTTPS) is a combination of HTTP1 and TLS Record
SSL/TLS combines two layers:
• Handshake Protocol Layer
• Record Protocol Layer

HTTPS – SSLv3 Encryption

HTTPS – Data Encryption

• Record Protocol layer encrypts data using session key and applies hash algorithms on the data
• Algorithm methods for encryption include: DES, 3-DES, RC2, RC4, and AES
• Two common hash algorithm methods: Message Digest (MD5) and Standard Hash Algorithm 1 (SHA-1)

SSL/TLS – Covered Attacks

CRIME Attack

• September 2012, CRIME attack is demonstrated at Ekoparty 2012
  – TLS compression side-channel attack
  – Inject partial chosen plaintext to recover header of HTTPS request.
  – Capture the web cookies to exploit the authentication data.

BREACH Attack

• Attack against HTTP compression
• Not relying on TLS-level compression
• Web application vulnerable if:
  – Server uses HTTP-level compression
  – Contains user input in HTTP response body
  – Reflects a secret in HTTP response body

CRIME Attack

• BREACH predecessor
• Chosen plaintext attack against TLS compression
• Guessing character by character
• If the first guess was successful, we guess the next character
• An attacker needs a script that sends HTTP requests through a compromised client
• A secret injected by an attacker will then be added to the original secret
• If the size of the attacker's request is reduced, the guess was correct

CRIME Attack

HTTP Compression

• Reduces transfer volume and speeds up Web page load time.
• Use compression schemes such as:
  – GZIP (GNU zip format)
  – Deflate ( ): LZ77 and Huffman coding.
  – SDCH – Google Shared Dictionary Compression

Compression Example

• DEFLATE is a lossless compression algorithm comprised of LZ77 and Huffman coding
• LZ77 removes redundant repeated sequences of three or more characters
• Huffman coding eliminates redundant repeated symbols
• LZ77 Distance Length Example
  Blah blah => Blah b(5,3)
• Huffman Coding Example (variable length coding)
  to be or not to be
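The two slide examples worked through in code, as an added illustration that is not part of the original slides. The function names are hypothetical, the LZ77 pass is a simplified greedy matcher rather than zlib's, and the `canary=` strings in the test are constructed.

```python
import heapq
from collections import Counter

def lz77_tokens(text, min_len=3, window=32768):
    """Greedy LZ77: emit literal characters or (distance, length) back-references."""
    out, i = [], 0
    while i < len(text):
        best_len, best_dist = 0, 0
        for start in range(max(0, i - window), i):
            length = 0
            # A match may run into the current position, as DEFLATE allows.
            while i + length < len(text) and text[start + length] == text[i + length]:
                length += 1
            if length >= min_len and length >= best_len:
                best_len, best_dist = length, i - start  # prefer the nearest match
        if best_len:
            out.append((best_dist, best_len))
            i += best_len
        else:
            out.append(text[i])
            i += 1
    return out

def render(tokens):
    """Print tokens in the slide's notation, e.g. Blah b(5,3)."""
    return "".join(t if isinstance(t, str) else f"({t[0]},{t[1]})" for t in tokens)

def huffman_bits(text):
    """Total bits needed for text under an optimal Huffman code (code table excluded)."""
    heap = list(Counter(text).values())
    if len(heap) == 1:
        return len(text)  # a lone symbol still needs one bit per occurrence
    heapq.heapify(heap)
    total = 0
    while len(heap) > 1:
        merged = heapq.heappop(heap) + heapq.heappop(heap)
        total += merged  # every merge adds one bit to each symbol beneath it
        heapq.heappush(heap, merged)
    return total
```

A reflected value that repeats text already in the page collapses into a single back-reference, and each non-matching character costs an extra literal; that difference is the size signal BREACH measures.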

Cross Site Request Forgery (CSRF)

• A malicious attack that tricks an authenticated user into sending an unintended request to a webpage
• Unlike Cross site scripting (XSS), it exploits the trust a website has in a user
• An attacker includes a link to a website to spoof an authenticated user into requesting that link
• If that website keeps the user’s credentials in a session cookie, it will be compromised
• Example: if a website accepts HTML code:

Eve: Hello Alice! Look here:

Query String Parameter

• This query string parameter is reflected by the server and is both compressed and encrypted in the webpage body
• The Outlook Web Access Cross Site Request Forgery (CSRF) token is named canary
• The CSRF token identifies the user’s HTTP requests to the web server

BREACH Chosen Plaintext Attack

Guess #1   GET /product/?id=12345&user=CSRF=0 HTTP/1.1
Guess #2   GET /product/?id=12345&user=CSRF=1 HTTP/1.1
Guess #3   GET /product/?id=12345&user=CSRF=2 HTTP/1.1
…
Guess #15  GET /product/?id=12345&user=CSRF=e HTTP/1.1
Guess #16  GET /product/?id=12345&user=CSRF=f HTTP/1.1

[Figure: client/server exchange. The client sends "HTTP Get Request with CSRF Guess #1", "#2" and "#3"; the server returns "Compressed and Encrypted Response #1" and "#2", each labelled with its record payload size.]

• The server will reflect the user request.
• The response is compressed and encrypted.
• A correct guess should result in a smaller response payload because LZ77 will be able to remove redundant patterns.

Huffman Coding Problem

• Although LZ77 may leak useful information, Huffman coding can further compress an incorrect guess; this incorrect guess may be as small or even smaller than the compressed correct guess.

• Huffman Collisions
  Correct Guess  &secret=abc4  (Response: 1024 bytes)
  Wrong Guess    &secret=abcd  (Response: 1024 bytes)

• Padding, Guess Swaps, and Character Pools
  First   GET /owa/?ae=Item&t=IPM.Note&a=New&id=canary=
  Second  GET /owa/?ae=Item&t=IPM.Note&a=New&id=canary=

Huffman Coding Two Tries

Assume the correct character is either ‘a’ or ‘d’
• First   GET /owa/?ae=Item&t=IPM.Note&a=New&id=canary=a{}
• Second  GET /owa/?ae=Item&t=IPM.Note&a=New&id=canary={}a

• First   GET /owa/?ae=Item&t=IPM.Note&a=New&id=canary=abcd
• Second  GET /owa/?ae=Item&t=IPM.Note&a=New&id=canary=abdc

Request       Response Size
canary=a{}    99
canary={}a    100
canary={}d    98
canary=d{}    98

Explanation
Huffman coding depends on frequency count to compress redundant symbols; therefore if we keep the character frequency count constant we can monitor the response payload size and reasonably determine if changes in payload size are due to LZ77 or Huffman coding.

Huffman Coding Charset Pools

Guess #1  canary=abca{}-b-c-d-e-f-0-1-2-3-4-5-6-7-8-9
Guess #2  canary=abcb{}-a-c-d-e-f-0-1-2-3-4-5-6-7-8-9
Guess #3  canary=abcc{}-a-b-d-e-f-0-1-2-3-4-5-6-7-8-9

Explanation
The smallest response is assumed correct. Sixteen guesses are required for each character. The hyphen should prevent LZ77 from compressing redundant patterns.

Mitigating BREACH – User Solutions

• RequestPolicy Firefox Add-On
  – Denies all cross site requests by default
  – Can create a custom white-list for trusted cross-site requests

• CsFire Firefox 3.7+ and Chrome Add-On
  – Removes authentication metadata (session cookies and authentication headers) from cross domain requests

Mitigating BREACH - Continued

• Solutions for Web Server/Domain Administrators/Security Engineers
  – Disable HTTP compression in web servers
  – Throttle the number of concurrent requests that the server will handle
  – Install Cisco Intrusion Detection System Signature 2580/0

• Solutions for Application Developers
  – Change CSRF token with every HTTP request
  – Separate session secrets from user input
  – Obfuscate the length of the secret web response with random padding
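A local measurement of the size signal and of the "change CSRF token with every HTTP request" mitigation, added here as an example and not taken from the original slides. The page template, the token value and the pad-and-XOR masking scheme are assumptions chosen for illustration; nothing is sent over a network.

```python
import secrets
import zlib

SECRET = "9f86d081884c7d659a2feaa0c55ad015"  # constructed CSRF token, not a real value

def mask(token_hex):
    """Per-response masking: emit pad || (pad XOR token), fresh for every response."""
    raw = bytes.fromhex(token_hex)
    pad = secrets.token_bytes(len(raw))
    return (pad + bytes(a ^ b for a, b in zip(pad, raw))).hex()

def unmask(masked_hex):
    """Server-side inverse of mask(), applied before comparing a submitted token."""
    raw = bytes.fromhex(masked_hex)
    pad, body = raw[:len(raw) // 2], raw[len(raw) // 2:]
    return bytes(a ^ b for a, b in zip(pad, body)).hex()

def response_size(reflected, masked):
    """Compressed size of a constructed page that reflects input and embeds the token."""
    token = mask(SECRET) if masked else SECRET
    page = (f'<html><body><p>No results for id={reflected}</p>'
            f'<a href="/owa/?ae=Item&a=New&canary={token}">New</a>'
            '</body></html>')
    return len(zlib.compress(page.encode(), 9))

def size_gap(masked, trials=50):
    """Mean bytes saved when the reflected value equals the stored token."""
    right = "canary=" + SECRET
    wrong = "canary=" + SECRET[::-1]  # same characters, so Huffman counts stay equal
    total = 0
    for _ in range(trials):
        total += response_size(wrong, masked) - response_size(right, masked)
    return total / trials

if __name__ == "__main__":
    print("static token gap:", size_gap(masked=False))
    print("masked token gap:", size_gap(masked=True))
```

With a static token the matching value compresses measurably better; once the token bytes in the page differ on every response, the stored secret never appears in the compressed body and the gap drops to noise.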

BREACH Summary

• Chosen plaintext attack against HTTP compression
• The server must reflect the user’s response
• The webpage must contain the encrypted response
• Attacker must be able to view the victim’s encrypted traffic
• Attacker must force victim to send HTTP requests
• Requires thousands of HTTP requests to discover encrypted secrets
• Users can mitigate this vulnerability with browser plugins

Thank You

Q&A