A Comprehensive Study of the BREACH Attack Against HTTPS

Esam Alzahrani, Justin Nonaka, and Thai Truong
12/03/13

BREACH Overview

Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext
Demonstrated at BlackHat 2013 by Angelo Prado, Neal Harris, and Yoel Gluck

• Chosen plaintext attack against HTTP compression
• Client requests a webpage, the web server's response is compressed
• The HTTP compression may leak information that will reveal encrypted secrets about the user

[Figure: network diagram. Labels: Network Intrusion Detection System, Edge Firewall, Switch, Router, DMZ, Clients, Attacker, (Victim)]

BREACH Requirements

Requirements for chosen plain text (side channel) attack
• The web server should support HTTP compression
• The web server should support HTTPS sessions
• The web server reflects the user's request
• The reflected response must be in the HTML Body
• The attacker must be able to measure the size of the encrypted response
• The attacker can force the victim's computer to send HTTP requests
• The HTTP response contains secret information that is encrypted
  – Cross Site Request Forgery token – browser redirection
  – SessionID (uniquely identifies HTTP session)
  – VIEWSTATE (handles multiple requests to the same ASP, usually hidden base64 encoded)
  – Oath tokens (Open Authentication - one time password)
  – Email address, Date of Birth, etc (PII)

SSL/TLS protocol structure

• X.509 certification authority
• Secure Socket Layer (SSL)
• Transport Layer Security (TLS)
• Asymmetric cryptography for authentication
  – Initialize on OSI layer 5 (Session Layer)
  – Use server public key to encrypt pre-master secret
  – Establish cipher settings through challenge handshake
  – Use master secret to create symmetric session key for information encryption, decryption during the SSL/TLS session
• OSI layer 6 (Presentation layer) performs symmetric cipher with session keys to encrypt the rest of the communication
• Composed of two layers: TLS Record Layer and TLS Handshake Layer

TLS/SSL Handshake Session

• Use X.509 certification authority to identify server
• Use asymmetric public key to encrypt pre-master secret
• Both client and server use Master Secret to generate session keys
  – Client Write MAC secret key
  – Server Write MAC secret key
  – Client Write Key
  – Server Write Key

HTTP and SSL/TLS

• Most application protocols such as HTTP, SMTP, POP, FTP, etc. all have TLS/SSL variants
• Two design choices to add TLS/SSL
  – Use different port numbers for TLS connection: HTTPS port 443, SMTPS port 465 and 587
  – Add protocol specific mechanism to enable TLS/SSL mode

Hyper Text Transfer Protocol Security (HTTPS) is a combination of HTTP1 and TLS Record

SSL/TLS combine two layers:
• Handshake Protocol Layer
• Record Protocol Layer

HTTPS – SSLv3 Encryption

HTTPS – Data Encryption

• Record Protocol layer encrypts data using session key and applies hash algorithms on the data
• Algorithm methods for encryption include: DES, 3-DES, RC2, RC4, and AES
• Two common hash algorithm methods: Message Digest (MD5) and Standard Hash Algorithm 1 (SHA-1)

SSL/TLS – Covered Attacks

CRIME Attack
• September 2012, CRIME attack is demonstrated at Ekoparty 2012
  – TLS compression side-channel attack
  – Inject partial chosen plaintext to recover header of HTTPS request.
  – Capture the web cookies to exploit the authentication data.

BREACH Attack
• Attack against HTTP compression
• Not relying on TLS-level compression
• Web application vulnerable if:
  – Server that uses HTTP-level compression
  – Contain user-input in HTTP response body
  – Reflect a secret in HTTP response body

CRIME Attack

• BREACH predecessor
• Chosen plaintext attack against TLS compression
• Guessing character by character
• If first guess was successful we guess the next character
• An attacker needs a script that sends HTTP requests through a compromised client
• A secret injected by an attacker will then be added to original secret
• If the size of attacker's request is reduced, the guess was correct

CRIME Attack

HTTP Compression

• Reduces transfer volume and speeds up Web page load time.
• Use compression schemes such as:
  – GZIP (GNU zip format)
  – Deflate (zlib): LZ77 and Huffman coding.
  – SDCH – Google Shared Dictionary Compression

Compression Example

• DEFLATE is a lossless compression algorithm comprised of LZ77 and Huffman coding
• LZ77 removes redundant repeated sequences of three or more characters
• Huffman coding eliminates redundant repeated symbols
• LZ77 Distance Length Example
    Blah blah => Blah b(5,3)
• Huffman Coding Example (variable length coding)
    to be or not to be

Cross Site Request Forgery (CSRF)

• A malicious attack that tricks an authenticated user into sending an unintended request to a webpage
• Unlike Cross site scripting (XSS), it exploits the trust a website has in a user
• An attacker includes a link to a website to trick an authenticated user into requesting that link
• If that website keeps user's credentials in session cookie, it will be compromised
• Example, if a website accepts HTML code:
    Eve: Hello Alice! Look here:
    <img src="http://bank.example.com/withdraw?account=Alice&amount=1000000&for=Eve">

Query String Parameter

• This query string parameter is reflected by the server and is both compressed and encrypted in the webpage body
• The Outlook Web Access Cross Site Request Forgery (CSRF) token is named canary
• The CSRF token identifies the user's HTTP requests to the web server

BREACH Chosen Plaintext Attack

Guess #1   GET /product/?id=12345&user=CSRF=0 HTTP/1.1
Guess #2   GET /product/?id=12345&user=CSRF=1 HTTP/1.1
Guess #3   GET /product/?id=12345&user=CSRF=2 HTTP/1.1
…
Guess #15  GET /product/?id=12345&user=CSRF=e HTTP/1.1
Guess #16  GET /product/?id=12345&user=CSRF=f HTTP/1.1

[Figure: client/server sequence diagram. Labels: HTTP Get Request with CSRF Guess #1, Compressed and Encrypted Response #1 (record payload size), HTTP Get Request with CSRF Guess #2, Compressed and Encrypted Response #2 (record payload size), HTTP Get Request with CSRF Guess #3]

• The server will reflect the user request.
• The response is compressed and encrypted.
• A correct guess should result in a smaller response payload size because LZ77 will be able to remove redundant patterns.

Huffman Coding Problem

• Although LZ77 may leak useful information, Huffman coding can further compress an incorrect guess; this incorrect guess may be as small or even smaller than the compressed correct guess.
• Huffman Collisions
    Correct Guess  &secret=abc4  (Response: 1024 bytes)
    Wrong Guess    &secret=abcd  (Response: 1024 bytes)
• Padding, Guess Swaps, and Character Pools
    First   GET /owa/?ae=Item&t=IPM.Note&a=New&id=canary=<guess><padding>
    Second  GET /owa/?ae=Item&t=IPM.Note&a=New&id=canary=<padding><guess>

Huffman Coding Two Tries

Assume the correct character is either 'a' or 'd'
• First   GET /owa/?ae=Item&t=IPM.Note&a=New&id=canary=a{}
• Second  GET /owa/?ae=Item&t=IPM.Note&a=New&id=canary={}a
• First   GET /owa/?ae=Item&t=IPM.Note&a=New&id=canary=abcd
• Second  GET /owa/?ae=Item&t=IPM.Note&a=New&id=canary=abdc

Request       Response Size
canary=a{}    99
canary={}a    100
canary={}d    98
canary=d{}    98

Explanation
Huffman coding depends on frequency count to compress redundant symbols; therefore if we keep the character frequency count constant we can monitor the response payload size and reasonably determine if changes in payload size are due to LZ77 or Huffman coding.

Huffman Coding Charset Pools

Guess #1  canary=abca{}-b-c-d-e-f-0-1-2-3-4-5-6-7-8-9
Guess #2  canary=abcb{}-a-c-d-e-f-0-1-2-3-4-5-6-7-8-9
Guess #3  canary=abcc{}-a-b-d-e-f-0-1-2-3-4-5-6-7-8-9

Explanation
The smallest response is assumed correct. Sixteen guesses are required for each character. The hyphen should prevent LZ77 from compressing redundant patterns.

Mitigating BREACH – User Solutions

• RequestPolicy Firefox Add-On
  – Denies all cross site requests by default
  – Can create a custom white-list for trusted cross-site requests
• CsFire Firefox 3.7+ and Chrome Add-On
  – Removes authentication metadata (session cookies and authentication headers) from cross domain requests

Mitigating BREACH - Continued

• Solutions for Web Server/Domain Administrators/Security Engineers
  – Disable HTTP compression in web servers
  – Throttle the number of concurrent requests that the server will handle
  – Install Cisco Intrusion Detection System Signature 2580/0
• Solutions for Application Developers
  – Change CSRF token with every HTTP request
  – Separate session secrets from user input
  – Obfuscate the length of the secret web response with random padding

BREACH Summary

• Chosen plaintext attack against HTTP compression
• The server must reflect the user's response
• The webpage must contain the encrypted response
• Attacker must be able to view the victim's encrypted traffic
• Attacker must force victim to send HTTP requests
• Requires thousands of HTTP requests to discover encrypted secrets
• Users can mitigate this vulnerability with browser plugins

Thank You
Q&A
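
The length leak from the chosen-plaintext slides and the "Change CSRF token with every HTTP request" mitigation, as an added example that is not part of the original slides: it compresses a constructed page with zlib and compares its size when the reflected input equals the token against a wrong value, first with a static token and then with a per-request masked token. The page template, the token values and the pad-XOR masking scheme are assumptions chosen for illustration.

```python
import secrets
import zlib

# Constructed sample values (assumptions), not taken from any real application.
TOKEN = bytes.fromhex("d41c8f0a93b7e2561fa0c47d9e3b8256")
WRONG = "7b02e9c4a615f83d0c9e17b4a26d5f38"  # same length as the token, different value

# Constructed page: embeds the token in a hidden field and reflects user input.
PAGE = ('<html><body><form action="/owa/" method="post">'
        '<input type="hidden" name="canary" value="{token}"></form>'
        '<p>No results for {reflected}</p></body></html>')


def mask(token, pad=None):
    """Return hex of pad || (pad XOR token); a fresh random pad per response."""
    if pad is None:
        pad = secrets.token_bytes(len(token))
    return (pad + bytes(p ^ t for p, t in zip(pad, token))).hex()


def unmask(masked):
    """Server-side inverse of mask(): split in half and XOR the halves."""
    raw = bytes.fromhex(masked)
    half = len(raw) // 2
    return bytes(p ^ x for p, x in zip(raw[:half], raw[half:]))


def compressed_len(embedded_token, reflected):
    """Size of the DEFLATE-compressed body, which the encrypted record length tracks."""
    body = PAGE.format(token=embedded_token, reflected=reflected)
    return len(zlib.compress(body.encode()))


def leak_gap(embedded_token):
    """Bytes saved when the reflected input equals the secret rather than WRONG."""
    return (compressed_len(embedded_token, WRONG)
            - compressed_len(embedded_token, TOKEN.hex()))


if __name__ == "__main__":
    print("static token, size gap:", leak_gap(TOKEN.hex()))
    print("masked token, size gap:", leak_gap(mask(TOKEN)))
```

With the static token the matching input collapses into a single LZ77 back-reference, so the gap is large; with the masked token the page never contains the raw secret and the gap shrinks to Huffman noise.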
