Monday, January 18, 2016

What is an HTTPS Bicycle Attack ?

An HTTPS Bicycle Attack is an attack in which the attacker can capture HTTPS traffic of a user and exploit the TLS packets to deduce sensitive information like length of password, GPS location or IPv4 address range of the user.

The attack was first discovered by security researcher Guido Vranken and released on December 30, 2015.

How can an attacker deduce sensitive information like password length from the captured HTTPS traffic ?

When sensitive data is transferred between two hosts over unsecured network, it mostly uses TLS connection. The sensitive data sent by the user is encrypted using secret key and then transferred to the server. Normally, decrypting the sensitive data without the secret key is extremely difficult.

But, for HTTPS traffic, the plaintext HTTP headers included in each and every packet can be exploited by the attacker. The attacker can use Side Channel Information and deduce length of particular components transferred in that particular request.

At this point, if the attacker already has prior information of length of some of the components out of the combined components, he can subtract the length of known components from the length of combined components and deduce the length of the sensitive data.

To give an example, suppose the attacker wants to deduce length of a user's password for a particular target website. The attacker can capture the encrypted TLS packets sent during the authentication requests.

At the same time, he may collect information on the browser the user is using. The attacker can do it easily by perpetrating a direct attack to the user, since insecure HTTP request easily reveals the User-agent string.

Now, the attacker can replicate browser requests to the target website using the same browser as the user and deduce length of the requests to various pages on the target site. And, from the encrypted TLS payload of the browser requests in the packet capture, extract the length of the payloads.

The attacker can now compare the Pearson correlation coefficient for the plain texts and encrypted request. And, on comparing the results, he may deduce which encrypted request is for which page in the website.

Now, the attacker has information on which encrypted TLS request is for login page. From this, the attacker can subtract the length of known headers the user's browser has sent. He can also deduce the length of possible cookies, that are static enough in length.

Now, for a authentication request, normally the username and passwords are sent together. At this point, if the attacker already knows the username of the user, he may subtract that length from the remaining components and deduce the length of the user's password.

How can an attacker deduce actual passwords from length of passwords ?

Suppose, the attacker could deduce that a particular user's password is of length 8. Now, one option is to use brute force approach and try to login in the target website with all passwords comprised of 8 characters and numerals. If the password strength is weak enough, the attacker can deduce the actual password.

Another option is using Dictionary Attack. Often, users create passwords using dictionary words. So, if the attacker can try to login with all dictionary words with 8 characters, he will easily deduce the actual password.

The attacker may also use some other information specific to the user and try with a set of specific passwords of length 8, and deduce the password easily.

What all sensitive data can be deduced using HTTPS Bicycle Attack ?

Many sensitive data can be deduced using HTTPS Bicycle Attack. Even, TLS packets which have been captured long ago can be exploited to deduce sensitive data. Some of the sensitive data that can be deduced by HTTPS Bicycle Attack includes :

  • Length of passwords can be deduced from which the actual password may get revealed.
  • Small differences in the length of encrypted GPS co-ordinates can be used to estimate the location on the world map for a particular encrypted coordinate.
  • Differences in length of encrypted IPv4 addresses can reveal specific IP address range, which can later be used to deduce the actual IP address.

What is the mitigation of HTTPS Bicycle Attack ?

There are a couple of steps that can be taken to mitigate the attack.

  • The user can use a strong password comprised of a mixture of special characters, numerals and random characters and make it difficult for the attacker to deduce the actual password even though the attacker knows the length of the password.
  • Two-step authentication, that uses password as well as some other information like One Time Password etc to authenticate the user can mitigate the attack.
  • HTTPS Bicycle Attack is done on TLS that uses stream ciphers, because there is a 1:1 relation between input plaintext and encrypted output for stream ciphers. If one byte is added to the plaintext, one byte will be added to the output. So, it makes much easier for the attacker to deduce the length of sensitive data. So, turning off support of TLS stream ciphers may be a good option to mitigate this attack.
  • Using the latest version of TLS (version 1.2) can prevent this attack.
  • Sensitive information transferred can be hashed upto a fixed length so that the attacker cannot deduce information on length of sensitive data.

No comments:

Post a Comment