the "crime" attack on TLS

Phil Pennock help-gnutls-phil at spodhuis.org
Fri Sep 14 06:03:08 CEST 2012


[ Sorry to Nikos who sees this twice; my first reply was rejected by the
  list, so new message-id. ]

On 2012-09-13 at 13:14 +0200, Nikos Mavrogiannopoulos wrote:
> * How to mitigate the attack?
> 1. Do not enable compression (gnutls' doesn't enable it by default)
> 2. When using compression use the CBC ciphers that include a random
> padding up to 255 bytes. That would increase the number of trials an
> attacker needs to perform significantly.
> 3. Make sure that even if you must mix adversary-controlled data with
> sensitive data, that the adversary cannot trigger that multiple times.

One thing I noted is that the attack relies upon compression working,
while DEFLATE uses a new Huffman tree for each compression block.  So if
you end a _compression_ block any time you switch sensitivity level
within the stream, you protect different parts of the cleartext from
each other and this attack shouldn't work.

Both GnuTLS and OpenSSL use Z_SYNC_FLUSH to get a complete set of data
for sending, while still being in a compression block.  Z_FULL_FLUSH is
needed to end a compression block, or to end the compression with
Z_FINISH.

OpenSSL has BIO_flush() which will end up using Z_FINISH to end a
compression block, with the side-effect of also flushing down to the
wire level which would be unfortunate performance wise.

I couldn't find anything similar in GnuTLS and was wondering if a new
control call to end a compression block, starting a new one, would be
useful for senders who want to be able to use compression but split
contexts at security boundaries within the stream?

I wrote up my preliminary views at:
  http://bridge.grumpy-troll.org/2012/09/tls-crime-beast-and-you-programmer.html

-Phil




More information about the Gnutls-help mailing list