Vigil@nce - TLS: obtaining data size via HTTPS Bicycle
March 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can analyze TLS sessions using the GCM mode, in order
to guess the size of confidential data sent.
Impacted products: SSL protocol.
Severity: 2/4.
Creation date: 06/01/2016.
DESCRIPTION OF THE VULNERABILITY
The TLS protocol supports several cipher suites. For example:
– ECDHE-ECDSA-AES256-GCM-SHA384
– ECDHE-RSA-AES256-GCM-SHA384
– ECDHE-ECDSA-AES256-SHA384
– ECDHE-RSA-AES256-SHA384
Those containing "GCM" use Galois/Counter Mode, which encrypts like a
stream cipher (counter mode, without padding) rather than like a padded
block-cipher mode. The size of the encrypted message is thus the same
as the size of the clear message. This property (a weakness) has been
known for several years. Note: RC4 is also a stream cipher, but its
use is no longer recommended.
However, if the attacker captures TLS packets and knows part of the
clear message, he can deduce the length of the unknown data. For
example, the attacker can visit the authentication page of a web
service with the same browser as the victim, in order to learn the
length of the HTTP headers that are normally sent in the TLS session.
Then, if he captures the victim's TLS session, he can obtain the size
of the data sent in the authentication form, and thus guess the size
of the victim's password.
An attacker can therefore analyze TLS sessions using the GCM mode,
in order to guess the size of confidential data sent.
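The following worked example is added here and is not part of the Vigil@nce bulletin. It models a GCM-protected TLS 1.2 record (fixed-size explicit nonce, ciphertext of exactly the plaintext's length, fixed-size tag) with a toy SHA-256 counter-mode keystream standing in for AES-GCM (constructed, not real GCM), shows the subtraction that turns a captured record length plus known header length into the length of the unknown form data, and then shows one application-level mitigation: padding the form body so that different password lengths produce identical record lengths. The hostname, form field names, and passwords are constructed sample values.

```python
import hashlib
import hmac
import os

# Fixed-size parts of a TLS 1.2 AEAD record body (RFC 5288). They never vary
# with the content, so an eavesdropper simply subtracts them.
EXPLICIT_NONCE_LEN = 8
TAG_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (stand-in for AES-CTR inside GCM;
    constructed for the demo, not a real cipher)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal_record(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Model of a GCM-protected record body: explicit nonce || ciphertext || tag.
    The ciphertext is a keystream XOR, so it is exactly as long as the plaintext."""
    assert len(nonce) == EXPLICIT_NONCE_LEN
    ks = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ciphertext + tag


def open_record(key: bytes, record: bytes) -> bytes:
    """Receiver side of the model: verify the tag, then recover the plaintext."""
    nonce = record[:EXPLICIT_NONCE_LEN]
    ciphertext = record[EXPLICIT_NONCE_LEN:-TAG_LEN]
    tag = record[-TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch")
    ks = _keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def pad_body(body: bytes, granularity: int = 64) -> bytes:
    """Mitigation: pad the form body with a dummy field so its length only
    reveals which multiple of `granularity` it falls into."""
    filler = b"&pad="
    target = -(-(len(body) + len(filler)) // granularity) * granularity  # ceiling
    return body + filler + b"x" * (target - len(body) - len(filler))


def build_login_request(password: bytes, pad: bool = False) -> bytes:
    """Constructed HTTP login request; host and field names are assumptions."""
    body = b"user=alice&password=" + password
    if pad:
        body = pad_body(body)
    headers = (b"POST /login HTTP/1.1\r\n"
               b"Host: www.example.test\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return headers + body


def unknown_length(record_len: int, known_plaintext_len: int) -> int:
    """Everything in the record except the plaintext has a fixed size, so the
    record length minus that overhead minus the plaintext an observer already
    knows (the headers) is the length of the part they do not know."""
    return record_len - EXPLICIT_NONCE_LEN - TAG_LEN - known_plaintext_len


def demo() -> dict:
    """Return {password: (inferred length from unpadded record, padded record length)}."""
    key = os.urandom(32)
    # An observer learns the header length from a request with an empty password.
    known = len(build_login_request(b""))
    results = {}
    for pw in (b"hunter2", b"correcthorse"):
        # Fresh nonce per record, as GCM requires.
        plain_len = len(seal_record(key, os.urandom(EXPLICIT_NONCE_LEN), build_login_request(pw)))
        padded_len = len(seal_record(key, os.urandom(EXPLICIT_NONCE_LEN), build_login_request(pw, pad=True)))
        results[pw] = (unknown_length(plain_len, known), padded_len)
    return results


if __name__ == "__main__":
    for pw, (inferred, padded_len) in demo().items():
        print(f"{pw!r}: inferred length {inferred}, padded record length {padded_len}")
```

Without padding, the inferred length equals the real password length because header bytes and AEAD overhead are constant between the observer's own request and the victim's. With `pad_body`, both sample passwords land on a 64-byte body and their records are indistinguishable by length; TLS 1.3 offers the protocol-level counterpart of this with record padding, which hides the plaintext length from the record size.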
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/TLS-obtaining-data-size-via-HTTPS-Bicycle-18648