Vigil@nce - TLS: obtaining data size via HTTPS Bicycle
March 2016 by Vigil@nce
This bulletin was written by Vigil@nce: https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can analyze TLS sessions using the GCM mode, in order to guess the size of confidential data sent.
Impacted products: SSL protocol.
Creation date: 06/01/2016.
DESCRIPTION OF THE VULNERABILITY
The TLS protocol supports several "ciphers". For example:
Those containing "GCM" use the Galois/Counter Mode, which operates as a stream cipher (and not as a block cipher). The size of the encrypted message is thus the same as the size of the clear message. This property (weakness) has been known for several years. Note: RC4 is also a stream cipher, but its use is no longer recommended.
However, if the attacker captures TLS packets and knows part of the clear message, he can deduce the length of the unknown data. For example, the attacker can visit the authentication page of a web service with the same browser as the victim, in order to learn the length of the HTTP headers which are usually sent in the TLS session. Then, if he captures the victim's TLS session, he can obtain the size of the data sent in the authentication form, and thus guess the size of the victim's password.
An attacker can therefore analyze TLS sessions using the GCM mode, in order to guess the size of confidential data sent.
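The length relation described above can be modelled offline to see how much a record size reveals and how padding removes the signal. This is an added example, not part of the Vigil@nce bulletin: the `/login` request, the host `app.example`, the field names and the `pad` parameter are hypothetical, and it assumes the whole request travels in a single TLS 1.2 AES-GCM record.

```python
# Constructed model: no real traffic, hosts or credentials are involved.
# TLS 1.2 AES-GCM record = 5-byte header + 8-byte explicit nonce
# + ciphertext (same length as the plaintext) + 16-byte tag.
GCM_OVERHEAD = 5 + 8 + 16


def login_request(password: str, bucket: int = 0) -> bytes:
    """Hypothetical login POST; if bucket > 0, pad the body to a multiple of it."""
    body = "user=alice&password=" + password
    if bucket:
        body += "&pad="
        body += "x" * (-len(body) % bucket)
    head = (
        "POST /login HTTP/1.1\r\n"
        "Host: app.example\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return (head + body).encode("ascii")


def record_length(plaintext: bytes) -> int:
    """Size on the wire of one GCM record carrying this plaintext."""
    return len(plaintext) + GCM_OVERHEAD


def infer_secret_length(observed: int, max_len: int = 128) -> int:
    """Match an observed record size against requests of known secret length.

    Candidates are tested one by one instead of subtracting a baseline,
    because Content-Length gains a digit when the body reaches 100 bytes.
    """
    for n in range(max_len + 1):
        if record_length(login_request("x" * n)) == observed:
            return n
    raise ValueError("observed size matches no candidate length")


if __name__ == "__main__":
    victim = record_length(login_request("correct-horse"))
    print("unpadded: inferred length", infer_secret_length(victim))
    for pw in ("a" * 8, "b" * 20):
        print("padded to 64:", len(pw), "->", record_length(login_request(pw, 64)))
```

With the body padded to a 64-byte bucket, passwords of 8 and 20 characters produce records of identical size, so the observer learns only the bucket and not the exact length.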