[Docs] [txt|pdf|xml] [Tracker] [Email] [Nits]

Versions: 00 01

Network Working Group                                          B. Kihara
Internet-Draft                                                K. Shimizu
Intended status: BCP                                    Lepidum Co. Ltd.
Expires: April 18, 2013                                 October 15, 2012


                 Compression in TLS Considered Harmful
             draft-kihara-compression-considered-harmful-00

Abstract

   Transport Layer Security is essential to secret communications in the
   Internet, and protecting TLS is our fundamental task.  This document
   describes a threat on TLS when compression is used and possible
   mitigations of the threat.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 18, 2013.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.




Kihara & Shimizu         Expires April 18, 2013                 [Page 1]

Internet-Draft       Compression Considered Harmful         October 2012


Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
   2.  Conditions of Attacks . . . . . . . . . . . . . . . . . . . . . 3
   3.  Application to Existing Protocols . . . . . . . . . . . . . . . 3
     3.1.  Attacks on HTTP . . . . . . . . . . . . . . . . . . . . . . 3
     3.2.  More Applications . . . . . . . . . . . . . . . . . . . . . 4
   4.  Possible Mitigations  . . . . . . . . . . . . . . . . . . . . . 4
     4.1.  Abandon of Compression  . . . . . . . . . . . . . . . . . . 4
     4.2.  Separating Compression Contexts . . . . . . . . . . . . . . 4
     4.3.  Inserting Random Paddings . . . . . . . . . . . . . . . . . 4
   5.  Security Considerations . . . . . . . . . . . . . . . . . . . . 4
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5
   7.  Informative References  . . . . . . . . . . . . . . . . . . . . 5
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . . . 5




































Kihara & Shimizu         Expires April 18, 2013                 [Page 2]

Internet-Draft       Compression Considered Harmful         October 2012


1.  Introduction

   Transport Layer Security [RFC5246] is, needless to say, essential to
   contemporary customs in the Internet like secret communications on
   the web.  Names, passwords, telephone numbers, credit card numbers,
   messages, session ids, and any other secrets are transported on TLS.
   Therefore, protecting TLS and underlying Public Key Infrastructure is
   our fundamental task.  Unfortunately, TLS and PKI are not infallible,
   and sometimes vulnerable to new attack vectors.  This document
   describes conditions for the CRIME attack [CRIME] which utilizes
   differences of compression rates to guess secret information from
   outside the encrypted transports and possible mitigations of the
   threat that should be considered when someone designs protocols with
   compression.


2.  Conditions of Attacks

   "Commonly-used lossless compression algorithms leak information about
   the data being compressed, in the size of the compressor output."
   [IACR-fse-2002-3091] In other words, by nature compressing data has
   the risk of information leakage.  Usually information from the size
   of compressed data is not enough to guess the secret easily; however,
   under some conditions the attack becomes much easier.

   Observing encrypted data itself is not so useful.  Though, if the
   attacker can inject string into the compression context where the
   secret is compressed, the attacker would be able to know whether the
   injected string matches the secret or not.  In addition, difference
   of the size of the compressed data in multiple tries will help the
   attacker to perform brute-force attacks.

   [[[More precise conditions are needed.  For example, initalizing
   compression contexts on each try will be a great help.]]]


3.  Application to Existing Protocols

3.1.  Attacks on HTTP

   The original CRIME is targeted at HTTP [RFC2616].  Web browsers tend
   to make requests according to malicious scripts, sending secret
   strings automatically together with injected strings by the scripts.
   To make matters worse, TLS compression [RFC3749] and SPDY
   [I-D.mbelshe-httpbis-spdy] had been compressing all data in the same
   context.  Therefore, stealing session cookies by the CRIME attack was
   very easy.  As a workaround, some web browsers disabled TLS
   compression and SPDY compression partially so that session cookies



Kihara & Shimizu         Expires April 18, 2013                 [Page 3]

Internet-Draft       Compression Considered Harmful         October 2012


   and bearer-token-type Authorization tokens cannot be stolen.
   However, compression of HTTP entities is still available and it is
   possible to guess some protions of HTTP entities if servers return
   injected strings in HTTP entities.

3.2.  More Applications

   [[[More applications are needed.]]]


4.  Possible Mitigations

4.1.  Abandon of Compression

   In principle, abandon of compression completely solves the problem of
   information leakage by compression.  It is RECOMMENDED to disable
   compression when communications are not trivial, unless traffic
   increase is considerable.  If data are confidentital and other
   mitigations are inapplicable, compression MUST be disabled,
   especially when the compression is applied in the lower layer like
   TLS compression.

4.2.  Separating Compression Contexts

   When compression is necessary, switching contexts will help
   protecting secrets.

   [[[This section shoulde be rewritten.  Precise requirements are
   needed.]]]

4.3.  Inserting Random Paddings

   If it is unavoidable to compress whole data in the same context,
   inserting random paddings will be REQUIRED to prevent disclosure of
   the original size of compressed data.  Note that this mitigation
   cannot prevent attackers from guessing secrets by statistical
   approaches.

   [[[Requirements of padding (ranges of length, randomness, and so on)
   are needed.]]]


5.  Security Considerations

   This document focuses on security.






Kihara & Shimizu         Expires April 18, 2013                 [Page 4]

Internet-Draft       Compression Considered Harmful         October 2012


6.  IANA Considerations

   This document does not require actions by IANA.


7.  Informative References

   [CRIME]    Rizzo, J. and T. Duong, "The CRIME Attack",  , <https://
              docs.google.com/presentation/d/
              11eBmGiHbYcHR9gL5nDyZChu_-lCa2GizeuOfaLU2HOU/
              edit?pli=1#slide=id.g1d134dff_1_222>.

   [I-D.mbelshe-httpbis-spdy]
              Belshe, M. and R. Peon, "SPDY Protocol",
              draft-mbelshe-httpbis-spdy-00 (work in progress),
              February 2012.

   [IACR-fse-2002-3091]
              Kelsey, J., "Compression and Information Leakage of
              Plaintext", IACR fse-2002-3091, <http://www.iacr.org/
              cryptodb/archive/2002/FSE/3091/3091.pdf>.

   [RFC2616]  Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
              Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
              Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.

   [RFC3749]  Hollenbeck, S., "Transport Layer Security Protocol
              Compression Methods", RFC 3749, May 2004.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246, August 2008.


Authors' Addresses

   Boku Kihara
   Lepidum Co. Ltd.
   #602, Village Sasazuka 3
   1-30-3 Sasazuka
   Shibuya-ku, Tokyo
   JP

   Email: kihara@lepidum.co.jp








Kihara & Shimizu         Expires April 18, 2013                 [Page 5]

Internet-Draft       Compression Considered Harmful         October 2012


   Kazuki Shimizu
   Lepidum Co. Ltd.

















































Kihara & Shimizu         Expires April 18, 2013                 [Page 6]


Html markup produced by rfcmarkup 1.107, available from http://tools.ietf.org/tools/rfcmarkup/