New HTTPS Bicycle Attack Reveals Details About Passwords From Encrypted Traffic

campuscodi writes: Dutch security researcher Guido Vranken has published a paper [PDF] in which he details a new attack on TLS/SSL-encrypted traffic, one that can potentially allow attackers to extract some information from HTTPS data streams. Attackers could extract the length of a password from TLS packets, and then use this information to simplify brute-force attacks. The new HTTPS Bicycle Attack can also be used retroactively on HTTPS traffic logged several years ago. Hello NSA!

We need to ban them immediately

Everyone knows only terrorists use bicycles. Good citizens should stick to unicycles.

Re:We need to ban them immediately

A good citizen will buy a Ford F150 or better

Re:We need to ban them immediately

[U2xhc2hkb3QgU3Vja3M]

No, good citizens will buy a Chevrolet Volt.

Re:We need to ban them immediately

Or a Chevy ... cuz Muuurica'

Re:We need to ban them immediately

So I can buy some dog shit then 'cause that's better.

Re: We need to ban them immediately

[Zoxed]

> Good citizens should stick to unicycles.

You have nothing to lose but your chains.

Re:We need to ban them immediately

[kyrsjo]

Best regards,
The Kingdom of Saudi Arabia

Re:We need to ban them immediately

Everyone knows only terrorists use bicycles.

http://www.dutchnews.nl/news/a...

Re:We need to ban them immediately

Around here, we make electricity by burning coal and trash (including industrial and medical waste), which I suppose is still cleaner than a VW diesel this time of year.

Re: We need to ban them immediately

Electric motors waste a lot less energy via heat than ICE engines, so even if you always produce your electricity by coal, you end up releasing less carbon.

Re: We need to ban them immediately

Chevy citation needed.

Re:We need to ban them immediately

Ford, because Chevy starts with C, which rhymes with P, and that stands for Pinko!

Re: We need to ban them immediately

[Varka]

Uh, no. You can keep your Citation.

How useful really is password length?

[Sowelu]

Seems to me that if you wanted to brute force something, you'd start with the minimum size allowed and go up from there. If there's 50 different characters allowed for any letter of a password, then testing all possible 7-length passwords takes 1/50th the time as testing all possible 8-length passwords, and so on. Negligible.

I guess it could be useful to know whether or not a given password IS brute forceable, though, and give you a rough ETA. An attacker could say "huh, this guy only has a 6 letter password, we can grab that in a minute", or "this guy has a length 20 password, we have no chance".

Re:How useful really is password length?

[JustAnotherOldGuy]

Seems to me that if you wanted to brute force something, you'd start with the minimum size allowed and go up from there.

Exactly.

I think this attack is probably going to be minimally useful at best, and even then only for very short, stupid passwords.

Re:How useful really is password length?

If you're targeting an individual user, you can look at their password lengths across multiple sites (to attack them where they're weakest, for example)

If you're targeting one *site*, you can look at the password lengths across all the users and attack the users (or subset of users, like admins or influential users) with the shortest passwords.

Re: How useful really is password length?

[Threni]

Eh? If you know the password is 13 chars why would you bother guessing shorter passwords?

Re:How useful really is password length?

[mspohr]

"I think this attack is probably going to be minimally useful at best, and even then only for very short, stupid passwords."

... which are already susceptible to simple brute force attacks.

Re: How useful really is password length?

Think what he's trying to say is, even with this sort of knowledge (password lenght) with a semi decent password you're looking at tens of thousands of hours of brute forcing, per account, assuming a dictionary attack won't get you through first.

It's not negligible, but it's not the end of the internet.

Re:How useful really is password length?

[antifoidulus]

You could also use the information to try to phish the users. "We noticed that your password is only x characters long, in order to increase security we are requiring passwords of at least x+y characters long, please click this link to reset your password"

Re:How useful really is password length?

Every bit of information is helpful to an attacker. Ill bet the person trying to gain access to your accounts has a lot more information on you than you think. All in hopes to get what they want.

Re: How useful really is password length?

[89cents]

True, but this will save you very little. Think of all possible 12 character passwords as a 13 character password with a null character for the last character. If you have a character set of 80 characters, this will only save you 1/80th of the total possible password combinations.

Re:How useful really is password length?

[viperidaenz]

Why not just phish users using a fixed value for x?
Put some spelling and grammar errors in the email too, that usually weeds out people smart enough not to fall for it. They just end up wasting your time.

Re: How useful really is password length?

let's say you have a 5 character password.
If I have to guess normally I'd start with 1 character, then 2, etc.
so that's 80 + 80^2 + 80^3 + 80^4 + 80^5
So it's actually slightly more than 1/80, but not enough to be useful in any way.
http://www.wolframalpha.com/input/?i=sum%2880%5E%28i%29%2C+i+%3D+1+to+n%29%2F%2880%5E%28n%2B1%29%29

Re:How useful really is password length?

[santiago]

You could also use the information to try to phish the users. "We noticed that your password is only x characters long, in order to increase security we are requiring passwords of at least x+y characters long, please click this link to reset your password"

I'm pretty sure any user this would work on would be equally susceptible to the same email with a universal value of 6, 7, or 8 for everyone.

Re:How useful really is password length?

[maugle]

It is still a very useful tool, though. As the GP pointed out, it allows for more effective use of computing resources by knowing in advance which passwords can and can not be feasibly cracked, and applying brute force attacks at only the crackable ones.

Re: How useful really is password length?

[Bengie]

With a semi-decent password, knowing the length would still take Universe ages. When it comes to bruteforcing, knowing the length doesn't save much time. Every character added to the password length increases the number of combinations by the magnitude of the alphabet size. Assuming you're using a full 92 char alphabet, lets assume 100 chars, a 12 char password is 100 larger space than 11 chars, and 10,000 larger than 10 chars, and 1,000,000 times larger than 9. Another way to write this. Assume 12 chars is "1". If you knew the password to be 12 chars, then the work would be 1. If you didn't know it was 12 chars and had to go through all of the smaller passwords, then it'll be 1 + 1/100 + 1/10000 + 1/1000000 + etc. As you can see, iterating through the smaller password sizes adds virtually no extra time.

The main benefits you gain is if you know the person uses certain words, you could limit the word combinations, or you could decide to skip breaking the password because it's too hard.

Re:How useful really is password length?

[JoeMerchant]

Mostly, it's a useful lesson to future protocol designs - next iteration should protect against this by sending some standard length block (SHA3?) of the password so that all information about it is obscured.

Re: How useful really is password length?

exactly. the first thing that comes to mind is the question whether this technique works on key stretching.

Re:How useful really is password length?

[NotQuiteReal]

very short, stupid passwords

OK, everyone - time to update your passwords - "54321" is 4.400243 times better than "12345"

Re: How useful really is password length?

It should still work on key stretching as that is performed server-side and only following transmission of the unhashed password.

Re: How useful really is password length?

It's still useful, as many people still use dictionary words, maybe padded with a digit or two.

You assume only brute-forcing, but anyone smart cracking passwords would start with a dictionary attack, then a 'dictionary+mutations' attack, and only then resolve to real brute-forcing the entire key space.

Re:How useful really is password length?

[gweihir]

Indeed. Length information can only tell you when to stop, because you have missed the password (e.g. because you did not use the full char-set on some assumption of language used) and how much effort is expected. The effort for shorter passwords is negligible. Takes some actual Math skills for seeing that (not very advanced ones though), and these seem to be in very short supply these days. Civilization is really devolving, with people knowing and understanding less and less.

Re:How useful really is password length?

Why not just phish users using a fixed value for x?
Put some spelling and grammar errors in the email too, that usually weeds out people smart enough not to fall for it. They just end up wasting your time.

The problem with this phish is curmudgeons such as slashdot users tend to send bogus resets, hiding the desired signal in the noise. My guess is that
spamglish (spelling and grammar errors) would only increase the bogosity, not weed it out.

In the early days of the internet, I managed to get myself on an "anti-free enterprise terrorist" list by my reporting spam to abuse@ Cut my spam to almost nothing. (In the Jurassic, when sender was traceable.)

Re:How useful really is password length?

It is still a very useful tool, though. As the GP pointed out, it allows for more effective use of computing resources by knowing in advance which passwords can and can not be feasibly cracked, and applying brute force attacks at only the crackable ones.

Sigh. Nobody bothers with a brute force if the password is more than maybe 5 or 6 characters. Brute Force represents a WORST CASE scenario for the ATTACKER, not an average case or a best case. Attackers will use a mutable dictionary attack prior to any sort of brute force, because the vast majority of people don't use purely random passwords.
Knowing the length in advance is a HUGE benefit to an attacker. You now know with 100% certainty the EXACT size of the data set you need to scan through.

I'm not going to get into the Math behind it, because if you don't understand it already I doubt anything I say will help. The takeaway is that you should never, EVER use real words in a password.

Re: How useful really is password length?

True, but this will save you very little. Think of all possible 12 character passwords as a 13 character password with a null character for the last character.
If you have a character set of 80 characters, this will only save you 1/80th of the total possible password combinations.

But if you start your guessing by using real words which individually, or in combination, add up to X characters, your target range is suddenly very small in comparison. Which is why most attackers use a mutable dictionary engine, not brute force. In this type of attack, knowing the length actually does give you a pretty significant 'head start'.

Re:How useful really is password length?

Length information can only tell you when to stop

It also tells you where to start.

Since you're so proud of your math skills, here's your homework. Assuming a 20 character length password, and 256 possible values per character, how many of the total possible (20-length) combinations contain at least one English word or proper noun with at least 5 characters?
THAT is far closer to the actual target space which will need to be scanned than the theoretical 'worst case' scenario for the attacker.

There's a lot you can do with language pattern analysis and other more traditional cryptographic approaches, combined with a mutable dictionary engine. Knowing the length of the password can be a HUGE benefit in these sorts of pursuits.

Re:How useful really is password length?

[Rob+Y.]

I would have hoped that security products that send encrypted passwords would insert random junk to randomize the length of the message containing the password. Since the password is in a predictable place in the data stream, it would make sense to garble it as much as possible, no?

Re:How useful really is password length?

[gweihir]

That is not brute-forcing. Incidentally, how do you arrive at 256 values per character? If it is characters you find on a keyboard, they will be far less. If it is Unicode, they may be far, far more. They will never be 256 in practice, unless it is a binary key, not a password. I will not even comment on you amateur-level analysis of the search space. Well, what can one expect from the typical big-ego-small-skill AC.

Getting password length

Don't most modern system pad encrypted data to hide its length? That's pretty much encryption 101 and one of the first things covered by the OpenSSL documentation. So, if encrypted data is padded, then how can you tell the length of a password sent over the wire?

Unless people are doing something really dumb and not using padding in their encrypted data, this doesn't seem like it should be possible.

Re:Getting password length

Stream ciphers could suffer if no padding is used - block ciphers are different +- 16 bytes

Only valid for stream ciphers.

[guruevi]

Not sure how he would get the results with block ciphers but the paper only describes stream ciphers. That's the reason we don't use stream ciphers for HTTPS but rather block ciphers. Stream ciphers should simply never be used where keys repeat.

Re:Only valid for stream ciphers.

[devman]

AES-GCM is derived from CTR mode. CTR mode turns a block cipher in to a keystream generator (thus a stream cipher). I haven't fully read the paper though, so I don't know whether this attack applies to block cipher used as stream ciphers.

Re:Only valid for stream ciphers.

I haven't fully read the paper though, so I don't know whether this attack applies to block cipher used as stream ciphers.

It does. A stream cipher is a stream cipher, regardless of the keystream source. I've spent the last eight months of my life completely immersed in pretty much nothing but cryptography, and I've been cautioning people about predictable lengths in streams. -PCP

Re:Only valid for stream ciphers.

[guruevi]

But the predictable stream length attack has been known about since the introduction of stream ciphers. That's why you don't use stream ciphers (or shouldn't at least) to secure predictable content like chunks of websites. You use block ciphers that ALWAYS has the same block size regardless of it's contents.

AES-GCM seems to be fast-tracked by US governmental agencies with at least one someone trying to (inadvertently?) sneak in an exploit in the OpenSSL implementation. Don't trust new ciphers too quickly, if it's too good to be true...

Re:Only valid for stream ciphers.

  That's the reason we don't use stream ciphers for HTTPS but rather block ciphers.

I don't believe this is true. Correct me if I'm wrong, but A quick trip over to https://www.ssllabs.com/ssltest/viewMyClient.html tells me that Chrome implements

TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256

ChaCha20 is a stream cipher.

I will say that block ciphers are more popular in general, but stream ciphers are certainly used and implemented.

Search sites

[AHuxley]

How secure are the more modern search sites with perfect forward secrecy and proxy services? Thanks.

Re:Search sites

Most ciphers used now (other than Salsa20) are block ciphers, not stream ciphers. Therefore they work in blocks, and are padded to fit said block size. This means that there is less information available to mount an attack like this to get exact size, but you would still be able to tell it is between two values. The only real solution is for HTML forms to have a standard padding scheme so that way logins are all the same size.

Constraints and Limitations

What this reinforces, is the need to use encryption widely and understand its limitations; and it has similarities to the issues with use of ECB mode ciphers mentioned on Wikipedia (https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_Codebook_.28ECB.29)

Like others, I'm less than certain of the real world impact of this particular issue.

What is also unclear, is if it is it possible to significantly reduce the amount of information that can be gained by not using stream ciphers, could the prevention be as simple as configuring web servers (etc) to not use stream based ciphers ? (e.g. Use AES in CBC mode).

Serious vulnerabilities

[WaffleMonster]

It's a good thing Guido discovered the need for padding when riding bicycles because you could fall and hurt your head.

Not the end of the world

[viperidaenz]

The attacker needs to know the exact length of all the other data. That means they need all the cookie data being sent, etc.

Re:Not the end of the world

[Martin+Blank]

Some of this is highly predictable. A given application could use only a single cookie, and that cookie could always be of exactly the same length. There might be some variation in the headers such as Content-Length, but for password submissions, this is unlikely to vary by more than a character or two. Predictability could be extremely high.

Some protocols are even more predictable.

Re:Not the end of the world

[viperidaenz]

So easy way to thwart it: Google Analytics, with its __utma and __utmb etc cookies that end up with every request to your domain.
There's also the User-Agent header that varies depending on the user.
There may be an If-Modified-Since header, an ETag header (although probably not on a POST request)
Accept, Accept-Encoding, Accept-Language, cache-control, origin, Referer, Connection. Those are all headers my browser is sending to slashdot.

It's even difficult figuring out what the URL in the request is, since that's also encrypted in the TLS data. All you can probably do is pick the next HTTPS request after a non-HTTPS request, assuming the login page is not sent over HTTPS and the form submission is.

Re:Not the end of the world

[PlusFiveTroll]

That's for a random MITM attack. If the attacker controlled the non-https page that sent you to the https page he wanted information from almost all of that is predictable.

Re:Not the end of the world

[Martin+Blank]

Given that almost all HTTPS sites are mapped 1:1 domain:IP address, it's not that hard to figure out what site it's connecting to. That brings some level of predictability, especially if one already has access to the site via another account, or it uses an established framework.

Watching unencrypted traffic from your browser is going to hand over some of that information. It's not necessarily that one can simply look at a payload length and quickly determine the password length, but that by using various known factors, a fairly educated guess can be made. That at least starts narrowing down the possibilities.

Variable length header

[manu0601]

In the case of HTTP, I wonder if causing an ever changing header to be sent could help. For instance change a cookie on each exchange, with random length.

In the case of POP, IMAP or SMTP, we are screwed, though.

Re:Variable length header

Counterintuitively, adding random padding does very little to defend against this kind of attack. The right fix is to ensure a fixed length (e.g. maybe whenever submitting a password field, the browser should include dummy data such that the total length is 64 characters long or something like that). The reason is that you can treat the length as a random variable and the random padding just adds some noise of a known distribution. You would end up with a distribution over possible password lengths, but given multiple requests you could even reduce that significantly.

https bicycle attack

[PopeRatzo]

I think this is taking the Internet of Things too far.

Re:https bicycle attack

[Bite+The+Pillow]

We should have stopped after the unicycle attack. That was taking the IoT one far.

Should have been more than enough warning.

here i was

thinking that this internet of things fad was out of control, but alas, it's just the name of the attack.
What a terrible choice of summary.

Screw bicycles

I hate those guys! They never stop at stop signs, always blow straight through the middle of intersections, and do their damndest to cut off anyone turning a corner. The worst part is when they cause an accident and play the victim because they can't be arsed to follow the laws when riding a 50 pound piece of aluminum among tons of steel.

Now I find out that they're going after my car's electronics and retroactively causing traffic problems! Fuck bicycles!

Hash those pedals

[WorBlux]

Client side hashing as a preventative measure?

Re:Hash those pedals

[stoborrobots]

Not particularly - then the hash becomes the new password. You'd need a client side hash with a nonce, and even then, the server needs a way to be able to validate the client-generated hash without storing the password in plaintext.

Re:Hash those pedals

Here we only want the length to change. Just add some random length, spurious value in the post. Server can dump this value as it is meaningless padding.

Or you know, use a block.

Re:Hash those pedals

[PlusFiveTroll]

Not a random length. You want a fixed total length. Say your longest possible password is 64 characters. You want to pad out every password to 96 characters, so if the users password is only 6 characters long an additional 90 random characters are padded. That way no statistical attacks can be performed.

Re:Fuck

Thanks, that site was hilariously paranoid drivel.

Major, sort of

[StikyPad]

Knowing the length of a password cuts the keyspace in half -- assuming that one starts a brute-force search from shortest to longest -- because you can skip 2^(n-1) keys. That's huge, but if your passphrase is long enough, then that's still just the difference between the several times the heat-death of the universe and a couple of times the heat-death of the universe.

But even if that's an appreciable difference, this is still only useful for targeted attacks, and in those cases, there are better vulnerabilities to exploit from a cost/benefit perspective. This is especially true for state actors who can drop six figures for zero-days the way one might decide to purchase a stick of gum at the checkout line.

Re:Major, sort of

password1, problem solved!!!

What The Hell Is Wrong With You People!?!

There are 57 comments as I post this and not one Bicycle Repairman reference?

Man. Slashdot has really gone downhill.

Why bicycle

From TFA:

The name TLS Bicycle Attack was chosen because of the conceptual similarity between how encryption
hides content and gift wrapping hides physical objects. My attack relies heavily on the property of
stream-based ciphers in TLS that the size of TLS application data payloads is directly known to the
attacker and this inadvertently reveals information about the plaintext size; similar to how a draped or
gift-wrapped bicycle is still identifiable as a bicycle, because cloaking it like that retains the underlying
shape. The reason that I've named this attack at all is only to make referring to it easier for everyone

Re:Why bicycle

[dotancohen]

...similar to how a draped or gift-wrapped bicycle is still identifiable as a bicycle, because cloaking it like that retains the underlying shape.

So then why wasn't it called the vacuum cleaner attack?
http://images-cdn.9gag.com/pho...

This is why we don't need back doors

[Midnight+Thunder]

With politicians want to push for back doors, this illustrates why we don't need them. Normal encryption has its weaknesses, flaws and limitations, which a well resourced 'intelligence' agency can take advantage of. Add the back doors and you have just expanded on the weaknesses, flaws and limitations, that would drive people to another form of encryption.

no need for that. ~ subtract the last request

[raymorris]

Suppose an attacker is targeting a log in page. To load the page, your browser makes several http requests - the html page itself, a css file, a JavaScript file or two, some images that are on the page, etc. The cookie, user-agent etc are the same for all of these requests. Therefore the attacker already knows all they need to about the length of all your headers wven before you submit the login form.

By trying it themselves ahead of time, the attacker knows that a login with an 8-character password will be the SAME size as the GET request for login.php. The exact size is irrelevant, it's the relative size that matters.

Perfect Forward Secrecy?

[DriveDog]

Seems to me there's no such thing. Everything may be logged. Soviet Venona messages were eventually cracked due to one-time pads not being used only one time, but that wouldn't have happened without the traffic having been logged and kept for years. If quantum computers are created that can crack encryption we've used up until now, there's not much hope for anything used up to the present except true one-time pads. Perfect forward secrecy is when everybody who saw the message has died.

Re:Perfect Forward Secrecy?

[JesseMcDonald]

I think you're reading too much into the name. PFS doesn't guarantee that the message will remain secret forever, or even that the encryption can't be broken by brute force at some point in the future. It just means that the encryption key is ephemeral: it's generated using e.g. Diffie-Hellman, which allows two or more nodes to arrive at a secure shared secret despite the presence of eavesdroppers, and it's discarded by both sides after the communication is complete.

The alternative is encrypting the traffic with a persistent shared secret or private key, which opens up the possibility that someone who records the cyphertext may be able to recover the key later from one of the parties and use it to decrypt the previously captured data. With PFS, once the session is over neither party retains enough information to decrypt it (short of brute force).