Slashdot Mirror

← Back to Stories (view on slashdot.org)

New HTTPS Bicycle Attack Reveals Details About Passwords From Encrypted Traffic (softpedia.com)

Posted by samzenpus on from the protect-ya-neck dept.

campuscodi writes: Dutch security researcher Guido Vranken has published a paper [PDF] in which he details a new attack on TLS/SSL-encrypted traffic, one that can potentially allow attackers to extract some information from HTTPS data streams. Attackers could extract the length of a password from TLS packets, and then use this information to simplify brute-force attacks. The new HTTPS Bicycle Attack can also be used retroactively on HTTPS traffic logged several years ago. Hello NSA!

45 of 78 comments (clear)

  1. We need to ban them immediately by Anonymous Coward · · Score: 1

    Everyone knows only terrorists use bicycles. Good citizens should stick to unicycles.

    1. Re:We need to ban them immediately by U2xhc2hkb3QgU3Vja3M · · Score: 1

      No, good citizens will buy a Chevrolet Volt.

    2. Re: We need to ban them immediately by Zoxed · · Score: 3, Funny

      > Good citizens should stick to unicycles.

      You have nothing to lose but your chains.

    3. Re:We need to ban them immediately by kyrsjo · · Score: 1

      Best regards,
      The Kingdom of Saudi Arabia

    4. Re: We need to ban them immediately by Varka · · Score: 1

      Uh, no. You can keep your Citation.

  2. How useful really is password length? by Sowelu · · Score: 4, Insightful

    Seems to me that if you wanted to brute force something, you'd start with the minimum size allowed and go up from there. If there's 50 different characters allowed for any letter of a password, then testing all possible 7-length passwords takes 1/50th the time as testing all possible 8-length passwords, and so on. Negligible.

    I guess it could be useful to know whether or not a given password IS brute forceable, though, and give you a rough ETA. An attacker could say "huh, this guy only has a 6 letter password, we can grab that in a minute", or "this guy has a length 20 password, we have no chance".

    1. Re:How useful really is password length? by JustAnotherOldGuy · · Score: 1

      Seems to me that if you wanted to brute force something, you'd start with the minimum size allowed and go up from there.

      Exactly.

      I think this attack is probably going to be minimally useful at best, and even then only for very short, stupid passwords.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    2. Re:How useful really is password length? by Anonymous Coward · · Score: 2, Insightful

      If you're targeting an individual user, you can look at their password lengths across multiple sites (to attack them where they're weakest, for example)

      If you're targeting one *site*, you can look at the password lengths across all the users and attack the users (or subset of users, like admins or influential users) with the shortest passwords.

    3. Re: How useful really is password length? by Threni · · Score: 1

      Eh? If you know the password is 13 chars why would you bother guessing shorter passwords?

    4. Re:How useful really is password length? by mspohr · · Score: 2

      "I think this attack is probably going to be minimally useful at best, and even then only for very short, stupid passwords."

      ... which are already susceptible to simple brute force attacks.

      --
      I don't read your sig. Why are you reading mine?
    5. Re:How useful really is password length? by antifoidulus · · Score: 2

      You could also use the information to try to phish the users. "We noticed that your password is only x characters long, in order to increase security we are requiring passwords of at least x+y characters long, please click this link to reset your password"

      --
      Monstar L
    6. Re:How useful really is password length? by Anonymous Coward · · Score: 1

      Every bit of information is helpful to an attacker. Ill bet the person trying to gain access to your accounts has a lot more information on you than you think. All in hopes to get what they want.

    7. Re: How useful really is password length? by 89cents · · Score: 1

      True, but this will save you very little. Think of all possible 12 character passwords as a 13 character password with a null character for the last character. If you have a character set of 80 characters, this will only save you 1/80th of the total possible password combinations.

    8. Re:How useful really is password length? by viperidaenz · · Score: 1

      Why not just phish users using a fixed value for x?
      Put some spelling and grammar errors in the email too, that usually weeds out people smart enough not to fall for it. They just end up wasting your time.

    9. Re:How useful really is password length? by santiago · · Score: 1

      You could also use the information to try to phish the users. "We noticed that your password is only x characters long, in order to increase security we are requiring passwords of at least x+y characters long, please click this link to reset your password"

      I'm pretty sure any user this would work on would be equally susceptible to the same email with a universal value of 6, 7, or 8 for everyone.

    10. Re:How useful really is password length? by maugle · · Score: 2

      It is still a very useful tool, though. As the GP pointed out, it allows for more effective use of computing resources by knowing in advance which passwords can and can not be feasibly cracked, and applying brute force attacks at only the crackable ones.

    11. Re: How useful really is password length? by Bengie · · Score: 2

      With a semi-decent password, knowing the length would still take Universe ages. When it comes to bruteforcing, knowing the length doesn't save much time. Every character added to the password length increases the number of combinations by the magnitude of the alphabet size. Assuming you're using a full 92 char alphabet, lets assume 100 chars, a 12 char password is 100 larger space than 11 chars, and 10,000 larger than 10 chars, and 1,000,000 times larger than 9. Another way to write this. Assume 12 chars is "1". If you knew the password to be 12 chars, then the work would be 1. If you didn't know it was 12 chars and had to go through all of the smaller passwords, then it'll be 1 + 1/100 + 1/10000 + 1/1000000 + etc. As you can see, iterating through the smaller password sizes adds virtually no extra time.

      The main benefits you gain is if you know the person uses certain words, you could limit the word combinations, or you could decide to skip breaking the password because it's too hard.

    12. Re:How useful really is password length? by JoeMerchant · · Score: 1

      Mostly, it's a useful lesson to future protocol designs - next iteration should protect against this by sending some standard length block (SHA3?) of the password so that all information about it is obscured.

    13. Re:How useful really is password length? by NotQuiteReal · · Score: 1

      very short, stupid passwords

      OK, everyone - time to update your passwords - "54321" is 4.400243 times better than "12345"

      --
      This issue is a bit more complicated than you think.
    14. Re:How useful really is password length? by gweihir · · Score: 1

      Indeed. Length information can only tell you when to stop, because you have missed the password (e.g. because you did not use the full char-set on some assumption of language used) and how much effort is expected. The effort for shorter passwords is negligible. Takes some actual Math skills for seeing that (not very advanced ones though), and these seem to be in very short supply these days. Civilization is really devolving, with people knowing and understanding less and less.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    15. Re:How useful really is password length? by Rob+Y. · · Score: 1

      I would have hoped that security products that send encrypted passwords would insert random junk to randomize the length of the message containing the password. Since the password is in a predictable place in the data stream, it would make sense to garble it as much as possible, no?

      --
      Posted from my Android phone. Oh, I can change this? There, that's better...
    16. Re:How useful really is password length? by gweihir · · Score: 1

      That is not brute-forcing. Incidentally, how do you arrive at 256 values per character? If it is characters you find on a keyboard, they will be far less. If it is Unicode, they may be far, far more. They will never be 256 in practice, unless it is a binary key, not a password. I will not even comment on you amateur-level analysis of the search space. Well, what can one expect from the typical big-ego-small-skill AC.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  3. Only valid for stream ciphers. by guruevi · · Score: 3, Insightful

    Not sure how he would get the results with block ciphers but the paper only describes stream ciphers. That's the reason we don't use stream ciphers for HTTPS but rather block ciphers. Stream ciphers should simply never be used where keys repeat.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
    1. Re:Only valid for stream ciphers. by devman · · Score: 2

      AES-GCM is derived from CTR mode. CTR mode turns a block cipher in to a keystream generator (thus a stream cipher). I haven't fully read the paper though, so I don't know whether this attack applies to block cipher used as stream ciphers.

    2. Re:Only valid for stream ciphers. by guruevi · · Score: 2

      But the predictable stream length attack has been known about since the introduction of stream ciphers. That's why you don't use stream ciphers (or shouldn't at least) to secure predictable content like chunks of websites. You use block ciphers that ALWAYS has the same block size regardless of it's contents.

      AES-GCM seems to be fast-tracked by US governmental agencies with at least one someone trying to (inadvertently?) sneak in an exploit in the OpenSSL implementation. Don't trust new ciphers too quickly, if it's too good to be true...

      --
      Custom electronics and digital signage for your business: www.evcircuits.com
  4. Search sites by AHuxley · · Score: 1

    How secure are the more modern search sites with perfect forward secrecy and proxy services? Thanks.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:Search sites by Anonymous Coward · · Score: 1

      Most ciphers used now (other than Salsa20) are block ciphers, not stream ciphers. Therefore they work in blocks, and are padded to fit said block size. This means that there is less information available to mount an attack like this to get exact size, but you would still be able to tell it is between two values. The only real solution is for HTML forms to have a standard padding scheme so that way logins are all the same size.

  5. Serious vulnerabilities by WaffleMonster · · Score: 1

    It's a good thing Guido discovered the need for padding when riding bicycles because you could fall and hurt your head.

  6. Not the end of the world by viperidaenz · · Score: 1

    The attacker needs to know the exact length of all the other data. That means they need all the cookie data being sent, etc.

    1. Re:Not the end of the world by Martin+Blank · · Score: 1

      Some of this is highly predictable. A given application could use only a single cookie, and that cookie could always be of exactly the same length. There might be some variation in the headers such as Content-Length, but for password submissions, this is unlikely to vary by more than a character or two. Predictability could be extremely high.

      Some protocols are even more predictable.

      --
      You can never go home again... but I guess you can shop there.
    2. Re:Not the end of the world by viperidaenz · · Score: 1

      So easy way to thwart it: Google Analytics, with its __utma and __utmb etc cookies that end up with every request to your domain.
      There's also the User-Agent header that varies depending on the user.
      There may be an If-Modified-Since header, an ETag header (although probably not on a POST request)
      Accept, Accept-Encoding, Accept-Language, cache-control, origin, Referer, Connection. Those are all headers my browser is sending to slashdot.

      It's even difficult figuring out what the URL in the request is, since that's also encrypted in the TLS data. All you can probably do is pick the next HTTPS request after a non-HTTPS request, assuming the login page is not sent over HTTPS and the form submission is.

    3. Re:Not the end of the world by PlusFiveTroll · · Score: 1

      That's for a random MITM attack. If the attacker controlled the non-https page that sent you to the https page he wanted information from almost all of that is predictable.

    4. Re:Not the end of the world by Martin+Blank · · Score: 1

      Given that almost all HTTPS sites are mapped 1:1 domain:IP address, it's not that hard to figure out what site it's connecting to. That brings some level of predictability, especially if one already has access to the site via another account, or it uses an established framework.

      Watching unencrypted traffic from your browser is going to hand over some of that information. It's not necessarily that one can simply look at a payload length and quickly determine the password length, but that by using various known factors, a fairly educated guess can be made. That at least starts narrowing down the possibilities.

      --
      You can never go home again... but I guess you can shop there.
  7. Variable length header by manu0601 · · Score: 1

    In the case of HTTP, I wonder if causing an ever changing header to be sent could help. For instance change a cookie on each exchange, with random length.

    In the case of POP, IMAP or SMTP, we are screwed, though.

  8. https bicycle attack by PopeRatzo · · Score: 4, Funny

    I think this is taking the Internet of Things too far.

    --
    You are welcome on my lawn.
    1. Re:https bicycle attack by Bite+The+Pillow · · Score: 1

      We should have stopped after the unicycle attack. That was taking the IoT one far.

      Should have been more than enough warning.

  9. Hash those pedals by WorBlux · · Score: 1

    Client side hashing as a preventative measure?

    1. Re:Hash those pedals by PlusFiveTroll · · Score: 1

      Not a random length. You want a fixed total length. Say your longest possible password is 64 characters. You want to pad out every password to 96 characters, so if the users password is only 6 characters long an additional 90 random characters are padded. That way no statistical attacks can be performed.

  10. Major, sort of by StikyPad · · Score: 1

    Knowing the length of a password cuts the keyspace in half -- assuming that one starts a brute-force search from shortest to longest -- because you can skip 2^(n-1) keys. That's huge, but if your passphrase is long enough, then that's still just the difference between the several times the heat-death of the universe and a couple of times the heat-death of the universe.

    But even if that's an appreciable difference, this is still only useful for targeted attacks, and in those cases, there are better vulnerabilities to exploit from a cost/benefit perspective. This is especially true for state actors who can drop six figures for zero-days the way one might decide to purchase a stick of gum at the checkout line.

    --
    https://www.eff.org/https-everywhere
  11. Why bicycle by Anonymous Coward · · Score: 1

    From TFA:

    The name TLS Bicycle Attack was chosen because of the conceptual similarity between how encryption
    hides content and gift wrapping hides physical objects. My attack relies heavily on the property of
    stream-based ciphers in TLS that the size of TLS application data payloads is directly known to the
    attacker and this inadvertently reveals information about the plaintext size; similar to how a draped or
    gift-wrapped bicycle is still identifiable as a bicycle, because cloaking it like that retains the underlying
    shape. The reason that I've named this attack at all is only to make referring to it easier for everyone

    1. Re:Why bicycle by dotancohen · · Score: 1

      ...similar to how a draped or gift-wrapped bicycle is still identifiable as a bicycle, because cloaking it like that retains the underlying shape.

      So then why wasn't it called the vacuum cleaner attack?
      http://images-cdn.9gag.com/pho...

      --
      It is dangerous to be right when the government is wrong.
  12. This is why we don't need back doors by Midnight+Thunder · · Score: 1

    With politicians want to push for back doors, this illustrates why we don't need them. Normal encryption has its weaknesses, flaws and limitations, which a well resourced 'intelligence' agency can take advantage of. Add the back doors and you have just expanded on the weaknesses, flaws and limitations, that would drive people to another form of encryption.

    --
    Jumpstart the tartan drive.
  13. no need for that. ~ subtract the last request by raymorris · · Score: 1

    Suppose an attacker is targeting a log in page. To load the page, your browser makes several http requests - the html page itself, a css file, a JavaScript file or two, some images that are on the page, etc. The cookie, user-agent etc are the same for all of these requests. Therefore the attacker already knows all they need to about the length of all your headers wven before you submit the login form.

    By trying it themselves ahead of time, the attacker knows that a login with an 8-character password will be the SAME size as the GET request for login.php. The exact size is irrelevant, it's the relative size that matters.

  14. Perfect Forward Secrecy? by DriveDog · · Score: 1

    Seems to me there's no such thing. Everything may be logged. Soviet Venona messages were eventually cracked due to one-time pads not being used only one time, but that wouldn't have happened without the traffic having been logged and kept for years. If quantum computers are created that can crack encryption we've used up until now, there's not much hope for anything used up to the present except true one-time pads. Perfect forward secrecy is when everybody who saw the message has died.

    1. Re:Perfect Forward Secrecy? by JesseMcDonald · · Score: 1

      I think you're reading too much into the name. PFS doesn't guarantee that the message will remain secret forever, or even that the encryption can't be broken by brute force at some point in the future. It just means that the encryption key is ephemeral: it's generated using e.g. Diffie-Hellman, which allows two or more nodes to arrive at a secure shared secret despite the presence of eavesdroppers, and it's discarded by both sides after the communication is complete.

      The alternative is encrypting the traffic with a persistent shared secret or private key, which opens up the possibility that someone who records the cyphertext may be able to recover the key later from one of the parties and use it to decrypt the previously captured data. With PFS, once the session is over neither party retains enough information to decrypt it (short of brute force).

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat