Network Working Group B. Kihara Internet-Draft K. Shimizu Intended status: BCP Lepidum Co. Ltd. Expires: April 25, 2013 October 22, 2012 Considerations for Protocols with Compression over TLS draft-kihara-compression-considered-harmful-01 Abstract Transport Layer Security is essential to secret communications in the Internet, and protecting TLS is our fundamental task. This document describes a threat to TLS when compression is used and proposes possible mitigations of the threat. Status of this Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on April 25, 2013. Copyright Notice Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Kihara & Shimizu Expires April 25, 2013 [Page 1] Internet-Draft Compression Considered Harmful October 2012 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Conditions of Attacks . . . . . . . . . . . . . . . . . . . . . 3 3. Application to Existing Protocols . . . . . . . . . . . . . . . 3 3.1. Attacks on HTTP . . . . . . . . . . . . . . . . . . . . . . 3 3.2. More Applications . . . . . . . . . . . . . . . . . . . . . 4 4. Possible Mitigations . . . . . . . . . . . . . . . . . . . . . 4 4.1. Abandon of Compression . . . . . . . . . . . . . . . . . . 4 4.2. Compressing Non-Sensitive Data Only . . . . . . . . . . . . 4 4.3. Using Static Dictionary for Compression . . . . . . . . . . 4 4.4. Inserting Random Paddings . . . . . . . . . . . . . . . . . 4 4.5. Detecting and Blocking Attacks . . . . . . . . . . . . . . 5 4.6. More Mitigations . . . . . . . . . . . . . . . . . . . . . 5 5. Security Considerations . . . . . . . . . . . . . . . . . . . . 5 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 5 7. Informative References . . . . . . . . . . . . . . . . . . . . 5 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 6 Kihara & Shimizu Expires April 25, 2013 [Page 2] Internet-Draft Compression Considered Harmful October 2012 1. Introduction Transport Layer Security [RFC5246] is, needless to say, essential to contemporary customs in the Internet like secret communications on the web. Names, passwords, telephone numbers, credit card numbers, messages, session ids, and any other secrets are transported on TLS. Therefore, protecting TLS and underlying Public Key Infrastructure is our fundamental task. Unfortunately, TLS and PKI are not infallible, and sometimes vulnerable to new attack vectors. This document describes conditions for the CRIME attack [CRIME] which utilizes differences of compression rates to guess secret information from outside the encrypted transports and proposes possible mitigations of the threat that should be considered when someone designs protocols with compression. 2. Conditions of Attacks "Commonly-used lossless compression algorithms leak information about the data being compressed, in the size of the compressor output." [IACR-fse-2002-3091] In other words, by nature compressing data has the risk of information leakage. Usually information from the size of compressed data is not enough to guess the secret easily; however, under some conditions the attack becomes much easier. Observing encrypted data itself is not so useful. Though, if the attacker can inject string into the compression context where the secret is compressed, the attacker would be able to know whether the injected string matches the secret or not. In addition, difference of the size of the compressed data in multiple tries will help the attacker to perform brute-force attacks. [[[More precise conditions are needed. For example, initalizing compression contexts on each try will be a great help.]]] [[[Note that ANY KIND OF COMPRESSION WILL REVEAL SECRETS REGARDLESS OF THE LAYER OF COMPRESSION, including TLS compression, SPDY, and HTTP gzip.]]] 3. Application to Existing Protocols 3.1. Attacks on HTTP The original CRIME is targeted at HTTP [RFC2616]. Web browsers tend to make requests according to malicious scripts, sending secret strings automatically together with injected strings by the scripts. To make matters worse, TLS compression [RFC3749] and SPDY [I-D.mbelshe-httpbis-spdy] had been compressing all data in the same Kihara & Shimizu Expires April 25, 2013 [Page 3] Internet-Draft Compression Considered Harmful October 2012 context. Therefore, stealing session cookies by the CRIME attack was very easy. As a workaround, some web browsers disabled TLS compression and SPDY compression partially so that session cookies and bearer-token-type Authorization tokens cannot be stolen. However, compression of HTTP entities is still available and it is possible to guess some protions of HTTP entities if servers return injected strings in HTTP entities. 3.2. More Applications [[[More applications are needed? Currently we have not found such applications.]]] 4. Possible Mitigations 4.1. Abandon of Compression In principle, abandon of compression completely solves the problem of information leakage by compression. It is RECOMMENDED to disable compression when communications are not trivial, unless traffic increase is considerable. If data are confidentital and other mitigations are inapplicable, all kinds of compression MUST be disabled. 4.2. Compressing Non-Sensitive Data Only The problem that this document describes is information leakage by compression. However, if transferred data are not sensitive, we do not have to take care of the problem. Therefore compressing non- sensitive data will save bandwidth without exposing sensitive data. Note that dynamically-generated contents can contain sensitive data and SHOULD NOT be compressed. 4.3. Using Static Dictionary for Compression The CRIME attack utilizes differences of compression rate to estimate that the candidate string matches the sensitive data or not. In order to prevent such attacks, using static dictionary will be effective, especially when compressing patterned contents like HTTP headers. 4.4. Inserting Random Paddings If it is unavoidable to compress whole data in the same context, inserting random paddings will be available to prevent disclosure of the original size of compressed data. Note that this mitigation cannot prevent attackers from guessing secrets by statistical Kihara & Shimizu Expires April 25, 2013 [Page 4] Internet-Draft Compression Considered Harmful October 2012 approaches. [[[Requirements of padding (ranges of length, randomness, and so on) and quantitative evaluations are needed.]]] 4.5. Detecting and Blocking Attacks To achieve attacks on compression, attackers have to make multiple traffics in order to observe differences of compresion rate. Therefore, detecting too frequent requests and blocking such requests will mitigate attacks. Note that this mitigation cannot prevent attacks completely and SHOULD be used with other mitigations. 4.6. More Mitigations [[[There should be more mitigations.]]] 5. Security Considerations This document focuses on security. 6. IANA Considerations This document does not require actions by IANA. 7. Informative References [CRIME] Rizzo, J. and T. Duong, "The CRIME Attack", , . [I-D.mbelshe-httpbis-spdy] Belshe, M. and R. Peon, "SPDY Protocol", draft-mbelshe-httpbis-spdy-00 (work in progress), February 2012. [IACR-fse-2002-3091] Kelsey, J., "Compression and Information Leakage of Plaintext", IACR fse-2002-3091, . [RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999. Kihara & Shimizu Expires April 25, 2013 [Page 5] Internet-Draft Compression Considered Harmful October 2012 [RFC3749] Hollenbeck, S., "Transport Layer Security Protocol Compression Methods", RFC 3749, May 2004. [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, August 2008. Authors' Addresses Boku Kihara Lepidum Co. Ltd. #602, Village Sasazuka 3 1-30-3 Sasazuka Shibuya-ku, Tokyo JP Email: kihara@lepidum.co.jp Kazuki Shimizu Lepidum Co. Ltd. Kihara & Shimizu Expires April 25, 2013 [Page 6]