Exploiting TLS to disrupt privacy of traffic in web-application
Sandipan Biswas
MT12018
Advisors: Dr. Somitra Sanadhya & Dr. Donghoon Chang
Thesis committee
• Dr. Somitra Sanadhya, IIIT Delhi (Chair)
• Dr. Shweta Agrawal, IIT Delhi (External Examiner)
• Dr. Debajyoti Bera, IIIT Delhi (Internal Examiner)
Agenda
• Motivation
• Previous Work
  • Chen et al. mitigation
  • Liu et al. mitigation
  • Example of k-indistinguishability
• Our Contribution
  • Effect of padding in TLS on k-indistinguishability
  • Effect of padding in WPA2 on k-indistinguishability
• Further Work
• Mitigation
• Conclusion
• References
Web-based Application
[Figure: Client ⇄ Internet ⇄ Server, carrying encrypted traffic]
• Advantages:
  • Less client-side resources
  • Easier to deliver and maintain
• Characteristics:
  • Low entropy inputs
  • Rich & diverse resource objects
  • Stateful communications
Side channel attacks
• Side channel attacks on web applications have been studied based on observable attributes of traffic
  • Attributes include packet sizes, timing of packets, etc.
  • Encryption is there to maintain confidentiality, but the sizes of packets are still visible to an eavesdropper
  • To hide sizes, padding is an option!
  • But how should it be done?
Example (cont.) – Search Engine
• S value for each character entered:

  a 509 | b 504 | c 502 | d 516 | e 499 | f 504 | g 502
  h 509 | i 492 | j 517 | k 499 | l 501 | m 503 | n 488
  o 509 | p 525 | q 494 | r 498 | s 488 | t 494
  u 503 | v 522 | w 516 | x 491 | y 502 | z 501

• First keystroke (rows, with its S value) and second keystroke (columns):

  First keystroke (S) | 2nd = a | 2nd = b | 2nd = c | 2nd = d
  a (509)             | 487     | 493     | 501     | 497
  b (504)             | 516     | 488     | 482     | 481
  c (502)             | 501     | 488     | 473     | 477
  d (516)             | 543     | 478     | 509     | 499

  Unique S value: 12 out of 16 | 16 out of 16

• In reality, it may take more than two keystrokes to uniquely identify an input string.
• Leaks out users' private information: the input string
Two Conflicting Goals
• To prevent such side-channel attacks, we face two seemingly conflicting goals:
  • Privacy protection: remove the difference of packet sizes
  • Cost: minimize the cost or overhead (padding, processing, ...)
  • Trade-off: between the two objectives
Chen et al. (IEEE S&P 2010)
• Authors tried mitigation with padding approaches:
  • random padding: pad x bytes, where x is drawn at random from a bounded range
  • round padding: pad to the next multiple of a fixed size
• Inferred that such an application-agnostic approach is not feasible
Liu et al. (PETS 2012)
• Introduced k-indistinguishability
• Grouped packets into groups of size at least k
• Reduced padding cost while achieving privacy
• All packets corresponding to the same group have the same size
• Formal model for quantifying the amount of privacy protection provided by traffic padding solutions.
Padding Options
PPTP: padding group

  S value | Padding Option 1 | Padding Option 2 | (Prefix) | char
  473     | 477              | 478              | (c)      | c
  477     | 477              | 478              | (c)      | d
  478     | 499              | 478              | (d)      | b
  499     | 499              | 509              | (d)      | d
  501     | 509              | 509              | (c)      | a
  509     | 509              | 509              | (d)      | c
PPTP Components - Interaction
• Interaction:
  • action a: an atomic user input that triggers traffic (a keystroke, a mouse click, ...)
  • action-sequence a: a sequence of actions with a known relationship (consecutive keystrokes, a series of mouse clicks)
  • action-set Ai: the collection of all ith actions in a set of action-sequences

  User Input | Observed Directional Packet Sizes
  a          | 801→, ←54, ←509, 60→
  00         | 812→, ←54, ←505, 60→, 813→, ←54, ←507, 60→

• Example 1:
  • Three actions: a1 = input 'a', a2 = input first '0', a3 = input second '0'
  • Two action-sequences: a1 = (a), a2 = (0, 0)
  • Two action-sets: A1 = {a, 0} (0 as first keystroke), A2 = {0} (0 as second keystroke)
Ref: Liu et al. slides
PPTP Components - Observation

  User Input | Observed Directional Packet Sizes
  a          | 801→, ←54, ←509, 60→
  00         | 812→, ←54, ←505, 60→, 813→, ←54, ←507, 60→

• Observation:
  • flow-vector v: a sequence of flows (flow: a directional packet size); corresponds to an action
  • vector-sequence v: a sequence of flow-vectors; corresponds to an equal-length action-sequence
  • vector-set Vi: the collection of all ith flow-vectors in a set of vector-sequences; corresponds to an action-set
• Example 2:
  • Three flow-vectors: v1 = (509), v2 = (505), v3 = (507)
  • Two vector-sequences: v1 = (v1), v2 = (v2, v3)
  • Two vector-sets: V1 = {(509), (505)}, V2 = {(507)}
Ref: Liu et al. slides
Privacy and Cost

  Flow-Vector v (Flow s) | Action a
  s1                     | a1
  s2                     | a2
  …                      | …
  sn                     | an
  (Quasi-ID)             | (Sensitive Attribute)

• k-indistinguishability: given a vector-action set VA
  • Padding group: any S ⊆ VA such that all the pairs in S have identical flow-vectors and no S' ⊃ S satisfies this property
  • We say VA satisfies k-indistinguishability (k an integer) if the cardinality of every padding group is no less than k
• SVSD case (Single-Vector Single-Dimension):
  • Every action-sequence and flow-vector is of length one.
  • Assume: all actions are independent and each action triggers only a single packet used to identify the action.
• Goal of privacy protection: upon observing any flow-vector in the traffic, the eavesdropper cannot determine which action in the table (vector-action set) has triggered this flow-vector.
Ref: Liu et al. slides
Ceiling Padding (cont.)
• Generalization: grouping and breaking.
• Unique aspect: padding can only increase packet size; it cannot decrease it or replace it with a range of values.
• Dominant-vector: given a vector-set V, the dominant-vector is the flow-vector in which every flow is no smaller than the corresponding flow of any vector in V.
• Ceiling padding: given a vector-set V, a ceiling-padded group in V is a padding group in which each flow-vector is padded to the dominant-vector. V is ceiling-padded if all its padding groups are ceiling-padded.
• Ceiling padding in short: partition a vector-action set into padding groups, and then pad the flow-vectors to the dominant value to render them indistinguishable.
Ref: Liu et al. slides
Example on k-indistinguishability
• Assume 4 action-sequences: a1 = {a, b}, a2 = {b, c}, a3 = {c, a}, a4 = {a, d}
• Note that a1 and a4 have the same prefix for the second keystroke. The prefix is "a".
• The corresponding vector-sequences are: v1 = {509, 487}, v2 = {504, 482}, v3 = {502, 501}, v4 = {509, 497}
• Vector-sets can be formed as V1 = {509, 504, 502, 509}, V2 = {487, 482, 501, 497}.
• Similarly, action-sets: A1 = {a, b, c, a}, A2 = {b, c, a, d}.
• Vector-action sets: VA1 = {V1, A1}, VA2 = {V2, A2}:
  • VA1 = {(a, 509), (b, 504), (c, 502), (a, 509)}
  • VA2 = {(b, 487), (c, 482), (a, 501), (d, 497)}
Example Continued

  Action | Original Packet Size
  a      | 509
  b      | 511
  c      | 508

  Action | Original Packet Size | Prefix
  b      | 487                  | a
  c      | 482                  | b
  a      | 501                  | c
  d      | 497                  | a

After grouping, simple SVSD on the 1st table: SVA1 = {(c, 508), (b, 511), (a, 509)}, PVA1 = {(c, 511), (b, 511), (a, 511)} [after padding].
After SVMD and padding: SVA2 = {(c, 482), (b, 487), (d, 497), (a, 501)}, PVA2 = {(c, 501), (a, 501), (b, 501), (d, 501)}.
Note: a vector-action set should be partitioned such that the prefixes of the entries in one padding group lie in the same padding group of the previous vector-action set.
For the same input string, the two flows corresponding to {a, b} and {a, d} are {511, 501} and {511, 501} respectively.
Thus it maintains 3-indistinguishability.
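The following is an added example (not code from the thesis or from Liu et al.) that carries the SVSD ceiling-padding definitions above through on the two tables of this slide: it partitions a vector-action set into padding groups of cardinality at least k, pads each group to its dominant value, computes the padding cost, checks k-indistinguishability, and checks the prefix rule stated in the note. It assumes the simplest partition (sort by size, cut into consecutive groups of k, last group absorbs the remainder); the cost-minimal partition searched for by Liu et al. is not attempted here.

```python
"""Ceiling padding for the SVSD case of k-indistinguishability (added example)."""
from collections import defaultdict


def ceiling_pad(vector_action_set, k):
    """vector_action_set: list of (action, flow_size) pairs, one flow per action (SVSD).
    Returns a list of (action, original_size, padded_size), one entry per input pair.
    Assumption: consecutive groups of size k in sorted order; the last group takes the rest."""
    if k < 1:
        raise ValueError("k must be a positive integer")
    n = len(vector_action_set)
    if n < k:
        raise ValueError("fewer than k actions: k-indistinguishability is unattainable")
    ordered = sorted(vector_action_set, key=lambda pair: pair[1])
    num_groups = n // k                      # every group keeps at least k members
    result = []
    for g in range(num_groups):
        start = g * k
        end = n if g == num_groups - 1 else start + k
        group = ordered[start:end]
        dominant = max(size for _, size in group)   # dominant value of the group
        result.extend((action, size, dominant) for action, size in group)
    return result


def padding_groups(padded):
    """Padding groups: maximal sets of entries whose (padded) flow sizes are identical."""
    groups = defaultdict(list)
    for action, _, padded_size in padded:
        groups[padded_size].append(action)
    return dict(groups)


def is_k_indistinguishable(padded, k):
    """True iff the cardinality of every padding group is no less than k."""
    return all(len(members) >= k for members in padding_groups(padded).values())


def padding_cost(padded):
    """Total padding overhead (bytes added across the whole set)."""
    return sum(padded_size - size for _, size, padded_size in padded)


def respects_prefix_groups(prev_padded, curr_padded, prefix_of):
    """The slide's note: entries sharing a padding group must have prefixes that
    fall in one padding group of the previous vector-action set."""
    prev_group = {action: padded_size for action, _, padded_size in prev_padded}
    for members in padding_groups(curr_padded).values():
        if len({prev_group[prefix_of[action]] for action in members}) > 1:
            return False
    return True


# Constructed from the two tables on this slide (original packet sizes and prefixes).
VA1 = [("a", 509), ("b", 511), ("c", 508)]
VA2 = [("b", 487), ("c", 482), ("a", 501), ("d", 497)]
PREFIX = {"b": "a", "c": "b", "a": "c", "d": "a"}

if __name__ == "__main__":
    for name, va, k in (("VA1", VA1, 3), ("VA2", VA2, 3), ("VA2", VA2, 2)):
        padded = ceiling_pad(va, k)
        print(name, "k =", k, padding_groups(padded), "cost =", padding_cost(padded),
              "k-indistinguishable =", is_k_indistinguishable(padded, k))
    print("prefix rule (k=3 then k=2):",
          respects_prefix_groups(ceiling_pad(VA1, 3), ceiling_pad(VA2, 2), PREFIX))
```

With k = 3 the output reproduces PVA1 (everything padded to 511) and PVA2 (everything padded to 501); with k = 2 on VA2 the cost drops from 37 to 9 bytes while 2-indistinguishability still holds.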
Our Objective
• To break k-indistinguishability of traffic
• Our objective is to infer the input which caused the given packet size
• Note that the packet's contents are encrypted using standard TLS 1.2
Our Assumptions
• We assume k-indistinguishability is already implemented at the server
• All possible vector-action sets are fed to the padding algorithms of Liu et al. (PETS '12)
• The attacker is somehow aware of packet sizes before padding
• We have also assumed that bit-padding (10*) is used
• Padding is done after the MAC is generated (this is valid since TLS follows such a model)
• We assume either counter mode or CBC mode is used for encryption.
Revisiting TLS Record Protocol
[Figure: TLS record processing steps; the record is laid out as Plaintext | MAC | Padding (PAD)]
We consider bit-padding as an option in Step 5.
Earlier attacks on TLS MEE construction
• Padding oracle attack by Vaudenay et al. (Eurocrypt '02)
• Password Interception in a SSL/TLS Channel by Canvel et al. (Crypto '03)
• Tag size does matter: Attacks and proofs for the TLS record protocol by Paterson et al. (ASIACRYPT '11)
• Plaintext-recovery attacks against Datagram TLS by AlFardan et al. (NDSS '12)
• Lucky13: Related chosen ciphertext attack on TLS by AlFardan et al. (IEEE S&P '13)
Our contribution
• In our work we analyze the security and privacy aspects of
  • Encryption modes
  • Padding scheme
  • Order of padding in TLS and WPA2
• We propose a truncation-based chosen ciphertext attack on TLS 1.2
• We exploit the MAC-PAD-Encrypt construction in the TLS record protocol
• We also explore the similar construction in the CCMP protocol in WPA2 as well as in TLS 1.2
When CTR mode is used in TLS
• Let's take an example of 3-indistinguishability
• Possible packets are grouped in groups of 3
• Now if padding is applied to make packets indistinguishable, all packet sizes will be the same
• The attacker's objective is to distinguish between {a, b, c} based on the packet size of the response from the server
• We consider a bit-padding scheme of the form 10*
After Padding
• We assume the MAC tag generated is 32 bytes
• Padding is done using bit-padding
[Figure: plaintext size + MAC, followed by padding]
After Encryption..
• After encryption, packets are sent from client to server
• The attacker can sniff packets.
• The attacker can also modify ciphertexts and send them to the server
• The server responds to the client based on the ciphertext received
• If the ciphertext is wrongly padded or MAC verification fails, etc., the server responds with an error message
How to distinguish packets?
• We propose a bit-truncation-based chosen ciphertext attack
• The attacker chooses the packet having the maximum padding in the group; let its padding size be d
• The attacker can truncate d-1 bits from each packet such that the server generates an error message for the intended packet and none for the others
• Based on the error message sent back to the client, the attacker can guess which input corresponds to this particular packet
Effects of truncation on ciphertext
• Let the i'th packet in the group have size si, and let the attacker truncate it. Also assume s is the maximum size of a packet in the group and d is the padding size of the packet with the most padding.
• The attacker truncates d-1 bits from each of the packets in the group.
• If (s - si - 1) ≥ (d - 1), i.e. the message has more padding than the number of truncated bits, the padding part still contains the 1 at its starting position. The MAC will be valid after padding removal.
• If (s - si - 1) < (d - 1), i.e. the message has less padding than the number of truncated bits, padding will be assumed from the MAC part. This will generate an invalid MAC error.
• The attacker can infer from this error that the packet generating no error is the intended one.
Attack on example..
• For our example, first we can try to identify c.
• To identify c, truncate 3 bits from all packets, including the packet corresponding to c
• Post truncation, the padding part of c is left with a 1 in the LSB
• Hence during padding removal the MAC portion is not corrupted, leading to no error
• However, for the other packets part of the MAC is stripped off during padding removal, leading to an invalid MAC error
When user keystroke is "a"
[Figure: 509 + 32 (MAC) + 3 (PAD); truncate last 3 bits → wrong padding removal → A' (corrupted) MAC → invalid MAC verification]
According to bit-padding, the pad is stripped starting from the LSB until a "1" is encountered.
When user keystroke is "b"
[Figure: 511 + 32 (MAC) + 1 (PAD); truncate last 3 bits → wrong padding removal → B' (corrupted) MAC → invalid MAC verification]
When user keystroke is "c"
[Figure: 508 + 32 (MAC) + 1 (PAD) + 2 bits; truncate last 3 bits (000) → right padding removal → C (non-corrupted) MAC → valid MAC verification]
In case of CBC mode
• Unlike CTR mode, in CBC mode we cannot do bit-based truncation; rather we employ block-based truncation techniques to identify inputs
• The attacker can truncate block-wise from all packets in such a way that packets can be distinguished based on the error generated at the server
• For a group of packets having sizes S = {257, 101, 129}
During decryption in CBC mode
[Figure: block-wise truncation during decryption in CBC mode]
In case of WPA2
• WPA2 is the standard in wireless networks (IEEE 802.11i)
• It provides confidentiality and integrity of packets
• Uses AES-CCMP: Counter Mode + CBC-MAC
• The underlying block cipher is AES
• An authenticated encryption scheme
• AES-CCM is also a recommended cipher-suite in TLS
CCMP protocol in WPA2
[Figure: MSDU → fragmentation → MPDU, MPDU, MPDU → CCMP processing → encrypted MPDU → priority queue → transmission]
MSDU: MAC Service Data Unit
MPDU: MAC Protocol Data Unit
CCMP with padding
[Figure: MAC Header | CCMP Header | Plaintext Data. The authenticated data covers the MAC header, CCMP header and plaintext data; the plaintext is split into blocks, the last block PAD-ded, and CBC-MAC produces the MIC; the plaintext data and MIC are then encrypted in counter mode, giving MAC Header | CCMP Header | Encrypted Data | MIC.]
Problems in CCMP
• Since counter mode is used, no assumption about padding is made
• If padding is done after Message Integrity Code generation, it can lead to a similar privacy breach
• An attacker can carry out a similar chosen ciphertext attack on CCMP too
Mitigations
• If padding were done before the MAC is calculated, it would not have been possible to carry out such an attack
• PAD-MAC-Encrypt is a better option
• Always use authenticated padding
• Even if authenticated padding is not used, add a field for the PAD length in the header and authenticate it along with the other fields. This will prevent unauthorized modification of messages and pad.
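The following added example (not code from the thesis) is a bit-level simulation of the "Effects of truncation" argument and of the first mitigation above, MAC-PAD-Encrypt beside PAD-MAC-Encrypt. It is not TLS: HMAC-SHA256 stands in for the record MAC, a SHA-256 counter keystream stands in for CTR mode, and messages are strings of '0'/'1' bits. Three constructed responses of a 3-indistinguishability group are padded with the 10* scheme to one common length, the same number of trailing ciphertext bits is removed from each, and the receiver's verdict is recorded: under MAC-PAD-Encrypt the verdicts differ between group members, under PAD-MAC-Encrypt they do not.

```python
"""MAC-PAD-Encrypt vs PAD-MAC-Encrypt under ciphertext truncation (added simulation)."""
import hashlib
import hmac

TAG_BITS = 256
KEY = b"constructed demo key"          # shared secret of the simulation only


def bits_of(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def mac(bitstring: str) -> str:
    """Record-MAC stand-in: HMAC-SHA256 over the bit string's ASCII form, as 256 bits."""
    return bits_of(hmac.new(KEY, bitstring.encode(), hashlib.sha256).digest())


def keystream(nbits: int) -> str:
    """CTR-mode stand-in: SHA-256(key || counter) blocks, concatenated and cut to nbits."""
    out, ctr = "", 0
    while len(out) < nbits:
        out += bits_of(hashlib.sha256(KEY + ctr.to_bytes(4, "big")).digest())
        ctr += 1
    return out[:nbits]


def xor_keystream(s: str) -> str:
    """Encrypt or decrypt; a truncated ciphertext decrypts to a truncated plaintext."""
    return "".join("1" if a != b else "0" for a, b in zip(s, keystream(len(s))))


def pad_10star(s: str, target: int) -> str:
    """Bit-padding 10*: a mandatory 1 followed by zeros up to the group's common length."""
    if len(s) >= target:
        raise ValueError("no room for the mandatory 1 bit")
    return s + "1" + "0" * (target - len(s) - 1)


def unpad_10star(s: str) -> str:
    """Strip from the LSB until a 1 is met; the 1 itself is removed as well."""
    one = s.rfind("1")
    if one < 0:
        raise ValueError("bad padding")
    return s[:one]


# MAC-PAD-Encrypt (the order the slides analyse): the padding is not authenticated.
def mac_pad_encrypt(msg: str, target: int) -> str:
    return xor_keystream(pad_10star(msg + mac(msg), target))


def mac_pad_decrypt(ct: str) -> str:
    """Receiver verdict: unauthenticated padding is removed before the tag is checked."""
    try:
        tagged = unpad_10star(xor_keystream(ct))
    except ValueError:
        return "bad padding"
    msg, tag = tagged[:-TAG_BITS], tagged[-TAG_BITS:]
    return "valid" if hmac.compare_digest(tag, mac(msg)) else "bad mac"


# PAD-MAC-Encrypt (the mitigation): the tag covers the padding.
def pad_mac_encrypt(msg: str, target: int) -> str:
    padded = pad_10star(msg, target - TAG_BITS)   # same ciphertext length as above
    return xor_keystream(padded + mac(padded))


def pad_mac_decrypt(ct: str) -> str:
    """Receiver verdict: the tag is checked first, so padding is never inspected unauthenticated."""
    tagged = xor_keystream(ct)
    padded, tag = tagged[:-TAG_BITS], tagged[-TAG_BITS:]
    if not hmac.compare_digest(tag, mac(padded)):
        return "bad mac"
    try:
        unpad_10star(padded)
    except ValueError:
        return "bad padding"
    return "valid"


# Constructed 3-indistinguishability group: responses of 43, 47 and 41 bits padded to one
# common length; the 41-bit member "c" carries the most padding (d = 7 bits).
GROUP = {"a": "1" * 40 + "000", "b": "0" * 47, "c": "1" * 41}
TARGET = 47 + TAG_BITS + 1            # the longest member still needs its mandatory 1 bit
MAX_PAD = TARGET - (41 + TAG_BITS)    # d on the slides; the probe removes d-1 bits


def truncation_verdicts(encrypt, decrypt, cut):
    """Encrypt every member, drop `cut` trailing ciphertext bits, collect the receiver's verdicts."""
    return {name: decrypt(encrypt(msg, TARGET)[:-cut]) for name, msg in GROUP.items()}


def leaks(verdicts) -> bool:
    """A side channel exists when members of one padding group receive different verdicts."""
    return len(set(verdicts.values())) > 1


if __name__ == "__main__":
    print("MAC-PAD-Encrypt:", truncation_verdicts(mac_pad_encrypt, mac_pad_decrypt, MAX_PAD - 1))
    print("PAD-MAC-Encrypt:", truncation_verdicts(pad_mac_encrypt, pad_mac_decrypt, MAX_PAD - 1))
```

With the vulnerable order only the most-padded member survives the cut with a valid tag, which is exactly the distinguishing signal described above; with the padding under the MAC every truncated record fails the tag check in the same way, so a padding group stays a padding group.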
Further work
• Yet to implement the proposed attacks
• Need to find other modes of operation vulnerable to this attack
• Other possibly vulnerable modes could be AES-GCM as used in TLS, SSH, etc.
• Need to explore other padding schemes apart from bit-padding
Conclusions
• Traffic indistinguishability is a hard problem
• Indifference to the underlying
  • padding schemes
  • encryption modes
  • MAC calculation procedure
  can cause such privacy-preserving schemes to break.
• Schemes to make traffic anonymous not only have to be application-agnostic and efficient; care also needs to be taken about how the scheme affects the underlying cryptographic operation
References
• Chen, S., Wang, R., Wang, X., and Zhang, K. Side-channel leaks in web applications: A reality today, a challenge tomorrow. In IEEE Symposium on Security and Privacy (2010).
• Liu, W. M., Wang, L., Ren, K., Cheng, P., and Debbabi, M. k-indistinguishable traffic padding in web applications. In Privacy Enhancing Technologies (2012).
• Dierks, T., and Rescorla, E. The Transport Layer Security (TLS) Protocol. http://www.rfc-editor.org/rfc/rfc5246.Txt, 2008.
Thank You!

AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdfAKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
AKS UNIVERSITY Satna Final Year Project By OM Hardaha.pdf
 
Investor-Presentation-Q1FY2024 investor presentation document.pptx
Investor-Presentation-Q1FY2024 investor presentation document.pptxInvestor-Presentation-Q1FY2024 investor presentation document.pptx
Investor-Presentation-Q1FY2024 investor presentation document.pptx
 

Exploiting tls to disrupt privacy of web application's traffic

  • 7. Two Conflicting Goals
    • To prevent such side-channel attacks, we face two seemingly conflicting goals:
      • Privacy protection: remove the differences in packet sizes.
      • Cost: minimize the overhead (padding, processing, ...).
    • Trade-off: between the two objectives.
  • 8. Chen et al. (IEEE S&P 2010)
    • The authors tried mitigation with padding approaches:
      • Random padding: pad x bytes, with x ∈ [0, Δ).
      • Round padding: pad to the next multiple of Δ.
    • Inferred that such an application-agnostic approach is not feasible.
  • 9. Liu et al. (PETS 2012)
    • Introduced k-indistinguishability.
    • Grouped packets into groups of at least k.
    • Reduced padding cost while achieving privacy.
    • All packets in the same group have the same size.
    • Formal model for quantifying the amount of privacy protection provided by traffic padding solutions.
  • 10. Padding Options
    PPTP: padding group. Second-keystroke S values (prefix, char) and two ways of grouping them; each group is padded to its largest member.

    S value   Option 1   Option 2   Prefix   char
    473       477        478        (c)      c
    477       477        478        (c)      d
    478       499        478        (d)      b
    499       499        509        (d)      d
    501       509        509        (c)      a
    509       509        509        (d)      c
  • 11. PPTP Components - Interaction
    • Interaction:
      • action a: an atomic user input that triggers traffic (a keystroke, a mouse click, ...).
      • action-sequence a: a sequence of actions with a known relationship (consecutive keystrokes, a series of mouse clicks).
      • action-set Ai: the collection of all i-th actions in a set of action-sequences.
    • User input and observed directional packet sizes:
      a:  801→, ←54, ←509, 60→
      00: 812→, ←54, ←505, 60→, 813→, ←54, ←507, 60→
    • Example 1:
      • Three actions: a1 = input 'a', a2 = input the first '0', a3 = input the second '0'.
      • Two action-sequences: a1 = (a), a2 = (0, 0).
      • Two action-sets: A1 = {a, 0} (0 as first keystroke), A2 = {0} (0 as second keystroke).
    Ref: Liu et al. slides
  • 12. PPTP Components - Observation
    • User input and observed directional packet sizes:
      a:  801→, ←54, ←509, 60→
      00: 812→, ←54, ←505, 60→, 813→, ←54, ←507, 60→
    • Observation:
      • flow-vector v: a sequence of flows (a flow is a directional packet size); corresponds to an action.
      • vector-sequence v: a sequence of flow-vectors; corresponds to an equal-length action-sequence.
      • vector-set Vi: the collection of all i-th flow-vectors in a set of vector-sequences; corresponds to an action-set.
    • Example 2:
      • Three flow-vectors: v1 = (509), v2 = (505), v3 = (507).
      • Two vector-sequences: v1 = (v1), v2 = (v2, v3).
      • Two vector-sets: V1 = {(509), (505)}, V2 = {(507)}.
    Ref: Liu et al. slides
  • 13. Privacy and Cost
    Quasi-ID: flow-vector v (flow s)    Sensitive attribute: action a
    s1                                  a1
    s2                                  a2
    …                                   …
    sn                                  an
    • k-indistinguishability: given a vector-action set VA,
      • Padding group: any S ⊆ VA such that all pairs in S have identical flow-vectors and no S' ⊃ S has this property.
      • VA satisfies k-indistinguishability (k an integer) if the cardinality of every padding group is no less than k.
    • SVSD case (Single-Vector Single-Dimension):
      • Every action-sequence and flow-vector is of length one.
      • Assume all actions are independent and each action triggers only a single packet, which is used to identify the action.
    • Goal of privacy protection: upon observing any flow-vector in the traffic, the eavesdropper cannot determine which action in the table (vector-action set) triggered it.
    Ref: Liu et al. slides
  • 14. Ceiling Padding (cont.)
    • Generalization: grouping and breaking.
    • Unique aspect: padding can only increase a packet size; it cannot decrease it or replace it with a range of values.
    • Dominant-vector: given a vector-set V, the dominant-vector is the flow-vector in which every flow is no smaller than the corresponding flow of any vector in V.
    • Ceiling padding: given a vector-set V, a ceiling-padded group in V is a padding group in which each flow-vector is padded to the dominant-vector. V is ceiling-padded if all of its padding groups are ceiling-padded.
    • Ceiling padding, in short: partition a vector-action set into padding groups, then pad the flow-vectors of each group to the dominant value to render them indistinguishable.
    Ref: Liu et al. slides
  • 15. Example on k-indistinguishability
    • Assume four action-sequences: a1 = {a, b}, a2 = {b, c}, a3 = {c, a}, a4 = {a, d}.
    • Note that a1 and a4 have the same prefix for the second keystroke; the prefix is "a".
    • The corresponding vector-sequences are: v1 = {509, 487}, v2 = {504, 482}, v3 = {502, 501}, v4 = {509, 497}.
    • Vector-sets can be formed as V1 = {509, 504, 502, 509}, V2 = {487, 482, 501, 497}.
    • Similarly, the action-sets are A1 = {a, b, c, a}, A2 = {b, c, a, d}.
    • Vector-action sets: VA1 = {V1, A1}, VA2 = {V2, A2}, i.e.
      • VA1 = {(a, 509), (b, 504), (c, 502), (a, 509)}
      • VA2 = {(b, 487), (c, 482), (a, 501), (d, 497)}
  • 16. Example Continued
    First keystroke:
    Action   Original packet size
    a        509
    b        511
    c        508

    Second keystroke:
    Action   Original packet size   Prefix
    b        487                    a
    c        482                    b
    a        501                    c
    d        497                    a

    • After grouping, simple SVSD on the first table: SVA1 = {(c, 508), (b, 511), (a, 509)}; after padding, PVA1 = {(c, 511), (b, 511), (a, 511)}.
    • After SVMD and padding: SVA2 = {(c, 482), (b, 487), (d, 497), (a, 501)}; PVA2 = {(c, 501), (a, 501), (b, 501), (d, 501)}.
    • Note: a vector-action set must be partitioned so that entries placed in the same padding group have prefixes lying in the same padding group of the previous vector-action set.
    • For the input strings {a, b} and {a, d}, the two flows are {511, 501} and {511, 501} respectively. Thus 3-indistinguishability is maintained.
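The grouping and padding steps of slides 13 to 16 carried through in code, as an added example that is not from the thesis or from Liu et al.'s implementation. It assumes a greedy cut of the size-sorted list into consecutive groups of at least k (the optimized partition of the paper is not reproduced); the names ceiling_pad, padding_groups, is_k_indistinguishable, padding_cost and ceiling_pad_next_keystroke are this example's own, and SLIDE10, FIRST and SECOND are constructed from the numbers on slides 10 and 16.

```python
"""Ceiling padding and the k-indistinguishability check of Liu et al.
(PETS 2012), worked on the numbers from the slides.  Added example; the
grouping is a simple greedy cut of the size-sorted list into consecutive
groups of at least k (an assumption for illustration, not the paper's
optimized partition)."""
from collections import defaultdict


def ceiling_pad(entries, k):
    """entries: tuples whose second element is the original packet size,
    e.g. (action, size) or (action, size, prefix).

    Sort by size, cut into consecutive groups of >= k entries (a remainder
    smaller than k is absorbed into the last group) and pad every member to
    the group's dominant size, i.e. its largest member.
    Returns a list of (entry, padded_size)."""
    if k < 1:
        raise ValueError("k must be positive")
    ordered = sorted(entries, key=lambda e: e[1])
    n = len(ordered)
    if n < k:
        raise ValueError("fewer than k entries: k-indistinguishability impossible")
    padded, start = [], 0
    while start < n:
        end = start + k
        if n - end < k:          # remainder could not form a group of its own
            end = n
        group = ordered[start:end]
        dominant = group[-1][1]  # largest original size in the group
        padded.extend((e, dominant) for e in group)
        start = end
    return padded


def padding_groups(padded):
    """Group entries by padded size: each key is one padding group."""
    groups = defaultdict(list)
    for entry, size in padded:
        groups[size].append(entry)
    return dict(groups)


def is_k_indistinguishable(padded, k):
    """Liu et al.'s condition: every padding group has cardinality >= k."""
    return all(len(g) >= k for g in padding_groups(padded).values())


def padding_cost(padded):
    """Total bytes added by padding."""
    return sum(size - entry[1] for entry, size in padded)


def ceiling_pad_next_keystroke(previous_padded, entries, k):
    """Second-keystroke grouping under the constraint stated on slide 16:
    entries may share a padding group only if their prefixes fall into the
    same padding group of the previous vector-action set.
    entries: (action, size, prefix)."""
    group_of_prefix = {}
    for size, members in padding_groups(previous_padded).items():
        for entry in members:
            group_of_prefix[entry[0]] = size
    buckets = defaultdict(list)
    for entry in entries:
        buckets[group_of_prefix[entry[2]]].append(entry)
    padded = []
    for bucket in buckets.values():
        padded.extend(ceiling_pad(bucket, k))
    return padded


# Constructed from slide 10: second-keystroke S values as (char, size, prefix).
SLIDE10 = [("c", 473, "c"), ("d", 477, "c"), ("b", 478, "d"),
           ("d", 499, "d"), ("a", 501, "c"), ("c", 509, "d")]

# Constructed from slide 16: the first- and second-keystroke tables.
FIRST = [("a", 509), ("b", 511), ("c", 508)]
SECOND = [("b", 487, "a"), ("c", 482, "b"), ("a", 501, "c"), ("d", 497, "a")]


def demo():
    """Options 1 and 2 from slide 10, then the two-keystroke example."""
    option1 = ceiling_pad(SLIDE10, 2)
    option2 = ceiling_pad(SLIDE10, 3)
    first = ceiling_pad(FIRST, 3)
    second = ceiling_pad_next_keystroke(first, SECOND, 3)
    return {
        "option1_cost": padding_cost(option1),
        "option2_cost": padding_cost(option2),
        "option1_sizes": sorted(s for _, s in option1),
        "option2_sizes": sorted(s for _, s in option2),
        "first_sizes": sorted(s for _, s in first),
        "second_sizes": sorted(s for _, s in second),
    }
```

On slide 10's numbers, option 1 (groups of 2) costs 33 bytes of padding and option 2 (groups of 3) costs 24, so a larger k does not necessarily cost more; the cost depends on where the group boundaries fall. The two-keystroke run reproduces PVA1 (all 511) and PVA2 (all 501) from slide 16, and is_k_indistinguishable confirms that option 1 is 2- but not 3-indistinguishable.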
  • 17. Our Objective
    • To break the k-indistinguishability of traffic.
    • Our objective is to infer the input that caused a given packet size.
    • Note that the packets' contents are encrypted using standard TLS 1.2.
  • 18. Our Assumptions
    • We assume k-indistinguishability is already implemented at the server.
    • All possible vector-action sets are fed to the padding algorithms of Liu et al. (PETS '12).
    • The attacker is somehow aware of the packet sizes before padding.
    • We also assume that bit-padding (10*) is used.
    • Padding is done after the MAC is generated (this is valid since TLS follows such a model).
    • We assume either counter mode or CBC mode is used for encryption.
  • 19. Revisiting TLS Record Protocol
    • We consider bit-padding as an option in Step 5.
    (Figure: TLS record processing; fields shown are Plaintext, Size, MAC, Padding, PAD.)
  • 20. Earlier attacks on the TLS MEE construction
    • Padding oracle attack by Vaudenay et al. (Eurocrypt '02)
    • Password Interception in a SSL/TLS Channel by Canvel et al. (Crypto '03)
    • Tag size does matter: Attacks and proofs for the TLS record protocol by Paterson et al. (ASIACRYPT '11)
    • Plaintext-recovery attacks against Datagram TLS by AlFardan et al. (NDSS '12)
    • Lucky13: Related chosen ciphertext attack on TLS by AlFardan et al. (IEEE S&P '13)
  • 21. Our contribution
    • In our work we analyze the security and privacy aspects of
      • encryption modes,
      • the padding scheme,
      • the order of padding in TLS and WPA2.
    • We propose a truncation-based chosen ciphertext attack on TLS 1.2.
    • We exploit the MAC-PAD-Encrypt construction in the TLS record protocol.
    • We also explore the similar construction in the CCMP protocol of WPA2 as well as in TLS 1.2.
  • 22. When CTR mode is used in TLS
    • Let's take an example of 3-indistinguishability.
    • Possible packets are grouped in groups of 3.
    • Once padding is applied to make the packets indistinguishable, all packets have the same size.
    • The attacker's objective is to distinguish between {a, b, c} based on the packet size of the response from the server.
    • We consider the bit-padding scheme of the form 10*.
  • 23. After Padding
    • We assume the MAC tag generated is 32 bytes.
    • Padding is done using bit-padding.
    (Figure: plaintext size + MAC, followed by the padding.)
  • 24. After Encryption
    • After encryption, packets are sent from client to server.
    • The attacker can sniff packets.
    • The attacker can also modify ciphertexts and send them to the server.
    • The server responds to the client based on the ciphertext received.
    • If the ciphertext is wrongly padded or MAC verification fails, the server responds with an error message.
  • 25. How to distinguish packets?
    • We propose a bit-truncation-based chosen ciphertext attack.
    • The attacker takes the packet in the group with the maximum padding; call its padding size d.
    • The attacker truncates d−1 bits from each packet, so that the server generates an error message for the intended packet and none for the others.
    • Based on the error messages sent back to the client, the attacker can guess which input corresponds to this particular packet.
  • 26. Effects of truncation on ciphertext
    • Let the i-th packet in the group have size s_i and let s be the maximum packet size in the group (the size all packets are padded to).
    • The attacker truncates d−1 bits from each packet in the group.
    • If (s − s_i − 1) ≥ (d − 1), the message has more padding than the number of truncated bits, so the padding part still contains the leading 1; the MAC is valid after padding removal.
    • If (s − s_i − 1) < (d − 1), the message has less padding than the number of truncated bits, so padding removal eats into the MAC part; this generates an invalid-MAC error.
    • The attacker can infer from these errors that the packet generating no error is the intended one.
  • 27. Attack on the example
    • For our example, we first try to identify c.
    • To identify c, truncate 3 bits from all packets, including the packet corresponding to c.
    • After truncation, the padding part of c is left with a 1 in the LSB.
    • Hence during padding removal the MAC portion is not corrupted, leading to no error.
    • For the other packets, part of the MAC is stripped off during padding removal, leading to an invalid-MAC error.
  • 28. When the user keystroke is "a"
    (Diagram: 509 + 32 (MAC) + 3 (PAD) → truncate the last 3 bits → decryption → A' (corrupted MAC) → wrong padding, MAC verification fails → invalid.)
    • According to bit-padding, the pad is stripped starting from the LSB until a "1" is encountered.
  • 29. When the user keystroke is "b"
    (Diagram: 511 + 32 (MAC) + 1 (PAD) → truncate the last 3 bits, removing the pad bit and 2 bits of the MAC → decryption → B' (corrupted MAC) → wrong padding, MAC verification fails → invalid.)
  • 30. When the user keystroke is "c"
    (Diagram: 508 + 32 (MAC) + 1000 (PAD) → truncate the last 3 bits (the three 0s) → the pad bit "1" remains → decryption → C (MAC not corrupted) → right padding, MAC verification succeeds → valid.)
  • 31. In case of CBC mode
    • Unlike CTR mode, in CBC mode we cannot do bit-based truncation; instead we employ block-based truncation techniques to identify inputs.
    • The attacker can truncate block-wise from all packets in the group in such a way that the packets can be distinguished by the error generated at the server.
    • For a group of packets having sizes S = {257, 101, 129}
  • 33. In case of WPA2
    • WPA2 is the standard in wireless networks (IEEE 802.11i).
    • It provides confidentiality and integrity of packets.
    • Uses AES-CCMP: counter mode + CBC-MAC.
    • The underlying block cipher is AES.
    • An authenticated encryption scheme.
    • AES-CCM is also a recommended cipher-suite in TLS.
  • 34. CCMP protocol in WPA2
    (Diagram: MSDU → fragmentation into MPDUs → CCMP processing → encrypted MPDUs → priority queue → transmission.)
    • MSDU: MAC Service Data Unit
    • MPDU: MAC Protocol Data Unit
  • 35. CCMP with padding
    (Diagram: MAC header + plaintext data → CCMP header added → authenticated data (MAC header, CCMP header, plaintext data, PAD) → CBC-MAC produces the MIC → encryption in counter mode → MAC header + CCMP header + encrypted data + MIC.)
  • 36. Problems in CCMP
    • Since counter mode is used, no assumption about padding is made.
    • If padding is done after the Message Integrity Code is generated, it can lead to a similar privacy breach.
    • The attacker can carry out a similar chosen ciphertext attack on CCMP too.
  • 37. Mitigations
    • If padding were done before the MAC is calculated, it would not have been possible to carry out such an attack.
    • PAD-MAC-Encrypt is a better option.
    • Always use authenticated padding.
    • Even if authenticated padding is not used, add a field for the PAD length in the header and authenticate it along with the other fields. This prevents unauthorized modification of the message and of the pad.
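The comparison on slide 37 in runnable form: a toy model of MAC-PAD-Encrypt against PAD-MAC-Encrypt, added here as an example (not the thesis's code, and not TLS itself). It assumes a CTR-like keystream derived from SHA-256, HMAC-SHA256 as the 32-byte tag of slide 23, and 10* padding applied at byte granularity (one 0x80 byte, then zeros), so the 3-bit truncation of slides 28 to 30 becomes the loss of 3 trailing bytes; KEY, TAG_LEN, GROUP, TARGET, DROP and all function names are the example's own. A record-layer implementer can use verdicts_distinguish_members as the check slide 37 calls for: the receiver's verdict on a length-modified record must be the same for every member of a padding group.

```python
"""Toy model of the two record constructions compared on slide 37.
Added example.  Assumptions: CTR-like keystream from SHA-256 (not a real
cipher), HMAC-SHA256 as the 32-byte tag, and 10* padding at byte
granularity (0x80 then zero bytes)."""
import hashlib
import hmac

KEY = b"constructed-demo-key"   # constructed shared key
TAG_LEN = 32                    # tag size assumed on slide 23


def keystream(n):
    """CTR-like keystream: SHA-256 over key || counter."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(KEY + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def tag(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()


def bit_pad(data, target):
    """10* padding: one 0x80 byte, then zeros, up to `target` bytes."""
    if len(data) >= target:
        raise ValueError("no room for the mandatory pad byte")
    return data + b"\x80" + b"\x00" * (target - len(data) - 1)


def bit_unpad(data):
    """Strip from the end until 0x80 is found (the rule on slide 28)."""
    i = len(data)
    while i > 0 and data[i - 1] == 0:
        i -= 1
    if i == 0 or data[i - 1] != 0x80:
        raise ValueError("bad padding")
    return data[:i - 1]


# MAC-PAD-Encrypt: the order the slides analyse.
def mac_pad_encrypt(msg, target):
    return xor(bit_pad(msg + tag(msg), target), keystream(target))


def mac_pad_decrypt(ct):
    pt = xor(ct, keystream(len(ct)))
    try:
        body = bit_unpad(pt)          # pad removed before the MAC is checked
    except ValueError:
        return "bad_padding"
    msg, t = body[:-TAG_LEN], body[-TAG_LEN:]
    return "ok" if hmac.compare_digest(t, tag(msg)) else "bad_mac"


# PAD-MAC-Encrypt: the order slide 37 recommends.
def pad_mac_encrypt(msg, target):
    padded = bit_pad(msg, target - TAG_LEN)
    return xor(padded + tag(padded), keystream(target))


def pad_mac_decrypt(ct):
    pt = xor(ct, keystream(len(ct)))
    padded, t = pt[:-TAG_LEN], pt[-TAG_LEN:]
    if not hmac.compare_digest(t, tag(padded)):   # the pad is under the tag
        return "bad_mac"
    try:
        bit_unpad(padded)
    except ValueError:
        return "bad_padding"
    return "ok"


CONSTRUCTIONS = {
    "MAC-PAD-Encrypt": (mac_pad_encrypt, mac_pad_decrypt),
    "PAD-MAC-Encrypt": (pad_mac_encrypt, pad_mac_decrypt),
}

# Constructed from slides 22-30: a 3-indistinguishable group of 509, 511 and
# 508 bytes of application data, all padded to 544 bytes (pads of 3, 1 and
# 4 bytes), delivered with 3 trailing bytes missing.
GROUP = {"a": 509, "b": 511, "c": 508}
TARGET = 544
DROP = 3


def verdicts_after_truncation(name, group=GROUP, target=TARGET, drop=DROP):
    """Receiver verdict per group member when `drop` trailing bytes are lost."""
    enc, dec = CONSTRUCTIONS[name]
    result = {}
    for label, size in group.items():
        msg = label.encode() * size        # constructed filler payload
        ct = enc(msg, target)
        result[label] = dec(ct[:len(ct) - drop])
    return result


def verdicts_distinguish_members(verdicts):
    """True if some members verify and others do not, i.e. the receiver's
    behaviour separates packets the padding had made the same size."""
    return len({v == "ok" for v in verdicts.values()}) > 1
```

With the slides' group {a: 509, b: 511, c: 508} padded to 544 bytes, MAC-PAD-Encrypt returns "ok" for c and an error for a and b, while PAD-MAC-Encrypt returns "bad_mac" for all three, because the pad sits under the tag and any change to the record length is itself a MAC failure. Authenticating an explicit pad-length field, the slide's other suggestion, yields the same uniform verdict.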
  • 38. Further work
    • Yet to implement the proposed attacks.
    • Need to find other modes of operation vulnerable to this attack.
    • Other possibly vulnerable modes could be AES-GCM as used in TLS, SSH, etc.
    • Need to explore other padding schemes apart from bit-padding.
  • 39. Conclusions
    • Traffic indistinguishability is a hard problem.
    • Indifference to the underlying
      • padding schemes,
      • encryption modes,
      • MAC calculation procedure
      can cause such privacy-preserving schemes to break.
    • Schemes that make traffic anonymous not only have to be application-agnostic and efficient; care also needs to be taken over how the scheme affects the underlying cryptographic operation.
  • 40. References
    • Chen, S., Wang, R., Wang, X., and Zhang, K. Side-channel leaks in web applications: A reality today, a challenge tomorrow. In IEEE Symposium on Security and Privacy (2010).
    • Liu, W. M., Wang, L., Ren, K., Cheng, P., and Debbabi, M. k-indistinguishable traffic padding in web applications. In Privacy Enhancing Technologies (2012).
    • Dierks, T., and Rescorla, E. The Transport Layer Security (TLS) Protocol. http://www.rfc-editor.org/rfc/rfc5246.Txt, 2008.