Bicycle Attack by Guido Vranken

7/23/2019 Bicycle Attack by Guido Vranken

http://slidepdf.com/reader/full/bicycle-attack-by-guido-vranken 1/21

HTTPS Bicycle Attack

By Guido Vranken <[email protected]>

ABSTRACT

It is usually assumed that HTTP traffic encapsulated in TLS doesn't reveal the exactsizes of its parts, such as the length of a Cooie header, or the payload of a HTTPP!ST re"uest that may contain varia#le$length credentials such as pass%ords& In thispaper I sho% that the redundancy of the plaintext HTTP headers included in each andevery re"uest can #e exploited in order to reveal the length of particular componentssuch as pass%ords( of particular re"uests such as authentication to a %e#application(& The redundancy of HTTP in practice allo%s for an iterative resolution ofthe length of 'unno%ns' in a HTTP message until the lengths of all its componentsare no%n except for a coveted secret, such as a pass%ord, %hose length is thenimplied& The attac furthermore exploits the property of stream$oriented cipher suitessuch as those #ased on )alois*Counter +ode that the exact size of the plaintext can#e no%n to a man$in$the$middle&The paper furthermore gives insight in ho% very small differences in the length ofintercepted encrypted( )PS coordinates can #e used to estimate the location on the%orld map for a particular encrypted coordinate& nother example demonstrates thatdifferences in length of intercepted encrypted( IPv- addresses are #ound to specificIP ranges&The paper concludes %ith a set of proposed mitigations against this attac&

Table of Contents

HTTPS .icycle ttac&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&/.ST0CT&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&//& Introduction&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&1

/& !n TLS side$channel leas&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&11& note on TLS records and cipher modes&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&2

1& !vervie% of the attac&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&-

/& 3ingerprinting&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&-1& Length deduction through su#traction&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&4

Step /5 preparation&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&6Step 15 analysis&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&7

2& Implications&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&8-& !ther examples&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&8

/& Location leas through encrypted )PS coordinates&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&8



/& 9educing location from )PS coordinate length&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&81& :xploitation&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&/-2& 9isclaimer&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&/6

1& Length of IPv- addresses leas ranges&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&/64& Prevention&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&/;

/& Hashing #efore transmission&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&/;

1& Padding the secret&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&/82& !n varia#le$length padding schemes&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&1<-& =sing constant$length identifiers to refer to o#>ects&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&1/

1. Introduction

1. On TLS side-cannel leaks

It has long #een no%n that SSL*TLS from hereon referred to as TLS( is no silver #ullet to o#scure the

#ehavior of a user on a net%or& ?hile the sound configuration of #oth endpoints of a connection isunderstood to prevent the decoding from ciphertext to plaintext %ithout having access to the private

eys(, transactions conducted over a channel em#edded in TLS lea various types of information&

These side$channel leas can #e the can #e the result of the delegation of actions re"uired for proper

data transmission on a net%or to protocols at a higher layer that offer no means of o#scuring ey

information, such as source and destination IP's encoded in the Internet Protocol layer, and source port,

destination port, payload fragmentation an so forth encoded in the TCP layer& !ther types of side$

channel information leas are consist of varia#ility introduced entirely outside of TLS's control, such as

spatial and temporal discrepancies for different payloads& +oreover, the aggregate of the properties of

pacets sent #ac and forth #et%een t%o TLS endpoints constitutes a se"uence that may #e uni"ue

lined to path and resource access on a %e# application& Some properties of a TLS session are left

uno#scured #y design, such as the exact ciphersuite used and the exact length of the plaintext %hen

stream ciphers are used&

lot of research has #een performed on ho% to stac up these different 'no%ns' in order to

meticulously reconstruct the user's actions, given that the encrypted streams are no%n to an o#server

%ho is or has #een listening in on the 'secure' transmission #et%een t%o endpoints&

In this paper I %ill sho% that for a presuma#ly large su#set of %e# applications, it is easy to infer the

length of parts of the plaintext, or certain attri#utes thereof, from a recorded stream of encrypted

messages& Having access to the private ey is not necessary& In fact, the actual ciphertexts em#edded inthe stream are irrelevant to the deduction, and entry$level arithmetic suffices&

This attac has the property of #eing entirely passive& That is, unlie attacs such as .0:CH %hich

relies on CS03 attacs(, the attacer doesn't need to interfere %ith a user's session& ?hile my attac

typically reveals less detailed information than .0:CH, its advantage of my attac lies in the fact



that it cannot raise alarm #ells, and that it can #e applied retroactively@ that is, encrypted streams

recorded years ago can still be picked apart in order to divulge confidential information&

3urthermore, the attac re"uires some information a#out the victim to #e no%n to the attacer& The

more information the attacer no%s, the more information a#out the victim's plaintexts can #e

deduced& .roadly speaing, the attac %ors #y su#tracting the lengths of no%n parts of the plaintext

from the total plaintext size& If no%ing the length of the user's pass%ord for a specific %e#site is theattacer's o#>ective, then the attacer must also no% the user name #elonging to that pass%ord, since

user name and pass%ord are often sent together in an authentication process& The attac can reveal the

length of the concatenation of the user name and the pass%ord& Su#tracting the length of the user name

from this value reveals the length of the pass%ord&

nother user property that is helpful to no% is the #ro%ser used& This aids in predicting %hich headers

a #ro%ser %ill send for various types of %e# resources& This shouldn't #e too difficult to determine in a

directed attac on a specific person, since >ust a single HTTP ie&, insecure( re"uest %ill reveal the

=ser$gent string&

The name TLS Bicycle Attack %as chosen #ecause of the conceptual similarity #et%een ho% encryption

hides content and gift %rapping hides physical o#>ects& +y attac relies heavily on the property of

stream$#ased ciphers in TLS that the size of TLS application data payloads is directly no%n to the

attacer and this inadvertently reveals information a#out the plaintext size@ similar to ho% a draped or

gift$%rapped #icycle is still identifia#le as a #icycle, #ecause cloaing it lie that retains the underlying

shape& The reason that I've named this attac at all is only to mae referring to it easier for everyone&

!. A note on TLS records and ci"er #odes

TLS record, in %hich encrypted data is encapsulated, has t%o fields that are of importance to the

attacer& !ne is the Content Type field& In this document I %ill focus exclusively on content types %ith

the values 12 <x/7(, since these types of records are used to em#ed the actual encrypted payloads& The

other field of interest to us is the 'length' field& This is a /6$#it field %hich reflects the exact size in

#ytes of the encrypted payload&

nother important property to #e a%are of is the ciphersuite #eing used, in particular %hether it

concerns a #loc cipher or a stream cipher& I %ill focus on stream ciphers, %hich have the convenient

property that their output lengths corresponds /5/ %ith the input plaintext( size, although they do not

necessarily have the same size& That is, each #yte added to the plaintext results in one #yte added theencrypted message, though the encrypted message may #e larger than the plaintext ie&, encryption may

add a constant num#er of #ytes, such as overhead(&



!. O$er$ie% of te attack

The attac consists of t%o components&

1. &in'er"rintin'

!nce an encrypted stream has #een intercepted, the attacer must employ some form of fingerprinting

in order to no% %hich resources in a %e# application %ere accessed& There are many %ays this can #e

achieved& This paper %ill not ela#orate extensively on fingerprinting strategies& 3or demonstration

purposes I %ill #e employing a simple fingerprinting mechanism, %hich consists of taing the full

se"uence of payload lengths of re"uests from the client to the server and calculating the Pearson

correlation coefficient of each su#$se"uence %ith a precomputed se"uence in order to locate the user's

retrieval of an authentication page&

3or instance, loading a page that consists of a couple of AavaScript, CSS and image files %ill #e

reflected as a se"uence of re"uests from the #ro%ser to the server %ith a distinct size& This se"uence of

distinct sizes must computed #y the attacer #efore the attac is executed& This means that the attacer

%ill have to load the page in their #ro%ser and record the size of each re"uest& This precomputation %ill

serve as a template& The attacer can compute the Pearson correlation coefficient from this template

se"uence and the se"uences found in the recorded encrypted stream& !nce a /5/ match is found, the

attacer can safely assume that the client has #een accessing the same page at this point in the

encrypted stream&

The method can #e summarized as follo%s5

Let S #e a se"uence of the values of the 'length' field of TLS pplication 9ata records of HTTPre"uests not responses( to a particular %e# application identified #y its IP address and the hostname

encoded in the TLS SBI extension(& :ach HTTP re"uest corresponds to a separate TLS pplication

9ata payload&

Let T #e the se"uence of re"uest sizes that is uni"ue for access to a particular resource&

Loading %ordpress*%p$login&php on a ?ordPress installation implies the loading of other resources and

results in five re"uests %ith the follo%ing sizes5

=0I Total size of corresponding

HTTP re"uest

https5**localhost*%ordpress*%ordpress*%p$login&php 26;

https5**localhost*%ordpress*%ordpress*%p$includes*css*#uttons&min&cssverD-&-

-<8

https5**localhost*%ordpress*%ordpress*%p$includes*css*dashicons&min&cssverD-&-

-//

https://localhost/wordpress/wordpress/wp-login.php

https://localhost/wordpress/wordpress/wp-includes/css/buttons.min.css?ver=4.4


https://localhost/wordpress/wordpress/wp-includes/css/dashicons.min.css?ver=4.4






https://localhost/wordpress/wordpress/wp-login.php



https5**localhost*%ordpress*%ordpress*%p$admin*css*login&min&cssverD-&-

-<-

https5**localhost*%ordpress*%ordpress*%p$admin*images*%ordpress$logo&svgverD1</2//<7

-4-

In this case T D E26;, -<8, -//, -<-, -4-F&

from scipy.stats import pearsonrimport random

S = [ 327, 470, 453, 351, 399, 368, 409, 411, 404, 454, 390, 430, 458, 318, 305] = [368, 409, 411, 404, 454]

for i in !ran"e#$en#S% & $en#% ' 1%( if pearsonr#, S[i(i'$en#%]% == #1.0, 0.0%( print )*ccess to +p&$o"in.pp detected at e$ement -i in se/ence S) - i

In this example the se"uence T is em#edded in se"uence S, %hich %ill #e detected #y comparing T to

each su#$se"uence in S of the same length as T 4(&

Bote that it is the Pearson correlation coefficient is not a one$to$one numeric comparison&

Setting T to these values5

[920.0, 1022.5, 1027.5, 1010.0, 1135.0]

in %hich each original value has #een multiplied #y 1&4( does not hamper detection of the su#$

se"uence& This is "uite useful #ecause the intercepted, encrypted se"uence might stem from plaintext

%ith headers of a different length than the attacer's precomputed se"uence& 3or instance, the plaintext

of the intercepted stream might contain a different =ser$gent header&

!. Len't deduction trou' subtraction

The attac %ors on the #asis of information deduction through length su#traction& .roadly speaing, it

deduces the length of a single unknown such as a pass%ord( #y su#tracting the no%n length of apayload from the total length of the payload&

The deduction process consists of t%o components5

/& The preparation5 the attacer must use the application themselves and record the exact re"uests

their #ro%ser sends for specific actions such as authentication(

https://localhost/wordpress/wordpress/wp-admin/css/login.min.css?ver=4.4


https://localhost/wordpress/wordpress/wp-admin/images/wordpress-logo.svg?ver=20131107








1& The analysis5 using addition and su#traction of no%ns and unno%ns in order to determine the

length of a single unno%n& This is an iterative process&

Ste" 1( "re"aration

The attacer can load %ordpress*%p$login&php in their #ro%ser and see that the follo%ing files are

loaded as %ell5

+ordpress+ordpress+p&inc$/descss/ttons.min.csser=4.4+ordpress+ordpress+p&inc$/descssdasicons.min.csser=4.4+ordpress+ordpress+p&admincss$o"in.min.csser=4.4+ordpress+ordpress+p&adminima"es+ordpress&$o"o.s"er=20131107

The re"uests loo lie this5

+ordpress+ordpress+p&inc$/descss/ttons.min.csser=4.4 1.1ost( $oca$ostser&*"ent( o:i$$a5.0 #;11< /nt/< in/! !86>64< r(43.0% ec?o20100101

@irefo!43.0*ccept( te!tcss,AA<=0.1*ccept&an"/a"e( en&S,en<=0.5*ccept&ncodin"( ":ip, def$ateBeferer( ttps($oca$ost+ordpress+ordpress+p&$o"in.ppCoo?ie( +ordpress>test>coo?ie=D'Coo?ie'cec?Connection( ?eep&a$ie

+ordpress+ordpress+p&inc$/descssdasicons.min.csser=4.4 1.1ost( $oca$ostser&*"ent( o:i$$a5.0 #;11< /nt/< in/! !86>64< r(43.0% ec?o20100101@irefo!43.0

*ccept( te!tcss,AA<=0.1*ccept&an"/a"e( en&S,en<=0.5*ccept&ncodin"( ":ip, def$ateBeferer( ttps($oca$ost+ordpress+ordpress+p&$o"in.ppCoo?ie( +ordpress>test>coo?ie=D'Coo?ie'cec?Connection( ?eep&a$ie

+ordpress+ordpress+p&admincss$o"in.min.csser=4.4 1.1ost( $oca$ostser&*"ent( o:i$$a5.0 #;11< /nt/< in/! !86>64< r(43.0% ec?o20100101@irefo!43.0*ccept( te!tcss,AA<=0.1*ccept&an"/a"e( en&S,en<=0.5

*ccept&ncodin"( ":ip, def$ateBeferer( ttps($oca$ost+ordpress+ordpress+p&$o"in.ppCoo?ie( +ordpress>test>coo?ie=D'Coo?ie'cec?Connection( ?eep&a$ie

+ordpress+ordpress+p&adminima"es+ordpress&$o"o.s"er=20131107 1.1ost( $oca$ost



ser&*"ent( o:i$$a5.0 #;11< /nt/< in/! !86>64< r(43.0% ec?o20100101@irefo!43.0*ccept( ima"epn",ima"eA<=0.8,AA<=0.5*ccept&an"/a"e( en&S,en<=0.5*ccept&ncodin"( ":ip, def$ateBeferer( ttps($oca$ost+ordpress+ordpress+p&admincss$o"in.min.csser=4.4Coo?ie( +ordpress>test>coo?ie=D'Coo?ie'cec?Connection( ?eep&a$ie

Trying to log in as user 'guido' and pass%ord 'pass%ord' yields the follo%ing re"uest5

ES +ordpress+ordpress+p&$o"in.pp 1.1*ccept( te!ttm$,app$ication!tm$'!m$,app$ication!m$<=0.9,AA<=0.8*ccept&ncodin"( ":ip, def$ate*ccept&an"/a"e( en&S,en<=0.5Connection( ?eep&a$ieCoo?ie( +p&settin"s&time&1=1451442362< +ordpress>test>coo?ie=D'Coo?ie'cec?ost( $oca$ostBeferer( ttps($oca$ost+ordpress+ordpress+p&$o"in.ppser&*"ent( o:i$$a5.0 #;11< /nt/< in/! !86>64< r(43.0% ec?o20100101

@irefo!43.0Content&ype( app$ication!&+++&form&/r$encodedContent&en"t( 126

$o"="/idoFp+d=pass+ordF+p&s/mit=o"'GnFredirect>to=ttps-3*-2@-2@$oca$ost-2@+ordpress-2@+ordpress-2@+p&admin-2@Ftestcoo?ie=1

Ste" !( analysis

!nce the attacer isolates a P!ST re"uest to %p$login&php #y the victim using fingerprinting, then the

follo%ing information is no%n5

1. ES +ordpress+ordpress+p&$o"in.pp 1.12. *ccept( te!ttm$,app$ication!tm$'!m$,app$ication!m$<=0.9,AA<=0.83. Content&ype( app$ication!&+++&form&/r$encoded4. Content&en"t( 1!!HIJIEDI *KBSL5.6. $o"="/idoFp+d=F+p&s/mit=o"'GnFredirect>to=ttps-3*-2@-2@$oca$ost-2@+ordpress-2@+ordpress-2@+p&admin-2@Ftestcoo?ie=1

Line /5 #ecause fingerprinting %as employed, the attacer no%s that the resource #eing accessed is

%p$login&php& The rest of the line can #e no%n from the preparation step /(&

Line 15 If it is no%n that the user's #ro%ser is 3irefox, the attacer can assume that the #ro%ser sends

this ccept header&

Line 2 and -5 Gno%n from the preparation step /(&

Line 45 C0L3 to separate headers and data



Line 65 If the attacer no%s #eforehand that the username is 'guido', the rest of the string can #e

reconstructed from the preparation step /(&

The length rest of the headers, such as Cooie and =ser$gent might not #e directly no%n to the

attacer& 3or this the attacer has to loo at other re"uests made to the same %e# application&

In the encrypted stream, isolate the re"uest for *%ordpress*%ordpress*%p$

includes*css*dashicons&min&cssverD-&- and tae the plaintext size from the re"uest&

3rom this size, su#tract the length of the lines in #lue5

+ordpress+ordpress+p&inc$/descssdasicons.min.csser=4.4 1.1ost( $oca$ostser&*"ent( o:i$$a5.0 #;11< /nt/< in/! !86>64< r(43.0% ec?o20100101@irefo!43.0*ccept( te!tcss,AA<=0.1 *ccept&an"/a"e( en&S,en<=0.5*ccept&ncodin"( ":ip, def$ateBeferer( ttps($oca$ost+ordpress+ordpress+p&$o"in.ppCoo?ie( +ordpress>test>coo?ie=D'Coo?ie'cec?

Connection( ?eep&a$ie

The length of the first #lue line is 77 #ytes this includes carriage return line feed(&

The length of the second #lue line is 1; #ytes this includes carriage return line feed(&

The sum of these values is 77 1; D /<4 #ytes&

Say the plaintext size of the intercepted re"uest for dashicons&min&cssverD-&- is -<8 #ytes& Then -<8

/<4 D -<2& This is exactly the size of the length of the unno%n headers in the P!ST re"uest5

1. ES +ordpress+ordpress+p&$o"in.pp 1.12. *ccept( te!ttm$,app$ication!tm$'!m$,app$ication!m$<=0.9,AA<=0.83. Content&ype( app$ication!&+++&form&/r$encoded4. Content&en"t( 1!!HIJIEDI *KBSL $en"t = 304 ytes5.6. $o"="/idoFp+d=F+p&s/mit=o"'GnFredirect>to=ttps-3*-2@-2@$oca$ost-2@+ordpress-2@+ordpress-2@+p&admin-2@Ftestcoo?ie=1

Bo% tae the plaintext size of the intercepted P!ST re"uest issued #y the client, and from it su#tract all

the no%n lengths5

1. ES +ordpress+ordpress+p&$o"in.pp 1.1 $en"t = 49 ytes #inc$/desCSB@%

2. *ccept( te!ttm$,app$ication!tm$'!m$,app$ication!m$<=0.9,AA<=0.8 $en"t =73 ytes #inc$/des CSB@%3. Content&ype( app$ication!&+++&form&/r$encoded $en"t = 49 ytes #inc$/desCSB@%4. Content&en"t( 1!! $en"t = 21 ytes #inc$/des CSB@%HIJIEDI *KBSL $en"t = 304 ytes5. $en"t = 2 ytes #CSB@%6. $o"="/idoFp+d=F+p&s/mit=o"'GnFredirect>to=ttps-3*-2@-2@$oca$ost-2@+ordpress-2@+ordpress-2@+p&admin-2@Ftestcoo?ie=1 $en"t = 118 ytes



The total length of the no%ns is -872-81/2<-1//; D 6/6 #ytes

Total plaintext size 6/6 D length of pass%ord&

). I#"lications

The attac does not reveal plaintext contents, #ut only lengths of parts of the plaintext& !n the upside,

the attac is entirely passive and may #e executed retro$actively ie&, on encrypted streams recorded in

the past(& 3rom access to %e# applications %hose authentication process is vulnera#le to this attac, the

pass%ord length of a targeted user can #e no%n, %hich can give the attacer an indication of %hat the

pass%ord is, or indicate the feasi#ility of a #rute$force attac& It may also #e executed on a larger scale

on T!0 exit nodes, JPB's, proxies and other Internet traffic conduits in order to detect %ea or short

pass%ords suscepti#le to a #rute$force or an attac #ased on a dictionary of often$used pass%ords&

The example descri#ed a#ove extracts credentials from a P!ST re"uest, #ut the range of application for

this attac is much %ider& It can also #e used to extract the length of user names from pages %here all

content is static or no%n except for a string K?elcome #ac, usernameMN(, or the user's account

#alance on pages in an online #aning application, or the num#er of ne% messages in an online

messaging system& !ne particular avenue that %ould #e interesting to explore is HTTP PI's& HTTP

PI's typically have a limited amount of unpredicta#le header lengths, and PI's are designed to

efficiently communicate isolated #its of information #ac and forth, so re"uests and responses are

typically not cluttered #y unpredicta#le dynamic content&

*. Oter e+a#"les

1. Location leaks trou' encry"ted ,PS coordinates

1. educin' location fro# ,PS coordinate len't

)PS coordinates consist of a latitude, longitude( tuple& There are a total of /;< possi#le degrees

latitude $8< to 8<( and a total of 26< possi#le degrees longitude $/;< to /;<(& The minus sign is used

to denote negative degrees& The coordinates usually also have a floating point part& The floating point

part typically consists of 6 digits, regardless %hether it may #e shortened so /1&< is %ritten as

/1&<<<<<<(& 3rom this it follo%s that latitude consists of at least ; characters5 a single digit #efore the

dot, the dot, and 6 digits after the dot, for example 6&<<<<<<&



To put it differently, a latitude constists of these parts5

/( n optional minus sign $

1( an integer from < to 8<@ so either / or 1 digits

2( a mandatory dot

-( an integer consisting of 6 characters digits(

longitude consists of these parts5

/( n optional minus sign $

1( n integer from < to /;<@ so either /, 1 or 2 digits

2( mandatory dot

-( n integer consisting of 6 characters digits(

The only varia#le fragment in either encoding is the second part the num#er of degrees(@ the integerranging from < to 8< and /;<, respectively&

Length of degrees in characters 0anges this length encodes as tuples

/ <, 8(

1 /<, 88(, $8, $/(

2 $88, $/<(

Length of degrees in characters 0anges this length encodes as tuples

/ <, 8(

1 /<, 88(, $8, $/(

2 /<<, /;<(, $88, $/<(

- $/<<, $/;<(

3rom these t%o sets, the follo%ing Cartesian product can #e constructed5

[##0.0, 9.0%, #0.0, 9.0%%,##0.0, 9.0%, #10.0, 99.0%%,##0.0, 9.0%, #&9.0, &1.0%%,##0.0, 9.0%, #100.0, 180.0%%,##0.0, 9.0%, #&99.0, &10.0%%,##0.0, 9.0%, #&100.0, &180.0%%,##10.0, 99.0%, #0.0, 9.0%%,##10.0, 99.0%, #10.0, 99.0%%,##10.0, 99.0%, #&9.0, &1.0%%,##10.0, 99.0%, #100.0, 180.0%%,##10.0, 99.0%, #&99.0, &10.0%%,



##10.0, 99.0%, #&100.0, &180.0%%,##&9.0, &1.0%, #0.0, 9.0%%,##&9.0, &1.0%, #10.0, 99.0%%,##&9.0, &1.0%, #&9.0, &1.0%%,##&9.0, &1.0%, #100.0, 180.0%%,##&9.0, &1.0%, #&99.0, &10.0%%,##&9.0, &1.0%, #&100.0, &180.0%%,##&99.0, &10.0%, #0.0, 9.0%%,

##&99.0, &10.0%, #10.0, 99.0%%,##&99.0, &10.0%, #&9.0, &1.0%%,##&99.0, &10.0%, #100.0, 180.0%%,##&99.0, &10.0%, #&99.0, &10.0%%,##&99.0, &10.0%, #&100.0, &180.0%%]

ll the uni"ue sums ie&, the uni"ue sums of the character length of the degrees in #oth the latitude and

the longitude(5

E1, 2, -, 4, 6, 7F

In other %ords, for each possi#le )PS coordinate encoded using the method descri#ed earlier, the sum

of the num#er of characters %hich constitute the degrees latitude eg, $-4, %hich are 2 characters( and

the degrees longitude eg& /1, %hich are 1 characters( is either 1, 2, -, 4, 6 or 7 in this example it is 1

2 D 4(&

3rom the tuples of ranges produced #y the Cartesian product of each possi#le latitude and longitude

length 6 different regions on the %orld map can #e demarcated&







!. +"loitation

If the attacer no%s that a certain application is leveraging a geocoding PI to translate a set of )PS

coordinates to a physical location, the deduction descri#ed previously may #e applied to passively

recorded and encrypted "ueries containing )PS coordinates to a geocoding PI in order to determine a

rough estimate of the region on the %orld map that the callee the application invoing the PI( is

in"uiring a#out& This could #e used as part of a de$anonimization effort on T!0 exit node or JPB

out#ound data& mo#ile or other( application that has retrieved its o%n )PS coordinates and

su#se"uently sends it to an PI in order to reverse this data to a human$reada#le location string, or to

store its current location in the cloud, leas information a#out its location&

3or example, say an application is no%n to "uery )oogle's geocoding PI in the follo%ing manner5

ttps(maps."oo"$eapis.commapsapi"eocodeMson$at$n"=Hde"reesL.H6di"itsL,Hde"reesL.H6 di"itsL

https://maps.googleapis.com/maps/api/geocode/json?latlng

https://maps.googleapis.com/maps/api/geocode/json?latlng



3or example5

ttps(maps."oo"$eapis.commapsapi"eocodeMson$at$n"=40.714224,&73.961452

Intercepting and storing the encrypted data transmitted over the %ire to maps&googleapis&com %hileexecuting this command5

c/r$ ttps(maps."oo"$eapis.commapsapi"eocodeMson$at$n"=40.714224,&73.961452

results in a capture similar to this one5

s you can see, the length of the application data is set to /46& )C+$#ased ciphersuite is used, so to

determine the length of the original plaintext, su#tract #y 1- D /21, %hich is exactly the size of the curl

re"uest5

mapsapi"eocodeMson$at$n"=40.714224,&73.961452 1.1ser&*"ent( c/r$7.35.0ost( maps."oo"$eapis.com

https://maps.googleapis.com/maps/api/geocode/json?latlng=40.714224,-73.961452






*ccept( AA

This re"uest, minus the latitude and longitude degrees -< and $72(, can #e regarded as the constant or

known part of the re"uest@ from their preparation, the attacer can no% %hich headers an application

al%ays sends as part of its re"uest to the geocoding PI, and %hat their length is& If it is also no%n

that the fractional part of the coordinates is al%ays coded using 6 digits, then the latitude and longitudedegrees are the only varia#les&

!nce fingerprinting has #een used to locate a re"uest to the )oogle geocoding PI, the attacer can

tae the payload length minus the constant part to retrieve the varia#le part& In this example, the

constant length is /18 #ytes@ this is the entire HTTP re"uest sent minus the actual degrees& This leaves

us %ith a total degree length of 4 characters -< $72 D 4 characters(& =sing the precomputed loo$up

ta#le, it can #e determined %hich part of the %orld is corresponds to the aggregate degree length of 4&

). isclai#er

Calculations might #e slightly off due to the ellipsoid shape of the earth and other factors&

!. Len't of IP$* addresses leaks ran'es

Similar to ho% you can convert the length of )PS coordinates to area's on the %orld map, you can also

map the length of an IPv- address to an actual set of IP ranges5

en"t( 7 && red/ces candidate poo$ to 0.000233- of ori"ina$0.0.0.0

en"t( 8 && red/ces candidate poo$ to 0.008382- of ori"ina$

0.00.0.00.0.00.00.0.0.0000.0.0.0

en"t( 9 && red/ces candidate poo$ to 0.127684- of ori"ina$0.0.0.0000.000.0.000.00.0.000.0.0.00000.0.0.000.0.00.00.0.00.000.00.0.000.0.000.0

0.00.00.0en"t( 10 && red/ces candidate poo$ to 1.071207- of ori"ina$

000.0.0.00000.0.00.00.00.0.00000.00.00.00.00.000.000.000.0.0



0.000.0.0000.00.0.00000.00.0.000.0.000.000.0.0.0000.0.00.0000.0.000.000.00.00.00

0.000.00.000.0.00.00

en"t( 11 && red/ces candidate poo$ to 5.398029- of ori"ina$000.00.0.00000.0.000.000.00.0.000000.00.00.00.0.000.00000.00.000.000.00.00.000.000.0.0000.000.00.0000.000.0.00000.000.0.00.00.00.0000.000.000.0000.0.00.000.00.000.0000.0.000.00000.0.0.00000.0.00.00000.000.00.0

en"t( 12 && red/ces candidate poo$ to 16.710833- of ori"ina$0.00.000.0000.000.00.00000.000.000.000.000.00.00

000.00.000.0000.000.00.0000.0.00.0000.000.000.0000.00.000.0000.000.0.00000.00.00.000000.00.0.000000.000.0.00000.0.000.00000.00.00.0000.0.000.000

en"t( 13 && red/ces candidate poo$ to 31.073257- of ori"ina$

00.000.00.000000.000.000.0000.000.00.00000.000.0.00000.000.000.0000.00.000.000000.00.000.000.000.000.000000.00.00.000



000.0.000.000en"t( 14 && red/ces candidate poo$ to 31.821191- of ori"ina$

000.00.000.00000.000.000.000000.000.000.00000.000.00.000

en"t( 15 && red/ces candidate poo$ to 13.789183- of ori"ina$000.000.000.000

If you manage to isolate an IPv- address %ith string length 7 for example /&1&2&-( em#edded in

encrypted traffic, you can no% that the plaintext IP is in the range <$8&<$8&<$8&<&8& The total IPv-

space constitutes 146O146O146O146 D -18-867186 different addresses& !#server that an IP %ith string

length 7 is sent reduces this space to /<O/<O/<O/< D /<<<<& This is only <&<<<121;2<6-264- percent

of the original space&

If the attacer manages to isolate a page on a %e# application %here an IPv- address is displayed, and

the rest of the page is static or known thin of a %e# application that displays the IPv- address from

%here the last login %as performed(, then an estimate can #e made as to %hich set of IP ranges itconcerns& The pool may #e further reduced #y mapping the resultant IP ranges to utonomous

Systems/ S( and discarding those utonomous Systems that are not Internet Service Providers in the

case the attacer no%s that the IP address they see to reveal #elongs to a home connection and not a

company server, for instance(&

/. Pre$ention

1. Hasin' before trans#ission

n o#vious one$size$fits$all solution is compute a hash of the pass%ord inside the user's #ro%ser using

AavaScript #efore it is sent off to the server&

N eco &n Opass+ordO P sa256s/m5e884898da28047151d0e56f8dc6292773603d0d6aadd62a11ef721d1542d8N eco &n Oapass+ordtatism/c$on"erO P sa256s/m36a9268776dc62211aa00e768052a628d564e3d0548c1aa65af6c0cfa6570d4

.oth pass%ords result in a hash %ith a length of 6- #ytes&

This happens to have the additional advantage that the plaintext pass%ord is never stored any%here

except temporarily in the user's #ro%ser, as opposed to collectively in the #ro%ser, encrypted( transit,

and on your server prior to storing it encrypted in your data#ase& The do%nside of this approach is that

you can't evaluate the pass%ord strength on the server side& ou could construct a list of a certain

/ https5**en&%iipedia&org*%ii*utonomousQsystemQR1;InternetR18

https://en.wikipedia.org/wiki/Autonomous_system_(Internet)

https://en.wikipedia.org/wiki/Autonomous_system_(Internet)



amount of pass%ords that are no%n to #e very common or too short, compute their hashes and fail to

proceed once a user tries to change their pass%ord into one of these strings& Ho%ever, you cannot

verify %hether the user has #een using all of your re"uired sets of characters such as letters, num#ers

and special characters(& !#viously, validation can #e performed %ithin the #ro%ser using AavaScript&

=sers may undermine this #y tampering %ith the AavaScript #ut this is #eside the point #ecause it is

specifically the user %hose safety is attempted to #e strengtened #y taing these measures, and theiro%n attempts at overthro%ing our security considerations are #ut their o%n responsi#ility&

theoretical issue that automatically emerges is that the lea of pass%ord length is moved from the

spatial to the temporal domain& That is to say, no% the o#server %ill not #e a#le to infer the length of

the pass%ord, #ut the length might influence the time and resources re"uired to compute the hash&

Ho%ever, the detection of such microscopic details is usually confined to la#oratory settings, and as

long as the client$side code isn't programmed to signal the server that it is currently computing the hash

and allo%ing the o#server to discern the exact amount of time elapsed #et%een computation and form

su#mission(, this shouldn't really #e a pro#lem&

!. Paddin' te secret

n alternative to this approach is to simply pad the pass%ord right #efore form su#mission to a length

that you consider to #e a safe maximum$size constraint for a user pass%ord, say, a /<<< characters&

Ho% to actually implement the padding might not #e straight$for%ard&

Trailing spaces might #e part of the actual pass%ord the user has thought up& Trailing spaces might #e

truncated #y some #ro%sers&

Padding it %ith zeros as in the SCII character <x<<( might #rea some things as %ell&

:m#edding the zero padding in AS!B %on't %or either, #ecause AS!B %ill replace those %ith

=nicode escapes such as u<<<<, %hich again leas pass%ord lengths&

dding an additional parameter to the P!ST su#mission, say, '', %hich %ill #e represented as

'D&&&&&&' the and the is$e"ual sign are 1 characters( and padding this %ith /<<< minus 1 minus

pass%ordQlength characters is a hac using hard$coded values and it's ugly&

?hat I suggest is to pad the pass%ord string %ith zeros as in the SCII character <x<<(, then convert

to a reada#le hexadecimal representation, and su#mit&

So if the pass%ord is 'pass%ord' and the padding length is /4 for the sae of demonstration(, then5

LLL p+ = )pass+ord) ' #cr#0!00%A7%LLL $en#p+%15LLL p+2 = )).Moin#e!#ord#c%%[2(].:fi$$#2% for c in p+%LLL p+2O70617373776f726400000000000000OLLL $en#p+2%



30

). On $ariable-len't "addin' sce#es

If you decide to implement some padding mechanism, #e%are of varia#le$length padding schemes& .y

padding a string %ith a different and random( amount of characters upon each consecutive run does

not mae it safer #ut in fact introduces insecurity5

1 QR/srinen pyton2 import random34 )))5 is is te serer, +ic, in an attempt to t+art a man in te midd$e6 from inferrin" te si:e of te secret, pads it +it a aria$e and7 random amo/nt of ytes efore eac transmission.8 )))9 def serer#%(10 secret = )tesecret)1112 secret '= ) ) A random.randint#0,50%1314 ret/rn secret1516 )))17 is is te man in te midd$e, passie$y ta?in" note of a$$ pay$oad18 si:es emitted y te serer.19 Ence a s/fficient amo/nt of pay$oads +it aria$e&$en"t paddin" ae20 een transmitted, an acc/rate "/ess at te si:e of te secret can21 e made.

22 )))23 def oserer#%(24 $en"ts = []25 for i in !ran"e#1000%(26 padded>secret = serer#%27 $en"ts '= [ $en#padded>secret% ]28 proa$e>paddin">$en"t = ma!#$en"ts% & min#$en"ts%29 proa$e>secret>$en"t = ma!#$en"ts% & proa$e>paddin">$en"t30 print )en"t of te secret is proa$y( T).format#31 proa$e>secret>$en"t%3233 oserer#%

.y o#serving a page that contains a varia#le$length padded secret, a sufficient amount of encrypted

transmissions of this page in this example /<<< times( allo%s the o#server to determine the upper and

the lo%er limit of the varia#le$length padding, %hich in this case can #e expressed as the tuple <, 4<(&

!nce these have #een determined, the o#server can deduce the length of the secret&

In order to su#vert a padding scheme %ith a lo%er limit larger than < the attacer %ill first need to



o#serve no%n values of the secret to #e transmitted in order to determine the lo%er limit, or figure this

out #y scrutinizing the inner %orings of the %e# application itself&

*. 0sin' constant-len't identifiers to refer to obects

Bumeric identifiers are often used to refer to various data#ase o#>ects@ index&phppageidD/< loads adifferent page than index&phppageIdD/<<& The use of identifiers of constant length, such as ==I9's,

can prevent the lining of identifier lengths to particular sets of( resources&

Documents

Bicycle Attack by Guido Vranken