“CRIME”的意思、由来-开放百科全书

The vulnerability exploited is a combination of chosen plaintext attack and inadvertent information leakage through data compression similar to that described in 2002 by the cryptographer John Kelsey.^[2] It relies on the attacker being able to observe the size of the ciphertext sent by the browser while at the same time inducing the browser to make multiple carefully crafted web connections to the target site. The attacker then observes the change in size of the compressed request payload, which contains both the secret cookie that is sent by the browser only to the target site, and variable content created by the attacker, as the variable content is altered. When the size of the compressed content is reduced, it can be inferred that it is probable that some part of the injected content matches some part of the source, which includes the secret content that the attacker desires to discover. Divide and conquer techniques can then be used to home in on the true secret content in a relatively small number of probe attempts that is a small multiple of the number of secret bytes to be recovered.^[3]^[4]

The CRIME exploit was hypothesized by Adam Langley,^[5] and first demonstrated by the security researchers Juliano Rizzo and Thai Duong, who also created the BEAST exploit.^[7] The exploit was due to be revealed in full at the 2012 ekoparty security conference.^[6] Rizzo and Duong presented CRIME as a general attack that works effectively against a large number of protocols, including but not limited to SPDY (which always compresses request headers), TLS (which may compress records) and HTTP (which may compress responses).

Prevention

CRIME can be defeated by preventing the use of compression, either at the client end, by the browser disabling the compression of SPDY requests, or by the website preventing the use of data compression on such transactions using the protocol negotiation features of the TLS protocol. As detailed in The Transport Layer Security (TLS) Protocol Version 1.2,^[7] the client sends a list of compression algorithms in its ClientHello message, and the server picks one of them and sends it back in its ServerHello message. The server can only choose a compression method the client has offered, so if the client only offers 'none' (no compression), the data will not be compressed. Similarly, since 'no compression' must be allowed by all TLS clients, a server can always refuse to use compression.

Mitigation

Note that as of December 2013 the CRIME exploit against HTTP compression has not been mitigated at all.{{citation needed|date=May 2016}} Rizzo and Duong have warned that this vulnerability might be even more widespread than SPDY and TLS compression combined.{{citation needed|date=May 2016}}

BREACH

At the August 2013 Black Hat conference, researchers Gluck, Harris and Prado announced a variant of the CRIME exploit against HTTP compression called BREACH (short for Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext). It uncovers HTTPS secrets by attacking the inbuilt HTTP data compression used by webservers to reduce network traffic.^[11]

References

1. ^http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2012-4929
2. ^{{Cite book | last1 = Kelsey | first1 = J. | chapter = Compression and Information Leakage of Plaintext | doi = 10.1007/3-540-45661-9_21 | title = Fast Software Encryption | series = Lecture Notes in Computer Science | volume = 2365 | pages = 263 | year = 2002 | isbn = 978-3-540-44009-3 | url = https://www.iacr.org/cryptodb/data/paper.php?pubkey=3091| pmid = | pmc = }}
3. ^¹{{cite web|url=https://threatpost.com/crime-attack-uses-compression-ratio-tls-requests-side-channel-hijack-secure-sessions-091312/|title=CRIME Attack Uses Compression Ratio of TLS Requests as Side Channel to Hijack Secure Sessions |publisher=ThreatPost |date=September 13, 2012 |first=Dennis |last=Fisher |accessdate=September 13, 2012}}
4. ^{{cite web|url=http://security.stackexchange.com/questions/19911/crime-how-to-beat-the-beast-successor/19914 |date=September 8, 2012 |title=CRIME - How to beat the BEAST successor? |publisher=StackExchange.com |accessdate=September 13, 2012}}
5. ^https://groups.google.com/d/msg/spdy-dev/B_ulCnBjSug/rcU-SIFtTKoJ
6. ^{{cite web|url=https://docs.google.com/presentation/d/11eBmGiHbYcHR9gL5nDyZChu_-lCa2GizeuOfaLU2HOU/edit|title=The CRIME attack|first=Juliano |last=Rizzo |first2=Thai |last2=Duong |publisher=Ekoparty |via=Google Docs |accessdate=September 21, 2012}}
7. ^{{ cite web|url=http://tools.ietf.org/html/rfc5246#appendix-A.4.1|title=The Transport Layer Security (TLS) Protocol Version 1.2 - Appendix A.4.1 (Hello messages) |date=August 2008 |last=Dierks |first=T. |last2=Resorla |first2= E. |publisher=IETF |accessdate=July 10, 2013}}
8. ^¹{{cite web|url=https://arstechnica.com/security/2012/09/crime-hijacks-https-sessions/|title=Crack in Internet's foundation of trust allows HTTPS session hijacking|publisher=Ars Technica|first=Dan|last= Goodin |date=September 13, 2012 |accessdate=September 13, 2012}}
9. ^{{cite web|url=https://www.theregister.co.uk/2012/09/14/crime_tls_attack/|title=The perfect CRIME? New HTTPS web hijack attack explained|date=September 14, 2012|accessdate=September 16, 2012 |work=The Register |first=John |last=Leyden}}
10. ^{{cite web|url=http://mailman.nginx.org/pipermail/nginx/2012-September/035600.html|title=Nginx mailing list: crime tls attack|publisher=nginx.org|last=Sysoev |first=Igor |date=September 26, 2012 |accessdate=July 11, 2013}}
11. ^{{cite news |url=https://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/ |title=Gone in 30 seconds: New attack plucks secrets from HTTPS-protected pages|first=Dan |last=Goodin |date=August 1, 2013}}

Details

Prevention

Mitigation

BREACH

References