Practical New Developments in the BREACH Attack

Presented at Black Hat Asia 2016

In 2013, BREACH was the sensation of Black Hat USA, introducing an attack vector that remains unmitigated and that exploits compression to compromise SSL connections. In this talk, we propose new methods that practically extend the attack to the most commonly used encryption ciphers. We describe a command-and-control technique that exploits plain HTTP connections in order to carry out the attack persistently. We also present new statistical methods for bypassing the noise present in block ciphers and for avoiding the noise present in typical web applications. Parallelization and optimization techniques are also explored. We close the talk by proposing novel mitigation techniques. Finally, we reveal our tool implementation, together with experimental results on popular web services.

Presenters:

  • Dionysios Zindros - University of Athens
    Dionysis Zindros is a cryptography researcher and a PhD candidate in the Cryptography & Security group at the University of Athens. He completed his Electrical & Computer Engineering degree at the National Technical University of Athens. He has worked in the product security team of Twitter in San Francisco, Google's Incident Response Development team in Zürich, and deviantART's software engineering team in Los Angeles. He is one of the co-founders of OpenBazaar, a decentralized anonymous marketplace. His research interests include decentralized systems, bitcoin, blockchain technologies, anonymizing networks, and political applications of cryptography.
  • Dimitris Karakostas - National Technical University of Athens
    Dimitris Karakostas is a software engineer and a cryptography researcher. His work on cryptographic compression attacks concludes his degree in Electrical and Computer Engineering at the National Technical University of Athens, where he is currently a Teaching Assistant in cryptography. Dimitris works as a software engineer at Nokia. His research interests include decentralized systems, web security, systems engineering, and data analysis.
