Presented at
Black Hat Europe 2016,
Nov. 4, 2016, noon
(60 minutes)
The BREACH attack presented at Black Hat USA 2013 still has not been mitigated, despite new developments and optimizations presented at Black Hat Asia 2016. This class of attacks presents itself in all practical web applications which use compression, together with encryption, and has not been fixed in even the most recent versions of TLS 1.3.<br> <br> In this talk, we present a generic defence method which eliminates compression-detectability features of existing protocols. We introduce CTX, Context Transformation Extension, a cryptographic method which defends against BREACH, CRIME, TIME, and generally any compression side-channel attack. CTX uses context hiding in a per-origin manner to separate secrets from different origins in order to avoid cross-compressibility. In this talk, we will show a demo of the defence and illustrate how it eliminates the attack implemented in Rupture. We will release an open source implementation of CTX in popular web frameworks both for client-side and server-side web applications. Our implementation runs at the application layer, is opt-in, and does not require modifications to web standards or the underlying web server.
Presenters:
-
Aggelos Kiayias
- Chair in Cyber Security and Privacy, University of Edinburgh
Aggelos Kiayias is chair in Cyber Security and Privacy at the University of Edinburgh. His research interests are in computer security, information security, applied cryptography and foundations of cryptography with a particular emphasis in blockchain technologies and distributed systems, e-voting and secure multiparty protocols as well as privacy and identity management. His research has been funded by the Horizon 2020 programme (EU), the European Research Council (EU), the Secretariat of Research and Technology (Greece), the National Science Foundation (USA), the Department of Homeland Security (USA), and the National Institute of Standards and Technology (USA). He has received an ERC Starting Grant, a Marie Curie fellowship, an NSF Career Award, and a Fulbright Fellowship. He holds a Ph.D. from the City University of New York and he is a graduate of the Mathematics department of the University of Athens. He has over 100 publications in journals and conference proceedings in the area. He currently serves as the program chair of the Financial Cryptography and Data Security conference.
-
Eva Sarafianou
- Security Researcher, University of Athens
Eva Sarafianou is a security researcher at the Security and Crypto lab at the University of Athens focusing on network security. She completed her Electrical and Computer Engineering degree at the National Technical University of Athens with her master thesis on compression side-channel attacks which is her major research interest. With her team in Athens she has developed Rupture, a generic modular TLS attack framework implementing popular attacks such as BREACH and CRIME.
-
Dionysis Zindros
- Security Researcher, University of Athens
Dionysis Zindros is a cryptography researcher and a PhD candidate in the Cryptography & Security group at the University of Athens. He completed his Electrical & Computer Engineering degree at the National Technical University of Athens. He has worked in the product security team of Twitter in San Francisco, Google's Incident Response Development team in Zürich, and deviantART's software engineering team in Los Angeles. In Black Hat Asia 2016, he presented Rupture, a generic compression side-channel attack framework. He is one of the co-founders of OpenBazaar, a decentralized anonymous marketplace. His research interests include decentralized systems, bitcoin, blockchain technologies, anonymizing networks, and political applications of cryptography.
-
Dimitris Karakostas
- Security Researcher, University of Athens
Dimitris Karakostas is a software engineer and a cryptography researcher at the Security and Crypto lab at the University of Athens. His work on cryptographic compression attacks concludes his degree in Electrical and Computer Engineering at the National Technical University of Athens. He has previously worked for Nokia. In Black Hat Asia 2016, he presented Rupture, a generic compression side-channel attack framework. His research interests include decentralized systems, web security, systems engineering, and data analysis.
Links:
Similar Presentations: