SSL/TLS attacks: Part 2 – CRIME Attack

Compression Ratio Info-leak Made Easy (CRIME) attack:

In the previous section we saw how the Chosen Plain-text attack was used to weaken the SSL/TLS protocol. In this section we look at another attack on the SSL/TLS protocol. The attack was presented by Juliano Rizzo and Thai Duong; same pair of researchers who demonstrated BEAST attack. This attack is dubbed as Compression Ratio Info-leak Made Easy (CRIME) attack.

The CRIME attack is used to extract session tokens protected by the SSL/ TLS protocol. CRIME exploits the data compression feature of SSL and TLS. As the compression is at the SSL/TLS level both the header and body are subjected to compression. SSL/TLS and SPDY compression use an algorithm called DEFLATE which compresses HTTP requests by eliminating duplicate strings. CRIME takes advantage of the way duplicate strings are eliminated to guess session tokens by systematically brute forcing them.

Every instance of a duplicate string is replaced by a pointer to the first occurrence of the string. Thus the amount of redundancy in data will influence the amount of compression. More redundant data will lead to more compression and thus smaller will be the length of the HTTP request. The attacker exploits this logic.

How the CRIME attack works?

1. The attacker forces the victim’s browser to send HTTP requests to the same SSL/TLS enabled website that the user is communicating with. These packets are specially crafted to exploit the compression used by SSL/TLS to guess the session tokens.
2. With each request the attacker tries to increase the redundant data in the request viz. in the value of the session token.
3. The attacker then analyzes the variation in the length of the requests after they’ve been compressed in order to determine the value of the victim’s session cookie.
4. If the attacker’s guess is correct then the redundancy in the request increases and thus length of the modified request will be less than the length of a normal request.
5. The attacker has thus guessed the first character of the session token.
6. The attacker repeats the above process to extract remaining characters of the token.

CRIME Attack: Example

Consider that the following cookie is being sent by the client to the server:
Cookie: secret=341267
The attacker knows that the session token contains Cookie: secret=. He might use JavaScript to initiate requests to the SSL enabled servers.
The request may look something like this

POST / HTTP/1.1 Host: importantserver.com … Cookie: secret=341267 … Cookie: secret=1

Steps in CRIME Attack:

Following are the steps which are required for CRIME attack:

• DEFLATE recognizes that there is more than one occurrence of the Cookie: secret= part and replaces the second instance with a small token that points to the location of the Cookie: secret= of the first string.
• This results in the request being smaller by 15 i.e. the length of the string Cookie: secret= .An attacker who is sniffing the network can observe the change in length even though he cannot observe the actual data. The attacker repeats the process with secret=1, secret=2, secret=3 and so on.
• When secret=3 the request’s length decreases by 16. Thus the attacker realizes that he has retrieved the first character of the cookie.
• The same process is repeated only now the value of the Cookie in the body becomes Cookie: secret=3 and the second value is to be retrieved.
• The same process is repeated until the entire cookie value is retrieved.

Impact of CRIME attack

No version of TLS is immune to the attack

Mitigation of CRIME attack

Disabling SSL/TLS compression stops the attack very effectively. In the next section we shall have a look at BREACH attack.