Researchers say that a new attack technique named "BREACH" can extract login tokens, session IDs, and other sensitive information from SSL/TLS-encrypted network traffic.
Such confidential data underpins online banking and online shopping systems, yet the new technique can recover the targeted content within 30 seconds.
BREACH attacks the common Deflate data compression algorithm, which is the main method for conserving bandwidth in network communication. The new technique builds on the earlier CRIME (Compression Ratio Info-leak Made Easy) attack, which exploits the compression of users' encrypted web requests.
Security researchers Angelo Prado, Neal Harris, and Yoel Gluck disclosed the details behind BREACH at the Black Hat conference in Las Vegas.
The three researchers found that BREACH could pose a huge threat to all versions of TLS/SSL, regardless of the encryption algorithm or cipher used.
Attackers only need to lure users in advance, through fraudulent links, to a website under their control, and to continuously snoop on the encrypted traffic between the victim and the web server.
Attackers use scripts hosted on the trap website to drive the second stage of the attack: the victim's browser is forced to visit the target website thousands of times, each time appending a different combination of additional data. Whenever the attacker-controlled bytes match any of the original bytes in the encrypted data stream, the browser's compression mechanism kicks in and reduces the amount of data transmitted. This is equivalent to sending a "success" notification to the attacker.
This data leak is a type of oracle attack, which means that eavesdroppers can piece together e-mail addresses or security tokens in HTTPS exchanges byte by byte. According to the Ars Technica website, the duration of the attack and the number of requests sent are determined by the size of the targeted confidential information.
The leak yields enough information for attackers to decrypt cookies or other target content that users want to protect. Once the cookies are recovered, the door is open for attackers to impersonate victims and carry out web session hijacking and other attacks, the British Computer Society (BCS) stated in a blog post.
The practical impact of the new technique is striking: all tokens and other sensitive information sent over SSL connections, including encrypted email content and one-time order commands on e-commerce websites, can be cracked. Prado, Harris, and Gluck also released several tools to help you test whether your website is vulnerable to BREACH. They also presented techniques to defend against such attacks at this Black Hat conference.
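The length signal described above can be reproduced locally, which is also a way for a site owner to check whether a page template leaks. This is an added example, not code from the researchers or their released tools; the page template, the token value, and the `mask` countermeasure (per-response XOR masking of the secret, one widely documented defense) are assumptions made for illustration.

```python
import os
import zlib

# Constructed sample values (not from the article).
TOKEN = "7f3a9c1e5b2d8a64e0b19d47c62f35a8"   # secret embedded in the page
RIGHT = TOKEN                                 # reflected input equal to the secret
WRONG = "e1d4b07a26c93f58a7c05b3e91d624f0"   # same length, different value


def render_page(reflected: str, token: str) -> bytes:
    """Hypothetical response body: echoes request input and embeds a secret."""
    return (
        f"<html><body><p>Results for: {reflected}</p>"
        f"<form><input type='hidden' name='csrf' value='{token}'></form>"
        "</body></html>"
    ).encode()


def wire_len(body: bytes, compress: bool = True) -> int:
    """Size visible to an eavesdropper: TLS hides content, not length."""
    return len(zlib.compress(body, 9)) if compress else len(body)


def mask(token: str) -> str:
    """Per-response masking: random pad followed by pad XOR token, hex encoded.
    The server would unmask on submit; the body never repeats the raw token."""
    raw = token.encode()
    pad = os.urandom(len(raw))
    return (pad + bytes(a ^ b for a, b in zip(pad, raw))).hex()


def length_gap(protect=lambda t: t, compress: bool = True) -> int:
    """Bytes saved when reflected input equals the secret.
    A large positive gap is the 'success' signal; near zero means no oracle."""
    tok = protect(TOKEN)
    wrong = wire_len(render_page(WRONG, tok), compress)
    right = wire_len(render_page(RIGHT, tok), compress)
    return wrong - right


if __name__ == "__main__":
    print("compressed, raw token   :", length_gap())
    print("compression disabled    :", length_gap(compress=False))
    print("compressed, masked token:", length_gap(protect=mask))
```

A large gap in the first line and a gap at or near zero in the other two shows that the signal comes from compressing a secret together with reflected input, and that removing either ingredient removes it.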
Security work cannot rely on luck
BREACH is only one of an ever-growing list of attacks on HTTPS (currently regarded as the gold standard for secure Internet communication). Other attacks include CRIME, BEAST, and Lucky 13.
During the discussion at the Black Hat conference, security researchers expressed concern that popular algorithms such as RSA and Diffie-Hellman are becoming increasingly weak due to the development of attack methods such as cryptanalysis and BREACH.
"Although the current signs are not very obvious, to ensure security, RSA and non-ECC Diffie-Hellman may not be able to provide trustable protection in the next two to five years," Alex Stamos of Artemis Internet, an iSEC Partners business division, warned. "But this is not always the case."
Kaspersky Lab's Threatpost blog discusses this attack mechanism in more detail. Stamos is not the only expert who worries about existing encryption tools and technologies. Although it still performs commendably, a mechanism like RSA has been in existence for 40 years, and its remaining lifespan may not be long.
At the RSA Conference in March this year, Adi Shamir (the "S" among the three founders of RSA) urged security researchers to come up with a feasible security assurance solution for the "post-encryption age" as soon as possible.