dc.description.abstract |
Transport Layer Security (TLS) provides confidentiality and integrity for traffic between
communicating parties over the Internet, and almost all web applications use it. Confidentiality
is obtained from a block cipher (such as AES or Camellia) used in a mode of operation (such as
CBC or GCM). In CBC mode, a message whose length is not a multiple of the block size of the
underlying cipher is padded to bring it up to the right length. CTR mode does not require
message padding, but a sender who wishes to hide the exact message length from an attacker
can pad messages in this mode as well.
Chen et al. (IEEE S&P 2010) described techniques that use the different packet sizes generated
as various events take place in a web application to infer the state of the web application.
Such an attack allows an attacker to breach the privacy of the user. At PETS 2012, Liu et al.
proposed a scheme that pads the messages in a group so that all packets have the same size,
achieving k-indistinguishability, and claimed that this scheme withstands the attacks described
in Chen et al.'s work.
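The padding behaviour described above, as an added example that is not part of the thesis: a Python model of the observable TLS record length under MAC-PAD-ENCRYPT with a CBC cipher suite versus a CTR cipher suite, and of group padding in the spirit of the k-indistinguishability scheme of Liu et al. The block size, tag length, MAC key and sample messages are constructed assumptions; encryption is modelled as length-preserving, and the record header and IV are omitted as constant. It does not reproduce the chosen-ciphertext attack of this work, only the length relations that such traffic-analysis attacks start from.

```python
import hmac
import hashlib

BLOCK = 16          # assumed cipher block size in bytes (AES)
MAC_LEN = 20        # assumed tag length: HMAC-SHA1, as in an AES-CBC-SHA suite
KEY = b"\x01" * 20  # constructed MAC key for the example, not real key material


def tls_cbc_pad(body: bytes, block: int = BLOCK) -> bytes:
    """TLS 1.0-1.2 CBC padding: n bytes of value n followed by one
    padding_length byte of value n, with n chosen minimally so that the
    total length is a multiple of the block size."""
    n = (block - (len(body) + 1) % block) % block
    return body + bytes([n]) * (n + 1)


def mac_tag(msg: bytes) -> bytes:
    """Fixed-length MAC over the message (HMAC-SHA1 here)."""
    return hmac.new(KEY, msg, hashlib.sha1).digest()


def cbc_record_len(msg: bytes) -> int:
    """MAC-PAD-ENCRYPT with a CBC cipher suite: append the tag, pad to the
    block size, then encrypt. CBC encryption preserves length, so the wire
    length equals the padded length (header and IV omitted as constant)."""
    padded = tls_cbc_pad(msg + mac_tag(msg))
    assert len(padded) % BLOCK == 0
    return len(padded)


def ctr_record_len(msg: bytes) -> int:
    """CTR (or GCM) mode needs no block padding: the wire length is exactly
    message length plus tag length, so the exact message length leaks."""
    return len(msg) + MAC_LEN


def group_pad(msgs, target=None):
    """Pad every message in a group to one application-layer length (the
    longest one unless given), in the spirit of Liu et al.'s
    k-indistinguishability padding. A real scheme needs a length prefix so
    the receiver can strip the padding; that is omitted here."""
    target = max(len(m) for m in msgs) if target is None else target
    return [m + b"\x00" * (target - len(m)) for m in msgs]


def wire_lengths(msgs):
    """Record lengths an eavesdropper observes for each message."""
    return {
        "cbc": [cbc_record_len(m) for m in msgs],
        "ctr": [ctr_record_len(m) for m in msgs],
    }


def distinct(lengths) -> int:
    """Number of size classes an eavesdropper can tell apart."""
    return len(set(lengths))


# Constructed sample: three responses a web application might send for
# three different user actions (5, 7 and 40 bytes long).
SAMPLE = [b"state", b"state-2", b"x" * 40]

if __name__ == "__main__":
    print("no group padding:", wire_lengths(SAMPLE))
    print("group padding   :", wire_lengths(group_pad(SAMPLE)))
```

With the sample messages, the CBC suite merges the 5- and 7-byte responses into one 32-byte record class but still separates the 40-byte one (64 bytes), while the CTR suite exposes all three exact lengths (25, 27 and 60 bytes). Padding the group to a common application-layer length before the MAC is computed collapses every message into a single record length under both modes; the point of this work is that this guarantee depends on the mode and on where in MAC-PAD-ENCRYPT the padding is applied, not on the group padding alone.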
In this work, we analyze the privacy and security aspects of encryption modes, padding schemes
and the order in which messages are padded in TLS during encrypted communication between a
client and a web application on the server. We show that padding all packets to hide message
sizes during communication, without taking into account the underlying encryption mode and the
padding methodology, is not safe.
We consider the technique of Liu et al. when certain combinations of encryption modes and
padding schemes are used in TLS, and show that k-indistinguishability of packets does not
always hold. In particular, we describe a chosen-ciphertext attack showing that the
MAC-PAD-ENCRYPT construction used to generate ciphertext in the TLS record protocol helps the
attacker disrupt the privacy of traffic under certain conditions. We also show how a similar
attack can be carried out on the CCMP protocol, used in WPA2 to provide confidentiality and
integrity in wireless networks, if MAC-PAD-ENCRYPT is followed. |
en_US |