The one-channel nature of web proxies, anonymizers or Virtual Private Networks (VPNs), results in all Internet traffic from one machine traveling over the same SSL channel. We show this provides a feasible ``point of entry'' for this attack. Moreover, we show that the location of target data among block boundaries can have a profound impact on the number of guesses required to recover that data, especially in the low-entropy case.
The attack in this paper is an application of the blockwise-adaptive chosen-plaintext attack paradigm, and is the only feasible attack to use this paradigm with a reasonable probability of success. The attack will work for all versions of SSL, and TLS version 1.0. This vulnerability and others are closed in TLS 1.1 (which is still in draft status) and OpenSSL after 0.9.6d. It is hoped this paper will encourage the deprecation of SSL and speed the adoption of OpenSSL or TLS 1.1/1.2 when they are finially released.
Category / Keywords: implementation / Blockwise Adaptive, Chosen Plaintext Attack (CPA), Secure Sockets Layer (SSL), Transport Layer Security (TLS), Cryptanalysis, HTTP-proxy, Initialization Vectors (IV), Cipher Block Chaining (CBC), Virtual Private Networks (VPN). Publication Info: Not yet published. See E-print 2004/111 which is similar in theory but very different in the actual attack. Date: received 5 Apr 2006, last revised 17 Apr 2006 Contact author: gregory bard at ieee org Available format(s): PDF | BibTeX Citation Note: Changes relating to the directions of traffic of the adversary and target. Also some formatting changes. Version: 20060418:024950 (All versions of this report) Short URL: ia.cr/2006/136 Discussion forum: Show discussion | Start new discussion