Scott C. Johnson
Cryptography II Term Paper
Recent 'CRIME' Attacks on TSL/SSL
Abstract
Recently TSL/SSL have come under attack. This attack has been called
the 'CRIME' attack, or Compression Ratio Info-leak Made Easy. This attack
takes advantage of the compressing of encrypted data to obtain the key
used to encode the data. By looking at the ways a system compresses
various types and sizes of data, the attacker can find patterns that allows
them to obtain the key of data sent by that host.
This is done by the attacker tricking a user to load a specific Javascript.
This script will craft special SSL requests to a system the attackee
already has a connection with. These carefully crafted scripts will allow
the attacker to obtain compression patterns. With these patterns the
attacker can decompress and decode the header of the attackees incoming
transmissions. Allowing the attacker to obtain the special key shared by
the attackee and host they are connected with.
Paper
Paper
Presentation
Presentation
Potential Sources
Note: Scholarly sources are limited on this topic at this time, due to the new nature of this attack. Any suggested sources are welcomed.
https://media.blackhat.com/eu-13/briefings/Beery/bh-eu-13-a-perfect-crime-beery-wp.pdf
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4929
http://www.privatewifi.com/from-beast-to-crime-another-attack-exposes-https-vulnerability/
http://www.networkworld.com/news/2013/031413-researchers-resurrect-and-improve-crime-267698.html?page=1