New Security Approaches for SSL/TLS Attacks Resistance in Practice

Tran Song Dat Phuc, Changhoon Lee

Abstract


Juliano Rizzo and Thai Duong, the authors of the BEAST attack [11, 12] on SSL, have proposed a new attack named CRIME [13] (Compression Ratio Info-leak Made Easy). CRIME exploits how data compression and encryption interact to discover secret information about the underlying encrypted data. Repeating this method allows an attacker to eventually decrypt the data and recover HTTP session cookies. This security weakness affects SPDY and SSL/TLS compression. The attack is effective because the attacker is able to choose different input data and observe the length of the encrypted data that comes out. Transport Layer Security (TLS) ensures the integrity of data transmitted between two parties (server and client) and provides strong authentication for both parties; in the last few years, a wide range of attacks on SSL/TLS have exploited various features of the TLS mechanism. In this paper, we discuss CRIME and other SSL/TLS attacks, along with their countermeasures and implementations. We also present a direction for resisting SSL/TLS attacks in practice.



References


AlFardan, N. and Paterson, K., “Lucky Thirteen: Breaking the TLS and DTLS Record Protocols,” IEEE Symposium on Security and Privacy, http://www.ieee-security.org/TC/SP2013/papers/4977a526.pdf, 2013.

AlFardan, N., Bernstein, D., Paterson, K., Poettering, B., and Schuldt, J., “On the Security of RC4 in TLS and WPA,” http://www.isg.rhul.ac.uk/tls/RC4biases.pdf, 2013.

Bellare, M. and Rogaway, P., “Entity authentication and key distribution,” pp. 232-249, 1994.

Dierks, T. and Allen, C., “The TLS Protocol Version 1.0,” RFC 2246, Internet Engineering Task Force, 1999. Available at: http://www.ietf.org/rfc/rfc2246.txt.

Hwang, S. J. and Lee, C. H., “Padding Oracle Attack on Block Cipher with CBC|CBC-Double Mode of Operation using the BOZ-PAD,” The Journal of Society for e-Business Studies, Vol. 20, No. 1, pp. 89-97, 2015.

Jin, C. Y., Kim, A. C., and Lim, J. I., “Correlation Analysis in Information Security Checklist Based on Knowledge Network,” The Journal of Society for e-Business Studies, Vol. 19, No. 2, pp. 89-97, 2014.

Mavrogiannopoulos, N., Vercauteren, F., Velichkov, V., and Preneel, B., “A cross-protocol attack on the TLS protocol,” Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 62-72, http://doi.acm.org/10.1145/2382196.2382206, 2012.

Popov, A., “Prohibiting RC4 Cipher Suites,” Work in Progress, draft-ietf-tls-prohibiting-rc4-01, 2014.

Prado, A., Harris, N., and Gluck, Y., “The BREACH Attack,” http://breachattack.com, 2013.

Rescorla, E., “SSL and TLS: Designing and Building Secure Systems,” Addison-Wesley, 2001.

Rizzo, J. and Duong, T., “Browser Exploit Against SSL/TLS,” http://packetstormsecurity.com/files/105499/Browser-Exploit-Against-SSL-TLS.html, 2011.

Rizzo, J. and Duong, T., “Here Come The Ninjas,” Ekoparty Security Conference, 2012.

Rizzo, J. and Duong, T., “The CRIME Attack,” Ekoparty Security Conference, 2012.

Rosenfeld, M., “Internet Explorer SSL Vulnerability,” 2008. Available at: http://www.thoughtcrime.org/ie-ssl-chain.txt.

Seok, O. N., Han, Y. S., Eom, C. W., Oh, K. S., and Lee, B. K., “Developing the Assessment Method for Information Security Levels,” The Journal of Society for e-Business Studies, Vol. 16, No. 2, pp. 159-169, 2011.

