Lempel-Ziv Compression with Randomized Input-Output for Anti-compression Side-Channel Attacks Under HTTPS/TLS

Foundations and Practice of Security (FPS 2019)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 12056)

Abstract

Security experts confront new attacks on TLS/SSL every year. Ever since the compression side-channel attacks CRIME and BREACH were presented at security conferences in 2012 and 2013, online users connecting to HTTP servers that run TLS version 1.2 have been susceptible to impersonation. We set up three Randomized Lempel-Ziv Models, built on Lempel-Ziv77, to confront this attack. Our three models change the deterministic characteristic of the compression algorithm: each compression of the same input gives outputs of different lengths. We implemented the SSL/TLS protocol and the Lempel-Ziv77 compression algorithm, and used them as a base for our simulations of the compression side-channel attack. In the simulations, all three models successfully prevented the attack. However, we demonstrate that our randomized models can still be broken by a stronger version of the compression side-channel attack that we created, although this latter attack has a greater time complexity and is easily detectable. Finally, from the results, we conclude that our models do not compress as well as Lempel-Ziv77, but they can be used against compression side-channel attacks.

M. Yang—Currently working with Google.

Acknowledgements

The work was supported by NSERC SPG grants.

Author information

Corresponding authors

Correspondence to Meng Yang or Guang Gong.

Copyright information

© 2020 Springer Nature Switzerland AG

About this paper

Cite this paper

Yang, M., Gong, G. (2020). Lempel-Ziv Compression with Randomized Input-Output for Anti-compression Side-Channel Attacks Under HTTPS/TLS. In: Benzekri, A., Barbeau, M., Gong, G., Laborde, R., Garcia-Alfaro, J. (eds) Foundations and Practice of Security. FPS 2019. Lecture Notes in Computer Science, vol 12056. Springer, Cham. https://doi.org/10.1007/978-3-030-45371-8_8

  • DOI: https://doi.org/10.1007/978-3-030-45371-8_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-45370-1

  • Online ISBN: 978-3-030-45371-8

  • eBook Packages: Computer Science, Computer Science (R0)
