Securing Against Compression Side-Channel Attacks: Threats, Techniques, and Mitigation Strategies

In cybersecurity, side-channel attacks exploit the subtle nuances of a computer system’s physical or software-based characteristics. This approach bypasses direct exploitation of flaws within encryption algorithms or code weaknesses, instead leveraging information leakage from the implementation itself. Among these attacks, compression side-channel attacks stand out as a particularly clever way to bypass security protocols, even in encrypted, high-security environments such as healthcare, finance, and web search platforms that use HTTPS.

These attacks, including well-known variants like CRIME and BREACH, take advantage of data compression to infer sensitive information from the size of the compressed data. By understanding the underlying principles of compression algorithms, attackers can decipher protected data, revealing insights about a user’s interactions with a web application or even their login credentials. Let’s break down how these attacks work, and the techniques used to mitigate them.

How Compression Algorithms Work

Compression algorithms are designed to make data smaller by eliminating redundancies. When a phrase repeats within a text, it is stored only once, and any subsequent instances are replaced by references to the original. This process significantly reduces the overall data size. For example, if a piece of text includes both a user-inputted string and a secret, the compression algorithm can be manipulated to reveal parts of that secret based on the compressed data’s length.

This technique becomes exploitable when the attacker can control some portion of the data and observe the compressed output size. By modifying their input to align with known patterns, attackers can detect which parts of the data are efficiently compressed and thereby infer sensitive information through compression patterns. Two key attacks, CRIME and BREACH, take advantage of these principles but in different ways.

CRIME Attack: Exploiting TLS Compression

In 2012, researchers Thai Duong and Juliano Rizzo revealed the CRIME attack, an attack vector targeting TLS (Transport Layer Security) compression. This side-channel attack allows an attacker to decrypt data by observing the compression ratio of TLS requests, effectively enabling them to capture critical information like session cookies. With access to these cookies, attackers can hijack a user’s session, impersonate them, and gain access to secure web applications such as online banking portals.

To perform a CRIME attack, the attacker needs to inject specific data into a victim’s requests, observe the size of the encrypted traffic, and exploit the compressed data patterns. This attack was mitigated by disabling TLS-level compression, which was seldom used by browsers at the time. Major browsers like Chrome and Firefox released patches soon after the CRIME attack was publicized, rendering this specific threat ineffective by disabling TLS compression.

BREACH Vulnerability: Attacking HTTP-Level Compression

In 2013, the BREACH attack extended the principles of CRIME to HTTP-level compression, making it even more challenging to defend against. Unlike CRIME, which specifically exploited TLS compression, BREACH targets HTTP responses that use compression algorithms like gzip. Presented by researchers Angelo Prado, Neal Harris, and Yoel Gluck at Black Hat USA, BREACH doesn’t depend on any specific version of TLS or SSL, making it a broader threat.

To execute a BREACH attack, an attacker needs three elements:

1. HTTP-level compression enabled on the server.
2. Reflection of user inputs in HTTP response bodies.
3. Sensitive information (such as CSRF tokens) embedded within those HTTP responses.

BREACH works by injecting guesses into the HTTP request and analyzing the length of the compressed response. By carefully crafting requests that include both attacker-controlled and target-specific data, the attacker can use compression patterns to “guess” the contents of sensitive information one character at a time. This is particularly problematic for sites that use gzip compression and do not segregate user data from sensitive information.

For example, if an attacker guesses a character in a CSRF token correctly, the response becomes slightly smaller, indicating that the character is indeed part of the token. Repeating this process can allow the attacker to fully recover a secret like a token within seconds using a few thousand requests.

Real-World Implications and Other Compression Attacks

Beyond CRIME and BREACH, similar attacks like TIME and HEIST further demonstrate how compression-based side channels can reveal data indirectly. TIME and HEIST utilize timing information from the browser to measure data size, enabling attacks without requiring a man-in-the-middle position. These newer methods showcase how compression side-channel vulnerabilities continue to evolve and present a broader range of threats to web applications that rely on HTTP compression.

Given the sensitive nature of the data these attacks can target, particularly in industries like healthcare and finance, it is crucial for web applications to assess the risk and consider implementing mitigation strategies.

Mitigation Strategies

Fortunately, several strategies can reduce the risk of compression side-channel attacks:

1. Disable Compression: Disabling compression on sensitive pages can fully mitigate this attack vector. However, this approach may reduce page load speeds for users.
2. Separate User Data and Sensitive Information: By ensuring that sensitive data is never included in responses containing user data, the risk of these attacks is minimized. For example, cookies and CSRF tokens can be kept in separate requests that don’t include user inputs.
3. Randomize Secrets Per Request: By generating unique CSRF tokens for each request, attackers cannot reuse a previously successful guess.
4. Masking Secrets: XOR-based masking of sensitive data with random values on each request provides additional protection, as this effectively scrambles the secret with new values each time.
5. Length Hiding: Adding random bytes to HTTP responses can obscure the exact length, making it difficult for attackers to determine patterns.
6. Same-Site Cookies: Setting cookies as same-site helps ensure they are only sent in requests from the same domain, mitigating the risk of cross-origin attacks.

While each of these mitigations provides a layer of protection, a combination of strategies is often necessary to protect fully against various forms of compression side-channel attacks.

How can Encryption Consulting help?

Given the evolving nature of attacks like CRIME and BREACH, Encryption Consulting’s Encryption Advisory Services team can provide expert recommendations on best practices, such as disabling compression, separating sensitive data, and implementing strategies like masking secrets or length hiding. Our expertise helps organizations tailor their defences to minimize the risks associated with such vulnerabilities. In an environment where encryption alone isn’t enough, Encryption Consulting ensures that organizations implement the necessary layers of protection to stay ahead of potential threats and secure sensitive information.

Conclusion

Compression side-channel attacks like CRIME and BREACH highlight the need for rigorous security measures even when using industry-standard protocols like HTTPS. These attacks demonstrate that encryption alone is not always enough; additional layers of security are required to safeguard user data in today’s complex web environments.

With proper understanding and mitigation techniques, organizations can reduce their exposure to compression-based attacks and better protect sensitive information from exploitation. As attackers develop more sophisticated techniques, the importance of staying informed and implementing robust security practices becomes all the more essential.