point, if the attacker already knows the user's username, they can subtract its length from the remaining bytes and deduce the length of the user's password.
How can an attacker deduce actual passwords from the length of passwords?
Suppose the attacker has deduced that a particular user's password is 8 characters long. One option is brute force: try every 8-character string of letters, digits and symbols against the login form. Knowing the length removes every shorter and longer candidate from the search space, so if the password is weak enough the attacker will eventually hit it. In practice, online guessing is slowed by rate limiting and lockout, so the leak matters most on sites without such controls, or when it is combined with a stolen password hash that can be attacked offline.
Another option is a dictionary attack. Users often build passwords from dictionary words, so the attacker can restrict the wordlist to its 8-character entries and try only those, a far smaller set than the full list.
The attacker may also combine the known length with information specific to the user (names, dates, passwords from earlier breaches) and try only candidates of length 8 derived from it.
What sensitive data can be deduced using the HTTPS bicycle attack?
A great deal of sensitive data can be deduced with the HTTPS bicycle attack. Because it needs only the sizes of records, nothing is decrypted and no key is recovered, and TLS traffic captured long ago can still be analysed. Some of the sensitive data the attack can reveal includes:
- The length of passwords, from which the actual password may be recovered by guessing.
- Small differences in the length of encrypted GPS coordinates (the number of digits in the latitude and longitude values) can be used to narrow down a location on the world map.
- Differences in the length of an encrypted IPv4 address (a dotted-decimal address is between 7 and 15 characters long) reveal which address ranges it can belong to, which narrows the search for the actual address.
How to prevent HTTPS bicycle attacks?
There are a couple of steps that can be taken to mitigate the attack.
- The user can use a strong password made up of a mixture of letters, numerals and special characters, chosen at random. Knowing the length only bounds the search space, so a long random password stays out of reach even when the attacker knows exactly how long it is.
- Two-step authentication, which requires a password plus another factor such as a One Time Password, limits what an attacker gains from a recovered password. It does not stop the length leak itself.
- The HTTPS bicycle attack works because the cipher is length-preserving: one byte added to the plaintext adds exactly one byte to the ciphertext, so the record size gives away the plaintext size. This holds for classic stream ciphers and equally for the AEAD modes in use today, AES-GCM and ChaCha20-Poly1305, which add only a fixed-size tag. Block ciphers in CBC mode pad to a 16-byte boundary, which only coarsens the leak to block granularity rather than removing it. Turning off stream ciphers is therefore not a practical fix on its own; hiding the length with padding is.
- TLS 1.3 includes record-level padding, which can make records of different plaintext lengths the same size on the wire. It is not applied automatically: the server or client has to enable it (for example with OpenSSL's SSL_CTX_set_block_padding), and an unpadded TLS 1.3 connection leaks lengths exactly as TLS 1.2 does.
- Sensitive fields can be padded to a fixed length before transmission (a filler field, or padding of the password field that the server strips), so that every submission has the same size regardless of the real password length. Hashing the value client-side to a fixed length also hides its length, but it must not replace server-side password hashing, since the transmitted hash then becomes the effective password.
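The record-layer comparison behind the last three points, as an added example that is not part of the original article. It models the on-the-wire size of one login request under TLS 1.2 AES-GCM, TLS 1.2 AES-CBC with HMAC-SHA256, TLS 1.3 AES-GCM with record padding enabled, and application-level padding of the form body, and checks which of them lets a passive observer tell password lengths apart. The 120-byte request prefix and the padding sizes are constructed assumptions; the per-record overheads are the protocol's fixed values.

```python
# Added example (not from the original article): what a passive observer can
# tell about password length under different record-layer choices.
from typing import Callable, Dict, Iterable

# Assumed constant size of method line, headers and "username=...&password="
# for one login request; only the password length varies between requests.
REQUEST_PREFIX = 120


def gcm_len(plaintext_len: int) -> int:
    """TLS 1.2 AES-GCM: 5 header + 8 explicit nonce + plaintext + 16 tag.
    Length-preserving, so every plaintext byte shows on the wire."""
    return 5 + 8 + plaintext_len + 16


def cbc_len(plaintext_len: int, mac_len: int = 32) -> int:
    """TLS 1.2 AES-CBC with HMAC-SHA256: plaintext || MAC || padding, where
    the padding-length byte is mandatory and the total is rounded up to a
    16-byte block, plus 5 header + 16 explicit IV. Leaks length only at block
    granularity."""
    unpadded = plaintext_len + mac_len + 1
    padded = -(-unpadded // 16) * 16
    return 5 + 16 + padded


def tls13_padded_len(plaintext_len: int, bucket: int = 256) -> int:
    """TLS 1.3 AES-GCM with record padding enabled: TLSInnerPlaintext is
    content || 1 type byte || zero padding, here rounded up to a multiple of
    `bucket` bytes (the bucket size is a constructed choice), plus 5 header
    and a 16-byte tag. With bucket=0-style (no) padding it would equal
    gcm_len minus the explicit nonce, i.e. just as leaky as TLS 1.2."""
    inner = -(-(plaintext_len + 1) // bucket) * bucket
    return 5 + inner + 16


def app_padded_gcm_len(password_len: int, fixed_len: int = 64) -> int:
    """Application-level fix on a length-preserving cipher: the client pads
    the password field (or adds a filler field) so the body always carries
    `fixed_len` bytes for the password. Passwords longer than the field are
    rejected rather than silently truncated."""
    if password_len > fixed_len:
        raise ValueError("password longer than the fixed field width")
    return gcm_len(REQUEST_PREFIX + fixed_len)


def sizes_for_password_lengths(pw_lengths: Iterable[int],
                               record_len: Callable[[int], int]) -> Dict[int, int]:
    """Observed record size for each password length under one record model."""
    return {n: record_len(REQUEST_PREFIX + n) for n in pw_lengths}


def leaks_length(pw_lengths: Iterable[int],
                 record_len: Callable[[int], int]) -> bool:
    """True if any two of the given password lengths are distinguishable by size."""
    return len(set(sizes_for_password_lengths(pw_lengths, record_len).values())) > 1


if __name__ == "__main__":
    lengths = [6, 8, 12, 20]
    for name, fn in [("TLS1.2 AES-GCM", gcm_len),
                     ("TLS1.2 AES-CBC", cbc_len),
                     ("TLS1.3 padded ", tls13_padded_len)]:
        print(name, sizes_for_password_lengths(lengths, fn),
              "leaks" if leaks_length(lengths, fn) else "hidden")
    print("app padding   ", {n: app_padded_gcm_len(n) for n in lengths})
```

Under CBC the 8-, 12- and 20-character passwords land in the same block count and become indistinguishable, but 6 versus 8 is still visible, which is why block ciphers only blunt the attack. Padding to a bucket, at the record layer or in the application, is what makes all four sizes identical.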