Bicycle attack
An HTTPS Bicycle Attack refers to a method of discovering password length in traffic encrypted with the TLS/SSL protocols.[1] In preparation for a bicycle attack, the attacker must load the target page to compute the sizes of the headers in the request that a given web browser sends to the server. Once the attacker intercepts a victim's request and fingerprints the browser that produced it, the length of the password can be deduced by subtracting the known header lengths from the total length of the request.[2]
The term was first coined on December 30, 2015 by Guido Vranken, who wrote:
"The name TLS Bicycle Attack was chosen because of the conceptual similarity between how encryption hides content and gift wrapping hides physical objects. My attack relies heavily on the property of stream-based ciphers in TLS that the size of TLS application data payloads is directly known to the attacker and this inadvertently reveals information about the plaintext size; similar to how a draped or gift-wrapped bicycle is still identifiable as a bicycle, because cloaking it like that retains the underlying shape. The reason that I've named this attack at all is only to make referring to it easier for everyone."[2] [emphasis added]
The bicycle attack makes brute-forcing of passwords considerably easier, because only candidate passwords of the known length need to be tested. It demonstrates that TLS-encrypted HTTP traffic does not hide the exact size of its content.
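To make the length arithmetic concrete, the following is an added Python model (not code from the page or from Vranken's paper) of the observable the attack relies on, the subtraction that recovers the password length, and a fixed-length padding mitigation; the browser header template, the username, the `#` filler and the 24-byte AEAD overhead are constructed assumptions.

```python
# Constructed model of the length leak behind the HTTPS Bicycle Attack and of
# a padding mitigation. Assumption: an AEAD/stream cipher suite adds a constant
# per-record overhead (here 24 bytes: 8-byte explicit nonce + 16-byte tag, as in
# TLS 1.2 AES-GCM) and no padding, so record length = plaintext length + 24.
AEAD_OVERHEAD = 24


def build_login_request(username: str, password: str, pad_to: int = 0) -> bytes:
    """Constructed POST as one fixed browser would send it; only form values vary.
    If pad_to > 0, the password field is right-padded with '#' (a filler the
    server strips) to a fixed length, so passwords up to pad_to look alike."""
    pw_field = password.ljust(pad_to, "#") if pad_to else password
    body = f"username={username}&password={pw_field}"
    headers = (
        "POST /login HTTP/1.1\r\n"
        "Host: example.invalid\r\n"
        "User-Agent: ConstructedBrowser/1.0\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return (headers + body).encode()


def observed_record_length(plaintext: bytes) -> int:
    """What a passive observer sees: the TLS record size, never the bytes."""
    return len(plaintext) + AEAD_OVERHEAD


def infer_password_length(record_len: int, username: str, max_len: int = 256) -> int:
    """Defender-side check of how much one record size gives away. Rather than a
    single subtraction, rebuild the known template for each candidate length so
    that a Content-Length header gaining a digit does not throw the result off.
    Returns -1 if no candidate length matches."""
    target = record_len - AEAD_OVERHEAD
    for n in range(max_len + 1):
        if len(build_login_request(username, "x" * n)) == target:
            return n
    return -1


def distinct_record_lengths(username: str, passwords: list, pad_to: int = 0) -> set:
    """Mitigation check: how many different sizes do these logins put on the wire?
    A single size means the record length no longer reveals password length."""
    return {observed_record_length(build_login_request(username, p, pad_to))
            for p in passwords}
```

Padding the field to a fixed width is only a demonstration; passwords longer than `pad_to` would still leak, and TLS 1.3 additionally lets the sender pad whole records, which hides the size of the entire request rather than one field.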
References
- Harsha, Benjamin; Morton, Robert; Blocki, Jeremiah; Springer, John; Dark, Melissa (2021-01-01). "Bicycle attacks considered harmful: Quantifying the damage of widespread password length leakage". Computers & Security. 100: 102068. arXiv:2002.01513. doi:10.1016/j.cose.2020.102068. ISSN 0167-4048. S2CID 211032131.
- Vranken, Guido (December 30, 2015). "HTTPS Bicycle Attack" (PDF). Retrieved 2021-10-15.