Implementing a client-server setting to prevent the browser reconnaissance and exfiltration via adaptive compression of hypertext attacks
| dc.contributor.author | Alawatugoda, J. | |
| dc.contributor.author | Weerasooriya, I. | |
| dc.contributor.author | Jayawardhana, D. | |
| dc.contributor.author | Amarasinghe, N. | |
| dc.contributor.author | Ragel, R. | |
| dc.date.accessioned | 2025-10-31T06:22:11Z | |
| dc.date.available | 2025-10-31T06:22:11Z | |
| dc.date.issued | 2016-11-05 | |
| dc.description.abstract | The Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH) attack is a compression-based side-channel attack, which targets sensitive pieces of data compressed-then-encrypted in the HTTP responses. The BREACH attack was firstly demonstrated in Black Hat Europe 2013. The HTTP compression is the process of compressing the content in the HTTP responses from the server-side, before sending them to the client. The HTTP compression is normally performed through the DEFLATE algorithm, which is a combination of the LZ77 algorithm and Huffman coding. The main reason that makes the BREACH attack possible is that the adaptive compression-dictionary used in the DEFLATE algorithm, which enables the algorithm to develop a compression-dictionary based on the content to be compressed. After compressing with the DEFLATE algorithm, even when encrypted, the length of the compressed data is still visible. In the BREACH attack, the attacker injects his guesses of the secrets into the HTTP response bodies. Due to the adaptive compression-dictionary, if the guessed bytes match with the actual secrets, responses would be highly compressed and hence the output length differs. As the length of the responses would reveal information on how much overlap has happened, the attacker can measure how much of the attacker-injected bytes are contained in the sensitive pieces of data in the system. The BREACH attack can be mitigated by using a non-adaptive fixed dictionary for compression, because the dictionary is independent from the inputs, and hence the attacker- injected guesses cannot affect the dictionary; the data will be compressed if they match with the dictionary entries, otherwise not. This idea was first proposed with security proofs in a reasonable model in Financial Cryptography and Data Security 2015. In this research we implemented and deployed a non-adaptive fixed-dictionary compression algorithm into the real-world client-server setting, and facilitate a realistic mechanism to prevent the BREACH attack. Further, we verified the correctness of data recovery in the client-side. | |
| dc.description.sponsorship | This project is supported by the National Research Council (Grant NRC 16-020). | |
| dc.identifier.citation | Proceedings of the Peradeniya University International Research Sessions (iPURSE) – 2016, University of Peradeniya, P 282 | |
| dc.identifier.isbn | 978-955-589-225-4 | |
| dc.identifier.uri | https://ir.lib.pdn.ac.lk/handle/20.500.14444/5855 | |
| dc.language.iso | en_US | |
| dc.publisher | University of Peradeniya, Sri Lanka | |
| dc.subject | BREACH | |
| dc.subject | HTTP | |
| dc.subject | DEFLATE algorithm | |
| dc.subject | LZ77 algorithm | |
| dc.subject | BREACH attack | |
| dc.title | Implementing a client-server setting to prevent the browser reconnaissance and exfiltration via adaptive compression of hypertext attacks | |
| dc.type | Article |