Updated delta-encoding of values

From: RUELLAN Herve <Herve.Ruellan@crf.canon.fr>
Date: Fri, 22 Mar 2013 18:22:04 +0000
To: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <6C71876BDCCD01488E70A2399529D5E5163F3D8F@ADELE.crf.canon.fr>
Within delta-encoding of header values, the usage of a shared prefix between an indexed value and a new value to encode is prone to a CRIME-like attack, even if to a lesser extent (in the current HeaderDiff specification, delta-encoding is only allowed for headers sharing the same name).

Therefore, we worked on some modifications of the delta-encoding mechanisms to remove this threat.

The first modification is to bound the end of the shared prefix: the last character of the shared prefix must belong to a predefined set of characters. This set of characters contains characters used as boundaries inside the header values. An example of such a set of characters is: "/?= ,". Using this set, the compaction loss is minimal. By bounding the end of the shared prefix, the mechanism is similar to a more fine-grained indexing. This limitation prevents an attacker from guessing a header value character by character as in the CRIME attack.

A second modification is to limit the number of times an indexed value is used as a reference for delta-encoding another value. Experiments have shown that using a limit of 2 references enables the compaction loss to be marginal. Without the possibility of referring many times to the same value, CRIME-like attacks are no longer possible.

We updated our implementation to include these modifications.

Hervé.
Received on Friday, 22 March 2013 18:22:37 GMT
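The two mitigations described in the mail, as an added example that is not the HeaderDiff implementation or the author's code: the boundary set "/?= ," and the limit of 2 references are taken from the mail; the encoder structure, function names and the (reference, prefix length, suffix) output form are assumptions made for illustration.

```python
# Added example (not HeaderDiff's code): a toy delta-encoder for header values
# that applies the two mitigations from the mail:
#  1. the shared prefix must end on a character from a boundary set, and
#  2. each indexed value may serve as a delta reference at most MAX_REFS times.

BOUNDARIES = set("/?= ,")   # the example boundary set given in the mail
MAX_REFS = 2                # the reference limit given in the mail


def bounded_common_prefix(reference: str, value: str) -> int:
    """Length of the longest prefix shared by both strings whose last
    character is a boundary character; 0 when no such prefix exists.
    Because the length only grows at a boundary, guessing a secret one
    character at a time does not change the encoded length."""
    best = 0
    for i, (a, b) in enumerate(zip(reference, value)):
        if a != b:
            break
        if a in BOUNDARIES:
            best = i + 1
    return best


class DeltaEncoder:
    """Index of previously seen values plus a per-entry counter of how often
    each entry has already been used as a delta reference (assumed design)."""

    def __init__(self):
        self.index = []       # indexed header values
        self.refs_used = []   # reference counter per indexed value

    def encode(self, value: str):
        """Return (reference_index, prefix_length, suffix). reference_index is
        None when no usable reference exists and the value is sent literally.
        The encoded value is then added to the index."""
        best = (None, 0)
        for idx, ref in enumerate(self.index):
            if self.refs_used[idx] >= MAX_REFS:
                continue                            # mitigation 2: exhausted
            n = bounded_common_prefix(ref, value)   # mitigation 1: bounded
            if n > best[1]:
                best = (idx, n)
        idx, n = best
        if idx is not None:
            self.refs_used[idx] += 1
        self.index.append(value)
        self.refs_used.append(0)
        return (idx, n, value[n:])
```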