Leaking Sensitive Data in Security Protocols

What is Ring-Road?

The Ring-Road Bug is a serious vulnerability in security protocols that leaks the length of passwords allowing attackers to bypass user authentication. The Internet Engineering Task Force for HTTP/2 led by Google is working to create a patch to protect security protocols vulnerable to Ring-Road.
Researchers a part of Purdue University identified a major security issue with Google's QUIC protocol (Quick UDP Internet Connections, pronounced quick). For background, QUIC is designed to improve the speed and performance of Chrome and all Google services. The team was astonished to find that Google's QUIC protocol leaks the exact length of sensitive information when transmitted over the Internet. This could allow an eavesdropper to learn the exact length of someone's password when signing into a website like Google's E-mail system called G-mail. In part, this negates the purpose of the underlying encryption, which is designed to keep data confidential--including the length of your password.

Speed At The Cost of Security

Over the last five years, the Internet has been transformed with a new suite of performance improving communication protocols such as SPDY, HTTP/2 and QUIC. These new protocols are being rapidly implemented to improve the speed and performance of the Internet. More than 10% of the top 1 Million websites are already using some of these technologies, including much of the 10 highest traffic sites.
Security protocols like QUIC are using a mode of encryption called Advanced Encryption Standard Galois/Counter Mode (AES-GCM) for its speed and performance. By default, AES-GCM’s cipher text is the same length as the original plaintext. For transmitting sensitive communications like passwords, an eavesdropper could use the Ring-Road vulnerability to identify the length of your password and increase their chances to guess your password and successfullly login into your account.


How wide spread is the Ring-Road vulnerability?

QUIC is used by over 1 billion users and potentially could impact those that use passwords commonly used in the past. The Purdue team is still working to quantify the results. Our initial results have shown we can bypass authentication for 1 out of 10 users in G-mail. This estimate puts at least 10s of millions of G-mail users at risk and could be upwards of 100s of millions. AES-GCM is also used by TLS version 1.2. We have been unable to verify the Ring-Road vulnerability in TLS due to time constraints, but we strongly encourage other researchers to study TLS version 1.2 to see if Ring-Road exists.

Has this been abused in the wild?

Given the ease of finding this vulnerability, the Purdue team believes others have identified this bug.

How to stop exposure to sensitive data?

The team suggests to not use security protocols that have chosen to use AES-GCM to pass sensitive information like credentials over the Internet. Unfortunately, users do not have control over this option in some situations until alternatives or patches are developed.

We recommend the following steps:

Step 1: Users should disable QUIC in Chrome

Step 2: Users should enable two step verification with their G-mail account

Step 3: We suggest system administrators to block QUIC with their firewall

What is being done?

This vulnerability was reported to the United States Computer Emergency Response Team (US-CERT), Google, Apple, and Microsoft.

Google is working with the Internet Engineering Task Force (IETF) to look at ways to patch this bug potentially through the HTTP/2 standards forum and have notified the companies supporting major web browsers.

Apple has decided to use alternatives such as Advanced Encryption Standard, Cipher Block Chaining (AES-CBC) + Keyed Hash Authentication (HMAC) to achieve both confidentiality and integrity for sensitive data transmitted over the Internet.

Why is the bug called Ring-Road?

Ring-Roads is a road or a series of connected roads encircling an area, town, or city. Ring-Roads are used to help bypass congested areas and provide a faster route. In a similar fashion, QUIC and other security protocols that use AES-GCM are also designed to create a faster route on the Internet. Unfortunately, we do not believe using AES-GCM is the safest method when transmitting sensitive data such as passwords.

Who supported this research?

This research is a part of the Information Security Research and Education (INSuRE) project.

This work was funded under NSF grants award No. 1344369 and No. 1027493.

Any opinions, findings, or conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the National Science Foundation, Purdue University, or the National Security Agency.