21

If I am communicating over a secure line (secured using SSL or TLS) and I send the server a message.

Could someone eavesdropping tell what that message was if they knew before hand a list of messages I am likely to send.

E.g. I send a message saying "Execute order 66" over a secure line. Someone was eavesdropping and suspected that I was going to send this order. Could they verify that I just sent that specific message by comparing the sent message with the same message encrypted with the same public key.

limbenjamin
user288447

  • For reference, the type of attack you're referring to is called a [known plaintext attack](http://en.wikipedia.org/wiki/Known-plaintext_attack). – user2752467 Apr 22 '15 at 22:55
  • `string decrypt_message(string ciphertext, string known_message) {return known_message;}` – user253751 Apr 23 '15 at 01:06

5 Answers

42

No, SSL uses a symmetric key so an attacker is unable to decrypt the message he has just captured.

However, SSL is vulnerable to a traffic analysis attack. E.g. if you have 2 messages of very different lengths, like

  1. "Execute order 66"
  2. "This is a very very very very very very very very very very very very very very very very very very very very long message".

If the attacker knows that the message has to be one of the 2, then based on the length of the encrypted message he will know which message you sent out.

More info on traffic analysis attack: http://webcache.googleusercontent.com/search?q=cache:KKy5MbfirYkJ:https://www.cs.berkeley.edu/~daw/teaching/cs261-f98/projects/final-reports/ronathan-heyning.ps+&cd=4&hl=en&ct=clnk&gl=us

limbenjamin

  • Outside the parameters of the original question, but additional information can also be gained from traffic analysis. If different messages go to different recipients, and the attacker knows this correlation, she can deduce which message(s) it could be based on the IP address of the destination. If each message is only sent at certain times of the day ('order pizza' only in evenings, 'coffee!' only in the morning), she could also use this to deduce the message. Rate of sending messages is also useful. "order coffee" will likely occur less often/at less consistent intervals than a GOS tracker. – atk Apr 22 '15 at 17:15
  • That was "GPS" not GOS tracker. Typo noticed after 5 min, so cannot be corrected. – atk Apr 22 '15 at 19:11
  • Would make more sense to use as example _"Execute order 66"_ vs. _"Execute order 666"_, then. If this exploit works with just 1-byte difference. – o0'. Apr 22 '15 at 22:25
  • Also note that most ciphersuites are block ciphers (e.g. AES-CBC), which require padding, unlike stream ciphers (RC4, AES-GCM). For example with 16 byte padding, that would make it harder to guess the original message length. Either way, if this message length distinction is a (potential) problem I would suggest to pad the message yourself in your application. For example, pad on ~ 1Kbyte message blocks, so that the application data still fits in a single Ethernet frame. However, I think this could/should be part of the TLS socket, which could solve issues like this. – gertvdijk Apr 23 '15 at 09:14

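The length leak described in this answer and its comments, as an added example (not code from the answer or from any TLS implementation). The record layer below is a constructed stand-in for a TLS stream-cipher suite: a SHA-256 counter-mode keystream plus a truncated HMAC tag, chosen only so the block runs with the standard library. The cipher is irrelevant to the point; what the eavesdropper uses is that ciphertext length equals plaintext length plus a fixed overhead. `guess_by_length` is the observer's check, `pkcs7_pad` is the 16-byte block padding a CBC suite would add, and `pad_to_fixed` is the application-level padding to a fixed frame size suggested in the last comment; all names and the sample key are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Toy record framing: nonce || ciphertext || tag. Record length reveals
# plaintext length exactly, which is all traffic analysis by size needs.
NONCE_LEN = 12
TAG_LEN = 16

# Constructed sample data for the demonstration.
KEY = b"constructed-demo-key-not-secret!"
SHORT = b"Execute order 66"
ALMOST = b"Execute order 666"
LONG = (b"This is a very very very very very very very very very very "
        b"very very very very very very very very very very long message")


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode, used here as a toy keystream (not a real cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one record; the eavesdropper sees only the returned bytes."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def pkcs7_pad(data: bytes, block: int = 16) -> bytes:
    """Block-cipher style padding: hides length differences only within one block."""
    n = block - (len(data) % block)
    return data + bytes([n]) * n


def pad_to_fixed(data: bytes, size: int = 1024) -> bytes:
    """Application-level padding: 2-byte length prefix, then zero fill to `size`."""
    if len(data) + 2 > size:
        raise ValueError("message too long for fixed-size frame")
    return len(data).to_bytes(2, "big") + data + b"\x00" * (size - 2 - len(data))


def guess_by_length(record: bytes, candidates, pad=None):
    """Eavesdropper's view: which candidate messages fit the observed record length?
    `pad` is the padding the sender applied before sealing (None = no padding).
    Returns every candidate that fits; one element means the message is identified."""
    body_len = len(record) - NONCE_LEN - TAG_LEN

    def sealed_len(m: bytes) -> int:
        return len(pad(m) if pad else m)

    return [c for c in candidates if sealed_len(c) == body_len]


if __name__ == "__main__":
    print("no padding:   ", guess_by_length(seal(KEY, SHORT), [SHORT, LONG]))
    print("16-byte pad:  ", guess_by_length(seal(KEY, pkcs7_pad(SHORT)),
                                            [SHORT, ALMOST, LONG], pad=pkcs7_pad))
    print("1 KiB frame:  ", guess_by_length(seal(KEY, pad_to_fixed(SHORT)),
                                            [SHORT, ALMOST, LONG], pad=pad_to_fixed))
```

With no padding the 16-byte order and the long message are told apart immediately. With 16-byte block padding, "order 66" and "order 666" both become 32-byte bodies and can no longer be separated, but the long message still stands out. Only the fixed-size frame makes all three candidates indistinguishable by length; timing, destination and rate, as the comments note, are separate channels that padding does not address.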

13

No.

See How does SSL/TLS work?: basically, every time you transfer data, it's encrypted with a symmetric key generated for that particular transaction. The public key is only used to verify the server's identity, so even if the attacker knows it, they can't tell what message you sent simply by looking at the ciphertext.

Mark

7

Well in the case of SSL, it would not be possible because of the way SSL works. The message would not be encrypted with the public key.

Instead, the public key would be used to share information between the two persons in order to agree on a symmetric session key. This key will then be used to encrypt the "order", so you can't replicate this on your own since the exchanged key is unknown.

M'vy

5

To answer a different part of your question: No, even if the message was encrypted using the public key, real asymmetric encryption systems will not let the attacker easily try their list of possibilities and look for a match with the ciphertext. This exact concern is why asymmetric encryption is always done using a probabilistic encryption scheme, in which some randomness is injected into the encryption process so the same message doesn't always encrypt the same way. In RSA this is done using padding schemes; some other systems include randomness in the core operation, but in all cases the encryption process includes "pick a random number." An absolute baseline requirement for a public-key system to be considered secure is that the attacker can't tell which of two messages a ciphertext corresponds to even if they chose the two messages and have the ability to encrypt whatever they want.

cpast

4

As the others answered, it is generally not possible.

However, there is always the possibility of having some information leaking depending on how the message is structured: an observer could read the encrypted message flow between parties and obtain some of the meaning of these messages based on size or flow.

Stephane