yeah, if knowing the leading 192 bits of the plaintext (24 octets, per article) lets an attacker break a session encrypted with 256-bit AES, you've got bigger problems than a known-plaintext attack, methinks. :)

Well, it eliminates most of the possible keys. Out of 2^256 possible keys, only 2^64 are now possible.

This would be serious if someone found a way to easily identify which keys were still possible. From there, you could find the real key simply by a process of elimination. It would be somewhat lengthy, but not unreasonably so. But so far as I know, nobody yet knows how to easily identify which keys are still possible.

Note: I'm ignoring IVs here, partly because I don't know if HTTP2 uses them. They may make the process of elimination impossible (at least in realistic amounts of time).

This looks like exactly the kind of vulnerability that Tony Arcieri is, correctly, saying doesn't happen with modern ciphers.

HTTP2 doesn't "use IVs" at all, in that encryption in HTTP2 is provided by TLS. TLS does use random IVs, and modern TLS uses them correctly.

Isn't supposed to happen. It would be a break of AES if it were to be shown to be possible. However it would mean that such a break would be instantly exploitable, rather than having defense in depth by requiring multiple independent failures. Our crypto systems should not be so fragile...

No. As has been repeatedly pointed out: HTTP is positively loaded with much longer runs of known plaintext.

This may be true for a single session, but it would seem that having every session begin with the same long text could allow correlations to be drawn on large data sets, potentially leading to full recovery of the sessions.

Do you know of the proof that rules out such a possibility?

No, that is not a realistic vulnerability. I am now regretting nerding out about AES upthread, since I seem to have created the impression that there is some risk to having every HTTP request start with a fixed string. There is not.

>I seem to have created the impression that there is some risk to having every HTTP request start with a fixed string

Every HTTP request does not start with a fixed string. Every HTTP2 request apparently does (if I have read correctly).

>There is not.

Why not? What allows AES to escape such an attack?

There is not. This is something the first few lectures in Boneh's Coursera class should address for you.

> Why not? What allows AES to escape such an attack?

What attack? A known plaintext attack is just a type of attack. There aren’t any such known attacks against AES currently. http://crypto.stackexchange.com/a/10837/7264 is related.

Fair enough. Maybe there is some disagreement between the participants of this thread in what "known-known" means. I would say that without a proof that a known-plaintext attack cannot exist, one cannot say "There is not (a known-plaintext attack)." One could say, however, "I do not know of a known-plaintext attack against AES, however I do not know of a proof that rules one out."

Also, HTTP/2 traffic may be encrypted using another scheme (which may be vulnerable to large constant blocks in known locations). I don't think HTTP refers or deals at all with encryption. I'm not sure about HTTP2. My understanding is that they are application protocols only and that message integrity protocols occur at a different layer.

> Also, HTTP/2 traffic may be encrypted using another scheme (which may be vulnerable to large constant blocks in known locations).

This isn’t really a situation worth caring about when designing a protocol. If you’re choosing to encrypt something with weak encryption, you had better be darn sure that its vulnerabilities don’t apply. (And… why would you do that to begin with? No compelling performance reasons, even.)

If you use randomness (like in say CBC mode) that should suffice to give you IND-CPA security, no? And I believe GCM mode gives you IND-CCA2 security as well.

Actually CBC is a great mode for demonstrating how constructions built on secure primitives can introduce vulnerabilities. We can prepend a specific block to one with known plaintext in CBC mode to end up with garbage + plaintext we control.

There is a reason HTTP/2 requires GCM or other AEAD. TLS's MAC-before-encrypt is flawed because of these kinds of attacks.

Not actually requiring something to start with a fixed string doesn't really mean anything when every message begins with a fixed string because it's just the way to do.

doesn't HTTP require "VERB URL HTTP/VERSION" ?

Yes, but there are many VERBs and URLs.

but "GET / HTTP/1.1" is likely the most common.

I'd believe it might be the most common (though, I'd guess "GET /favicon.ico HTTP/1.1" to be a real contender). I highly doubt either are anywhere more than a small fraction of the total HTTP requests though.

What is it about this particular text that makes it not vulnerable? That it is short?