[12582] in cryptography@c2.net mail archive
Re: [Bodo Moeller ] OpenSSL Security Advisory: Timing-based attacks on SSL/TLS with CBC encryption
daemon@ATHENA.MIT.EDU (Bodo Moeller)
Tue Feb 25 10:07:39 2003
X-Original-To: cryptography@wasabisystems.com
X-Original-To: cryptography@wasabisystems.com
Date: Tue, 25 Feb 2003 13:12:35 +0100 (CET)
From: moeller@cdc.informatik.tu-darmstadt.de (Bodo Moeller)
To: cryptography@wasabisystems.com
Cc: Anton Stiglic <astiglic@okiok.com>, ietf-tls@lists.certicom.com
In-Reply-To: <004701c2d9d1$1f0049a0$4b956395@p1038mobile>
Anton Stiglic <astiglic@okiok.com>:
> If SSL required encrypt-then-MAC, a programmer
> would more naturally start by verifying the MAC, then decrypt
> the message, so Vaudenay's attack would be caught first by
> the MAC verification and the implementation would probably
> return an error after the MAC verification and not leak the
> information needed to discover the plaintext.
Actually there are three choices:
Pad-then-encrypt-then-MAC
Pad-then-MAC-then-encrypt
MAC-then-pad-then-encrypt
It's true that pad-then-encrypt-then-MAC appears to be the safest
approach in general, but pad-then-MAC-then-encrypt would also have
avoided these attacks. Unfortunately, SSL 3.0 and TLS 1.0 use
MAC-then-pad-then-encrypt.
> So even though the attack is not directly the result of the SSL
> protocol spec,
In a sense it is: as the block cipher padding is not to be included in
the MAC computation, you don't really know what bytes to compute a MAC
on before you have looked at the padding. If the adversary can count
exactly how many input blocks are fed to HMAC, then you have a problem
that you cannot easily work around. The attack demonstrated by
Vaudenay et al. users a less subtle timing difference (the difference
between a MAC on about 256 SHA-1 input blocks and no MAC at all), but
switching to Pad-then-MAC-then-encrypt should be considered for TLS 1.1.
--
Bodo Möller <moeller@cdc.informatik.tu-darmstadt.de>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
