[2885] in cryptography@c2.net mail archive
Re: PKCS#1 Attack Summary
daemon@ATHENA.MIT.EDU (Tom Weinstein)
Sat Jun 27 10:18:32 1998
Date: Sat, 27 Jun 1998 06:32:00 -0700
From: Tom Weinstein <tomw@netscape.com>
To: Bill Stewart <bill.stewart@pobox.com>
CC: cypherpunks@cyberpass.net, cryptography@c2.net
Bill Stewart wrote:
>
> The basic countermeasures are to reduce the probability that
> "stuff" will be good enough for the recipient to continue
> processing it (e.g. use the RSA-decrypted session key
> to try to decrypt the credit-card number or other message),
> to make the error messages less informative to the sender,
> and to refuse to process huge numbers of bad attempts
> from a given sender. (Email, for instance, isn't very vulnerable,
> since you typically don't send back error messages saying the
> mail didn't decrypt, and most mail clients are used by humans,
> who will generally get some clue that there's a problem
> if they receive millions of bad messages, even if their
> mail servers or mail clients don't crash first.)
For SSL, the data is a secret that is used to generate session keys.
Our fix is to generate a random value to use as the secret in the event
of any errors with the decrypted block. The result of this is that the
client can't distinguish between a badly formed block and a well formed
block with a bogus key. This eliminates the information leak, which is
superior to simply increasing the complexity of the attack such as you'd
get by adding more checks on the block formatting.
--
What is appropriate for the master is not appropriate | Tom Weinstein
for the novice. You must understand Tao before        | tomw@netscape.com
transcending structure. -- The Tao of Programming     |
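The countermeasure Tom describes, as an added example that is not from the original mail or from Netscape's code: a PKCS#1 v1.5 type-2 unpad that, on any formatting problem, hands back a fresh random pre-master secret (48 bytes in SSL) so the handshake simply fails later with no distinguishable error. The block layout, the 48-byte secret length and the helper names are assumptions.

```python
import secrets

# Constructed example: a PKCS#1 v1.5 type-2 block as it looks after RSA
# decryption (integer converted back to k bytes):
#   00 02 <at least 8 nonzero padding bytes> 00 <message>

def pkcs1_v15_pad(message: bytes, k: int) -> bytes:
    """Build a type-2 block for a k-byte modulus (hypothetical helper)."""
    ps_len = k - 3 - len(message)
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    ps = bytes(b or 1 for b in secrets.token_bytes(ps_len))  # no zero bytes
    return b"\x00\x02" + ps + b"\x00" + message

def pkcs1_v15_unpad_strict(block: bytes, k: int) -> bytes:
    """The leaky shape: each formatting problem surfaces as its own error,
    which is exactly the signal Bill's mail is worried about."""
    if len(block) != k or block[0] != 0x00 or block[1] != 0x02:
        raise ValueError("bad block type")
    sep = block.find(b"\x00", 2)
    if sep == -1 or sep - 2 < 8:
        raise ValueError("bad padding")
    return block[sep + 1:]

def pkcs1_v15_unpad_or_random(block: bytes, k: int, secret_len: int) -> bytes:
    """Tom's fix: run every check, then return either the real payload or a
    random secret of the expected length. No exception, no distinct error, so
    a malformed block and a well-formed block with a wrong key look the same
    to the peer (a failed Finished message). Timing is a separate concern."""
    ok = len(block) == k
    ok &= block[0:1] == b"\x00"
    ok &= block[1:2] == b"\x02"
    sep = block.find(b"\x00", 2)
    ok &= sep != -1 and sep >= 10          # >= 8 bytes of padding after 00 02
    payload = block[sep + 1:] if sep != -1 else b""
    ok &= len(payload) == secret_len       # SSL pre-master secret is 48 bytes
    random_secret = secrets.token_bytes(secret_len)  # drawn unconditionally
    return payload if ok else random_secret

if __name__ == "__main__":
    k = 128  # 1024-bit modulus
    premaster = bytes(range(48))
    good = pkcs1_v15_pad(premaster, k)
    bad = b"\x00\x01" + good[2:]  # wrong block type byte
    print(pkcs1_v15_unpad_or_random(good, k, 48) == premaster)  # True
    print(len(pkcs1_v15_unpad_or_random(bad, k, 48)))            # 48, random
```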