[Bodo Moeller <bodo at openssl.org>] OpenSSL Security Advisory: Timing-based attacks on SSL/TLS with CBC encryption

[Anton Stiglic]

If I'm not mistaken, the OpenSSL spec says that you should
MAC the (compressed) message, and then encrypt the message
and the MAC.
This composition is not generically secure, on the other hand you
can prove some nice things about the composition encrypt-then-
MAC assuming certain conditions, see for example
David Wagner's post on sci.crypt for a discussion about
that:

http://groups.google.ca/groups?q=sci.crypt+encrypt+then+authenticate+Wagner&
hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=aj77jo%241ko%241%40agate.berkeley.edu&rnum=
1

(using CBC-DES with a random IV and then HMAC,
with a KDF that derives independent keys for the encryption
and the MACing (the KDF in SSL looks like it can do this)
would satisfy these conditions.)

I now always recommend encrypt-then-MAC.

If SSL required encrypt-then-MAC, a programmer
would more naturally start by verifying the MAC, then decrypt
the message, so Vaudenay's attack would be caught first by
the MAC verification and the implementation would probably
return an error after the MAC verification and not leak the
information needed to discover the plaintext.

So even though the attack is not directly the result of the SSL
protocol spec, a spec which would favor encrypt-then-MAC
would be better in my point of view and the security holes
relating to this SSLattack in implementations might have much
less of a chance of existing.

 --Anton


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com