[Bodo Moeller <bodo at openssl.org>] OpenSSL Security Advisory: Timing-based attacks on SSL/TLS with CBC encryption

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sat Feb 22 00:19:34 EST 2003


An extremely trivial observation, but may be useful to some:

>The attack assumes that multiple SSL or TLS connections involve a common
>fixed plaintext block, such as a password.

There's been a discussion about how this affects POP over SSL on a private
list.  My suggestion was:

-- Snip --

- Don't retry a connection repeatedly if it fails the first time (I guess you
  don't do that anyway, but some programs like Outlook try automated repeated
  connects).

- Add random whitespace to the initial messages so the password isn't always
  at a fixed location (that is, sprinkle extra spaces and tabs and whatnot
  around in the lines you send up to and including the password).

-- Snip --

This changes the padding on each message containing the password, making the
attack rather more difficult, and has the advantage that you don't need to
convince the party running the server to update their software.  Depending on
how much stuff you can send per message, you can vary it by quite a bit.  In
the POP case the "PASS xxx" would be a single message so you don't have quite
that much leeway, but it looks like you can add enough whitespace to make the
padding random.  Someone else on the list posted a followup to say he'd tried
it on two servers and they had no trouble with the whitespace.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
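
A sketch of the whitespace suggestion in the message above, as an added example that is not part of the original post: it inserts a random run of spaces and tabs between a POP3 command and its argument, then computes how that changes the CBC padding length and the block position of the password. Assumptions: the server accepts the extra whitespace (the post reports two that did), each command is sent as one record with minimal padding, and the cipher suite uses a 20-byte MAC with 8-byte blocks; the function names and the sample password are made up for illustration.

```python
import secrets

WS = b" \t"  # characters to sprinkle: spaces and tabs, as the post suggests

def jitter_command(keyword: bytes, argument: bytes, max_ws: int = 16) -> bytes:
    """Return b'KEYWORD<gap>argument\\r\\n' with a random 1..max_ws byte gap.

    Assumption: the server tolerates a run of whitespace between the command
    and its argument. Nothing is added after the argument, because a server
    may treat trailing whitespace as part of the password.
    """
    extra = secrets.randbelow(max_ws)  # 0 .. max_ws-1 additional bytes
    gap = b" " + bytes(secrets.choice(WS) for _ in range(extra))
    return keyword + gap + argument + b"\r\n"

def cbc_layout(line: bytes, secret: bytes, mac_len: int = 20, block: int = 8):
    """Return (padding_length, block_index, offset_in_block) for `secret`.

    Models one TLS 1.0 CBC record: data || MAC || padding || padding_length,
    padded to a multiple of `block` with the minimum padding (assumption).
    Defaults model HMAC-SHA1 (20 bytes) with 3DES (8-byte blocks).
    """
    pad_len = -(len(line) + mac_len + 1) % block
    start = line.index(secret)
    return pad_len, start // block, start % block

def survey(password: bytes, samples: int = 200):
    """Compare the layouts produced by a fixed and a jittered PASS line."""
    fixed = {cbc_layout(b"PASS " + password + b"\r\n", password)}
    varied = {cbc_layout(jitter_command(b"PASS", password), password)
              for _ in range(samples)}
    return fixed, varied

if __name__ == "__main__":
    fixed, varied = survey(b"hunter2")  # constructed sample password
    print("fixed layout :", sorted(fixed))
    print("jittered     :", len(varied), "distinct layouts")
    for layout in sorted(varied):
        print("  pad_len=%d block=%d offset=%d" % layout)
```

With the fixed line, every connection yields the same padding length and password offset; with the jittered line, both change from one connection to the next.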


