[Bodo Moeller <bodo at openssl.org>] OpenSSL Security Advisory: Timing-based attacks on SSL/TLS with CBC encryption
Donald Eastlake 3rd
dee3 at torque.pothole.com
Sun Feb 23 19:33:08 EST 2003
There was even an OS that, for a time until the patch got out, when you
handed it a pointer to a user name and a pointer to a password,
conveniently returned to you the password pointer updated to point at
the first bad character in the password for that account.
Thanks,
Donald
======================================================================
Donald E. Eastlake 3rd dee3 at torque.pothole.com
155 Beaver Street +1-508-634-2066(h) +1-508-851-8280(w)
Milford, MA 01757 USA Donald.Eastlake at motorola.com
On 21 Feb 2003, Eric Rescorla wrote:
> Date: 21 Feb 2003 09:32:53 -0800
> From: Eric Rescorla <ekr at rtfm.com>
> To: Steven M. Bellovin <smb at research.att.com>
> Cc: cryptography at wasabisystems.com
> Subject: Re: [Bodo Moeller <bodo at openssl.org>] OpenSSL Security Advisory:
> Timing-based attacks on SSL/TLS with CBC encryption
>
> "Steven M. Bellovin" <smb at research.att.com> writes:
>
> > I'm struck by the similarity of this attack to Matt Blaze's master key
> > paper. In each case, you're guessing at one position at a time, and
> > using the response of the security system as an oracle. What's crucial
> > in both cases is the one-at-a-time aspect -- that's what makes the
> > attack linear instead of exponential.
> Indeed.
>
> And of course, both attacks resemble the old password guessing
> attack on character by character passwords where you time how
> long password verification takes. (The details are pretty
> hazy but ISTR that you arranged for the password to cross
> a page boundary to increase the time discrimination).
>
> -Ekr
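The point made in this thread, that a check which reveals where the first wrong character is turns an exponential search into a linear one, shown as an added example (not code from any of the posters or from OpenSSL). The function names, the lowercase-only alphabet and the sample secret are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Leaky check (constructed): like the OS behaviour described above, it
 * reports the index of the first wrong character; len means "all correct". */
static size_t leaky_check(const char *secret, const char *guess, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (secret[i] != guess[i])
            return i;                 /* early exit leaks the position */
    return len;
}

/* Hardened check: reads every byte, reveals only match / no match. */
static int ct_equal(const char *a, const char *b, size_t len) {
    unsigned char diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (unsigned char)a[i] ^ (unsigned char)b[i];
    return diff == 0;
}

/* Number of checks needed to pin down a lowercase secret when the checker
 * leaks the mismatch position: at most 26 per position, so 26 * len. */
static unsigned long queries_with_oracle(const char *secret, size_t len) {
    char guess[64];
    unsigned long queries = 0;
    if (len >= sizeof guess) return 0;
    memset(guess, 'a', len);
    for (size_t pos = 0; pos < len; pos++)
        for (char c = 'a'; c <= 'z'; c++) {
            guess[pos] = c;
            queries++;
            if (leaky_check(secret, guess, len) > pos)
                break;                /* this position is now settled */
        }
    return ct_equal(secret, guess, len) ? queries : 0;
}

/* Worst case when only match / no match is visible: 26^len guesses. */
static unsigned long long worst_case_blind(size_t len) {
    unsigned long long n = 1;
    while (len--) n *= 26;
    return n;
}

int main(void) {
    const char *secret = "zebra";     /* constructed sample value */
    printf("with position leak: %lu checks\n", queries_with_oracle(secret, 5));
    printf("match/no-match only: up to %llu checks\n", worst_case_blind(5));
    return 0;
}
```

A timing difference in an early-exit comparison plays the same role as the returned index here, which is why verification code should compare in the style of ct_equal.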