[Bodo Moeller <bodo at openssl.org>] OpenSSL Security Advisory: Timing-based attacks on SSL/TLS with CBC encryption
John Kelsey
kelsey.j at ix.netcom.com
Sun Feb 23 23:10:27 EST 2003
At 12:46 PM 2/21/03 -0500, Anton Stiglic wrote:
...
>If SSL required encrypt-then-MAC, a programmer
>would more naturally start by verifying the MAC, then decrypt
>the message, so Vaudenay's attack would be caught first by
>the MAC verification and the implementation would probably
>return an error after the MAC verification and not leak the
>information needed to discover the plaintext.
This works as long as the data the MAC is computed over includes everything
needed to decrypt the message. If there's context that's not included in
the MAC, you can end up accepting a different plaintext than the one that
was sent. (That should be obvious, but I've seen it messed up once or
twice.)
>So even though the attack is not directly the result of the SSL
>protocol spec, a spec which would favor encrypt-then-MAC
>would be better in my point of view and the security holes
>relating to this SSL attack in implementations might have much
>less of a chance of existing.
I think this is a good general principle, for the same reason. If you MAC
the ciphertext, then the designer of the protocol has some extra work to
do, proving that there's no way to accept the MAC but get a different
plaintext than was sent. If you MAC the plaintext, then the implementors
have extra work to do, which won't be nearly as well reviewed or understood
as the protocol.
> --Anton
--John Kelsey, kelsey.j at ix.netcom.com
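The two points in this exchange, that an encrypt-then-MAC receiver checks the tag before it ever touches padding, and Kelsey's caveat that the tag must cover every piece of context the decryption depends on, can be shown side by side in code. The following Go program is an added example written for this archive page; it is not code from the thread, from OpenSSL, or from any SSL/TLS implementation, and it uses an assumed toy record layout (a 4-byte header, a CBC IV, the ciphertext and an HMAC-SHA256 tag) with hard-coded test keys. The `coverContext` flag selects whether the header and IV are included under the MAC; `flipByte` stands in for a keyless attacker modifying one byte in transit.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Assumed toy record layout (not SSL/TLS): header || iv || ciphertext || tag.
const hdrLen, tagLen = 4, sha256.Size // 4-byte context field (e.g. a sequence number); HMAC-SHA256 tag

var errAuth, errPad = errors.New("authentication failed"), errors.New("bad padding")

// pad and unpad implement PKCS#7 padding for CBC.
func pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errPad
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errPad
	}
	return b[:len(b)-n], nil
}

// tag is HMAC-SHA256 over the record. With coverContext the header and IV are
// included, as Kelsey's point requires; without it only the ciphertext is.
func tag(macKey, header, iv, ct []byte, coverContext bool) []byte {
	m := hmac.New(sha256.New, macKey)
	if coverContext {
		m.Write(header)
		m.Write(iv)
	}
	m.Write(ct)
	return m.Sum(nil)
}

// seal: CBC-encrypt under a fresh random IV, then MAC (encrypt-then-MAC).
func seal(encKey, macKey, header, plaintext []byte, coverContext bool) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil || len(header) != hdrLen {
		return nil, errors.New("bad key or header length")
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	pt := pad(append([]byte(nil), plaintext...))
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	out := append(append(append([]byte{}, header...), iv...), ct...)
	return append(out, tag(macKey, header, iv, ct, coverContext)...), nil
}

// open verifies the MAC first; only an authenticated record is decrypted and
// unpadded, so a forgery never reaches the padding check (no padding oracle).
func open(encKey, macKey, msg []byte, coverContext bool) (header, plaintext []byte, err error) {
	ctLen := len(msg) - hdrLen - aes.BlockSize - tagLen
	if ctLen < aes.BlockSize || ctLen%aes.BlockSize != 0 {
		return nil, nil, errAuth
	}
	header, iv := msg[:hdrLen], msg[hdrLen:hdrLen+aes.BlockSize]
	ct := msg[hdrLen+aes.BlockSize : len(msg)-tagLen]
	if !hmac.Equal(msg[len(msg)-tagLen:], tag(macKey, header, iv, ct, coverContext)) {
		return nil, nil, errAuth
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if plaintext, err = unpad(pt); err != nil {
		return nil, nil, err
	}
	return header, plaintext, nil
}

// flipByte models a keyless attacker XORing one byte of the record in transit.
// Flipping IV byte i flips the same bits in byte i of the first plaintext block.
func flipByte(msg []byte, offset int, delta byte) []byte {
	t := append([]byte(nil), msg...)
	t[offset] ^= delta
	return t
}
```

With `coverContext` true, any change to the header, IV or ciphertext fails `hmac.Equal` and the receiver returns `errAuth` before decrypting. With it false, a flipped IV byte still verifies, and `open` hands back a plaintext whose first block differs from what was sent (the header is likewise silently alterable), which is exactly the "accept the MAC but get a different plaintext" failure Kelsey describes; the protocol designer, not the implementor, has to make sure the MAC's input includes everything decryption depends on.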
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com