[Bodo Moeller <bodo at openssl.org>] OpenSSL Security Advisory: Timing-based attacks on SSL/TLS with CBC encryption

John Kelsey kelsey.j at ix.netcom.com
Sun Feb 23 23:10:27 EST 2003

At 12:46 PM 2/21/03 -0500, Anton Stiglic wrote:
>If SSL required encrypt-then-MAC, a programmer
>would more naturally start by verifying the MAC, then decrypt
>the message, so Vaudenay's attack would be caught first by
>the MAC verification and the implementation would probably
>return an error after the MAC verification and not leak the
>information needed to discover the plaintext.

This works as long as the data the MAC is computed over includes everything 
needed to decrypt the message.  If there's context that's not included in 
the MAC, you can end up accepting a different plaintext than the one that 
was sent.  (That should be obvious, but I've seen it messed up once or 

>So even though the attack is not directly the result of the SSL
>protocol spec, a spec which would favor encrypt-then-MAC
>would be better in my point of view and the security holes
>relating to this SSLattack in implementations might have much
>less of a chance of existing.

I think this is a good general principle, for the same reason.  If you MAC 
the ciphertext, then the designer of the protocol has some extra work to 
do, proving that there's no way to accept the MAC but get a different 
plaintext than was sent.  If you MAC the plaintext, then the implementors 
have extra work to do, which won't be nearly as well reviewed or understood 
as the protocol.

>  --Anton

--John Kelsey, kelsey.j at ix.netcom.com
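Kelsey's two points, encrypt-then-MAC with the decryption context (here the IV) inside the MAC, and a receiver that checks the MAC before it touches padding, as an added example that is not code from this thread or from OpenSSL. The 16-byte Feistel "block cipher", the keys and the message are constructed stand-ins; `mac_covers_iv=False` models the mistake of leaving context out of the MAC.

```python
import hmac, hashlib
BLOCK = 16  # toy 16-byte block: 4-round Feistel with HMAC-SHA256 as round function (constructed, not a real cipher)
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]
def block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, r, i))
    return l + r
def block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):  # undo the rounds in reverse order
        l, r = xor(r, _f(key, l, i)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)
def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def pad(msg: bytes) -> bytes:  # PKCS#7-style padding
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n
def unpad(padded: bytes) -> bytes:
    n = padded[-1]
    if not 1 <= n <= BLOCK or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # under MAC-then-encrypt this distinguishable error is the padding oracle
    return padded[:-n]

def _mac(mac_key: bytes, iv: bytes, ct: bytes, mac_covers_iv: bool) -> bytes:
    # mac_covers_iv=False models the "context left out of the MAC" mistake: the IV is then unauthenticated
    return hmac.new(mac_key, (iv + ct) if mac_covers_iv else ct, hashlib.sha256).digest()
def etm_seal(enc_key: bytes, mac_key: bytes, iv: bytes, msg: bytes, mac_covers_iv: bool = True):
    ct = cbc_encrypt(enc_key, iv, pad(msg))
    return ct, _mac(mac_key, iv, ct, mac_covers_iv)
def etm_open(enc_key: bytes, mac_key: bytes, iv: bytes, ct: bytes, tag: bytes, mac_covers_iv: bool = True):
    if not hmac.compare_digest(_mac(mac_key, iv, ct, mac_covers_iv), tag):
        return None  # reject before any decryption or padding check, so a forged record never reaches unpad()
    return unpad(cbc_decrypt(enc_key, iv, ct))
```

With the IV inside the MAC, a flipped IV byte is rejected like any other forgery; with it left out, the receiver accepts a record whose first plaintext block differs from what was sent, which is exactly the "different plaintext than the one that was sent" case.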

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
