[Bodo Moeller <bodo at openssl.org>] OpenSSL Security Advisory: Timing-based attacks on SSL/TLS with CBC encryption
Anton Stiglic
astiglic at okiok.com
Tue Feb 25 10:41:51 EST 2003
Bodo Moeller wrote:
> Actually there are three choices:
>
> Pad-then-encrypt-then-MAC
> Pad-then-MAC-then-encrypt
> MAC-then-pad-then-encrypt
>
> It's true that pad-then-encrypt-then-MAC appears to be the safest
> approach in general, but pad-then-MAC-then-encrypt would also have
> avoided these attacks.
By Pad-t-MAC-t-encrypt, do you mean a scheme where
the MAC is also encrypted, or is left aside (the encrypt-and-
authenticate method)?
There are problems with the latter as well, see appendix C of the
paper from Krawczyk...
If it's the first, then I guess that what you mean by
Pad-t-MAC-t-encrypt is that you first pad the message (and
IV and whatever other context) such that when you append the MAC
(e.g. 160 bits with SHA1-MAC) to the ciphertext the resulting size is a
multiple of the block cipher size. So when you decrypt, you don't
check the padding, but then after verifying the MAC you would take
out the padding (and I guess verify it...). You can't play with the
padding, because the MAC will fail. But if you are using CBC-DES
as a MAC, you need to make sure that the MAC is verified first,
not check the padding first; if not, you *might* fall into a similar trap
(I'm not certain a vulnerability would exist in that context, but it sounds
plausible).
> [...]
> The attack demonstrated by
> Vaudenay et al. uses a less subtle timing difference (the difference
> between a MAC on about 256 SHA-1 input blocks and no MAC
> at all), but switching to Pad-then-MAC-then-encrypt should be considered
> for TLS 1.1.
Pad-t-MAC-t-encrypt sounds like an interesting avenue, but why
would you propose that for TLS 1.1 instead of just proposing the safe
Pad-t-Encrypt-t-MAC? If there is going to be a change,
might as well go with something that is provably secure, or is there some
reason (compatibility or something) to prefer Pad-t-MAC-t-Encrypt
that I do not see here?
--Anton
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
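The pad-then-MAC-then-encrypt construction Anton sketches above, together with the "trap" he speculates about (checking the padding before the MAC), as an added example that is not part of the original post or of OpenSSL. Everything in it is constructed for illustration: a toy 4-round Feistel network stands in for the block cipher, HMAC-SHA1 provides the 160-bit tag, the padding is TLS 1.0 style (n+1 trailing bytes equal to n), and the keys, IV and record are made up. The message is padded so that padded body plus tag fills whole blocks; two decryptors then process the same tampered records, one verifying the MAC first and one unpadding first, so that the difference in what they reveal to the sender of a forged record is visible.

```python
import hmac
import hashlib

BLOCK = 16    # block size of the toy cipher, same as AES
MAC_LEN = 20  # HMAC-SHA1 tag, 160 bits as in the post

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 16-byte block cipher (4-round Feistel, HMAC round function) standing in for DES/AES.
# Constructed for this example only; it is NOT a secure cipher.
def feistel(key, blk, rounds):
    l, r = blk[:8], blk[8:]
    for rnd in rounds:
        l, r = r, xor(l, hmac.new(key, bytes([rnd]) + r, hashlib.sha256).digest()[:8])
    return r + l  # undo the last swap, so that running the rounds in reverse order decrypts

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = feistel(key, xor(data[i:i + BLOCK], prev), range(4))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        out.append(xor(feistel(key, data[i:i + BLOCK], reversed(range(4))), prev))
        prev = data[i:i + BLOCK]
    return b"".join(out)

def pad(data, trailer_len):
    # TLS 1.0 style: n+1 trailing bytes each equal to n, chosen so that
    # data || padding || a trailer_len-byte MAC comes out as whole blocks.
    n = (-(len(data) + 1 + trailer_len)) % BLOCK
    return data + bytes([n]) * (n + 1)

def unpad(data):
    n = data[-1]
    if n + 1 > len(data) or data[-(n + 1):] != bytes([n]) * (n + 1):
        raise ValueError("bad padding")
    return data[:-(n + 1)]

def mac(mkey, data):
    return hmac.new(mkey, data, hashlib.sha1).digest()

# Pad-then-MAC-then-encrypt: the MAC covers message and padding, then everything is encrypted.
def pme_encrypt(ekey, mkey, iv, msg):
    padded = pad(msg, MAC_LEN)
    return cbc_encrypt(ekey, iv, padded + mac(mkey, padded))

def pme_decrypt_mac_first(ekey, mkey, iv, ct):
    # The order the post asks for: verify the MAC over the whole padded body, then unpad.
    if len(ct) % BLOCK or len(ct) < MAC_LEN + 1:
        raise ValueError("bad record")
    pt = cbc_decrypt(ekey, iv, ct)
    body, tag = pt[:-MAC_LEN], pt[-MAC_LEN:]
    if not hmac.compare_digest(tag, mac(mkey, body)):
        raise ValueError("bad record")  # one error for every failure: nothing to distinguish
    return unpad(body)  # only a body the sender padded gets this far, so tampering cannot reach it

def pme_decrypt_padding_first(ekey, mkey, iv, ct):
    # The trap the post warns about: unpadding before the MAC check reveals which check failed.
    pt = cbc_decrypt(ekey, iv, ct)
    body = unpad(pt[:-MAC_LEN])  # raises "bad padding" when the padding was hit ...
    if not hmac.compare_digest(pt[-MAC_LEN:], mac(mkey, pt[:-MAC_LEN])):
        raise ValueError("bad mac")  # ... and "bad mac" otherwise: a padding oracle
    return body

def failure_reason(fn, *args):
    try:
        fn(*args)
        return "ok"
    except ValueError as e:
        return str(e)

def demo():
    ekey, mkey, iv = b"E" * 16, b"M" * 16, bytes(range(BLOCK))  # constructed keys and IV
    msg = b"GET / HTTP/1.0\r\n"  # 16 bytes: the padded body is msg + 12 x 0x0b, then the 20-byte tag
    ct = pme_encrypt(ekey, mkey, iv, msg)
    # CBC: flipping byte j of ciphertext block k flips byte j of plaintext block k+1 (and garbles
    # block k). Plaintext block 1 holds the padding at offsets 16..27, then the start of the tag.
    pad_flip, tag_flip = bytearray(ct), bytearray(ct)
    pad_flip[11] ^= 0x01  # corrupts the padding length byte
    tag_flip[12] ^= 0x01  # corrupts the first tag byte and leaves the padding intact
    return {
        "roundtrip": pme_decrypt_mac_first(ekey, mkey, iv, ct) == msg,
        "padding_first": tuple(failure_reason(pme_decrypt_padding_first, ekey, mkey, iv, bytes(c))
                               for c in (pad_flip, tag_flip)),
        "mac_first": tuple(failure_reason(pme_decrypt_mac_first, ekey, mkey, iv, bytes(c))
                           for c in (pad_flip, tag_flip)),
    }

if __name__ == "__main__":
    print(demo())
```

The padding-first decryptor answers "bad padding" for one forged record and "bad mac" for the other, which is exactly the one bit of information a padding-oracle attacker needs per query; the MAC-first decryptor answers "bad record" to both. The same ordering point applies whatever the MAC is: with a CBC-MAC, as in Anton's CBC-DES remark, the MAC verification must still run before any byte of the padding is inspected, and the error (and, in practice, the time taken) must not depend on which check failed.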