[Bodo Moeller <bodo at openssl.org>] OpenSSL Security Advisory: Timing-based attacks on SSL/TLS with CBC encryption

Anton Stiglic astiglic at okiok.com
Tue Feb 25 10:41:51 EST 2003

Bodo Moeller wrote:

> Actually there are three choices:
>      Pad-then-encrypt-then-MAC
>      Pad-then-MAC-then-encrypt
>      MAC-then-pad-then-encrypt
> It's true that pad-then-encrypt-then-MAC appears to be the safest
> approach in general, but pad-then-MAC-then-encrypt would also have
> avoided these attacks.  

By Pad-t-MAC-t-encrypt, do you mean a scheme where
the MAC is also encrypted, or is left aside (the encrypt and 
authenticate method).

There are problems with the latter as well, see appendix C of the
paper from Krawczyk...

If it's the first, then I guess that what you mean by 
Pad-t-MAC-t-encrypt is that you first pad the message (and 
IV and whatever other context) such that when you append the MAC
(e.g 160 bits with SHA1-MAC) to the ciphertext the resulting size is a 
multiple of the block cipher size.  So when you decrypt, you don't
check the padding, but then after verifying the MAC you would take
out the padding (and I guess verify it...).  You can't play with the
padding, because the MAC will fail.  But if you are using CBC-DES
as a MAC, you need to make sure that the MAC is verified first, 
not check the padding first, if not you *might* fall in to a similar trap 
(I'm not certain a vulnerability would exist in that context, but it sounds

>The attack demonstrated by
>Vaudenay et al. users a less subtle timing difference (the difference
>between a MAC on about 256 SHA-1 input blocks and no MAC 
>at all), but switching to Pad-then-MAC-then-encrypt should be considered 
>for TLS 1.1.

Pad-t-MAC-t-encrypt sounds like an interesting avenue, but why 
would you propose that for TLS 1.1 instead of just proposing the safe
Pad-t-Encrypt-t-MAC?  If there is going to be a change, 
might as well go with something that is provably secure, or is there some 
reason (compatibility or something) to prefer Pad-t-MAC-t-Encrypt 
that I do not see here?


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list