[Bodo Moeller <bodo at openssl.org>] OpenSSL Security Advisory: Timing-based attacks on SSL/TLS with CBC encryption

Bodo Moeller moeller at cdc.informatik.tu-darmstadt.de
Tue Feb 25 10:55:46 EST 2003


On Tue, Feb 25, 2003 at 10:41:51AM -0500, Anton Stiglic wrote:
> Bodo Moeller wrote:

>> Actually there are three choices:
>> 
>>      Pad-then-encrypt-then-MAC
>>      Pad-then-MAC-then-encrypt
>>      MAC-then-pad-then-encrypt
>> 
>> It's true that pad-then-encrypt-then-MAC appears to be the safest
>> approach in general, but pad-then-MAC-then-encrypt would also have
>> avoided these attacks.  

> By Pad-t-MAC-t-encrypt, do you mean a scheme where
> the MAC is also encrypted, or is left aside (the encrypt and 
> authenticate method)?

The former.

> If it's the first, then [...] if you are using CBC-DES
> as a MAC, you need to make sure that the MAC is verified first, 
> not check the padding first; if not you *might* fall into a similar trap 
> (I'm not certain a vulnerability would exist in that context, but it sounds
> plausible).

Yes, I meant that implementations should proceed like this for
pad-then-MAC-then-encrypt.  For such a scheme it is the more natural
way anyway to first decrypt, then verify the MAC, then look at the
padding.  (In the case of MAC-then-pad-then-encrypt, on the other
hand, you can't verify the MAC before having handled the padding.)


>> [...] switching to Pad-then-MAC-then-encrypt should be considered 
>> for TLS 1.1.

> Pad-t-MAC-t-encrypt sounds like an interesting avenue, but why 
> would you propose that for TLS 1.1 instead of just proposing the safe
> Pad-t-Encrypt-t-MAC?  If there is going to be a change, 
> might as well go with something that is provably secure, or is there some 
> reason (compatibility or something) to prefer Pad-t-MAC-t-Encrypt 
> that I do not see here?

For CBC (with explicit IVs, which we don't yet have in SSL 3.0 and
TLS 1.0) and for stream ciphers, both variants achieve provable
security.  The reason to prefer pad-then-MAC-then-encrypt is just
compatibility -- more specifically, ease of implementation (having
an improved protocol is much more useful if it makes it into many
actual products).


-- 
Bodo Möller <moeller at cdc.informatik.tu-darmstadt.de>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
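The three compositions discussed in the message, with the receiver-side
check order described above (decrypt, verify MAC, then look at the padding
for pad-then-MAC-then-encrypt; unpad before the MAC can even be located for
MAC-then-pad-then-encrypt), as an added example that is not code from the
e-mail, from OpenSSL or from any TLS implementation.  It assumes a stand-in
16-byte Feistel block cipher keyed through HMAC-SHA256 in place of AES or
DES (so it runs with the standard library only), TLS-style padding,
HMAC-SHA256 as the record MAC, and an explicit per-record IV as the
message argues for; all names are hypothetical.

```python
"""Pad/MAC/encrypt orderings for a CBC record layer and which check a
receiver trips over first.  Added illustration; the block cipher is a
4-round Feistel network with HMAC-SHA256 round functions standing in
for AES/DES (assumption, not for production use)."""
import hashlib
import hmac
import os

BLOCK = 16    # block size of the stand-in cipher
MAC_LEN = 32  # HMAC-SHA256 tag length


class PaddingError(ValueError):
    """Padding check failed (the error an attacker wants to distinguish)."""


class MacError(ValueError):
    """MAC check failed."""


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(k, i, half):
    # Keyed PRF round function: 8-byte output derived from the 8-byte half.
    return hmac.new(k, bytes([i]) + half, hashlib.sha256).digest()[:8]


def _block_enc(k, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(k, i, r))
    return l + r


def _block_dec(k, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(k, i, l)), l
    return l + r


def cbc_enc(k, iv, pt):
    assert len(pt) % BLOCK == 0, "caller must pad to the block size"
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = _block_enc(k, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_dec(k, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out.append(_xor(_block_dec(k, blk), prev))
        prev = blk
    return b"".join(out)


def pad(data):
    # TLS-style: p+1 bytes appended, every one of them equal to p.
    p = (BLOCK - (len(data) + 1) % BLOCK) % BLOCK
    return data + bytes([p]) * (p + 1)


def unpad(data):
    p = data[-1]
    if p + 1 > len(data) or any(b != p for b in data[-(p + 1):]):
        raise PaddingError("bad padding")
    return data[:-(p + 1)]


def mac(mk, data):
    return hmac.new(mk, data, hashlib.sha256).digest()


def _check_mac(mk, data, tag):
    if not hmac.compare_digest(tag, mac(mk, data)):
        raise MacError("bad MAC")


# --- pad-then-encrypt-then-MAC: MAC over IV||ciphertext, checked first ---
def send_pad_enc_mac(ek, mk, msg):
    iv = os.urandom(BLOCK)
    ct = cbc_enc(ek, iv, pad(msg))
    return iv + ct + mac(mk, iv + ct)


def recv_pad_enc_mac(ek, mk, rec):
    iv, ct, tag = rec[:BLOCK], rec[BLOCK:-MAC_LEN], rec[-MAC_LEN:]
    _check_mac(mk, iv + ct, tag)          # nothing is decrypted before this
    return unpad(cbc_dec(ek, iv, ct))


# --- pad-then-MAC-then-encrypt: MAC covers the padding and is encrypted ---
def send_pad_mac_enc(ek, mk, msg):
    iv = os.urandom(BLOCK)
    padded = pad(msg)
    return iv + cbc_enc(ek, iv, padded + mac(mk, padded))


def recv_pad_mac_enc(ek, mk, rec):
    iv, ct = rec[:BLOCK], rec[BLOCK:]
    pt = cbc_dec(ek, iv, ct)
    body, tag = pt[:-MAC_LEN], pt[-MAC_LEN:]  # fixed offset: no unpadding needed to find the tag
    _check_mac(mk, body, tag)                 # MAC first ...
    return unpad(body)                        # ... padding only afterwards


# --- MAC-then-pad-then-encrypt (SSL 3.0 / TLS 1.0 order) ---
def send_mac_pad_enc(ek, mk, msg):
    iv = os.urandom(BLOCK)
    return iv + cbc_enc(ek, iv, pad(msg + mac(mk, msg)))


def recv_mac_pad_enc(ek, mk, rec):
    iv, ct = rec[:BLOCK], rec[BLOCK:]
    body = unpad(cbc_dec(ek, iv, ct))   # padding MUST be handled before the MAC can be located
    msg, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    _check_mac(mk, msg, tag)
    return msg


def first_failing_check(recv, ek, mk, rec):
    """Name the check a receiver fails first: the outcome a padding oracle probes."""
    try:
        recv(ek, mk, rec)
        return None
    except PaddingError:
        return "padding"
    except MacError:
        return "mac"


def demo(ek=b"e" * 16, mk=b"m" * 16, msg=b"attack at dawn!"):
    """Flip the last byte of the second-to-last ciphertext block (which XORs
    into the final plaintext byte, the pad-length byte) and report, per
    scheme, which check the receiver rejects the record on.  Constructed
    sample: a 15-byte message, so every scheme yields a 48-byte ciphertext."""
    results = {}
    for name, send, recv in [("pad-enc-mac", send_pad_enc_mac, recv_pad_enc_mac),
                             ("pad-mac-enc", send_pad_mac_enc, recv_pad_mac_enc),
                             ("mac-pad-enc", send_mac_pad_enc, recv_mac_pad_enc)]:
        rec = send(ek, mk, msg)
        assert recv(ek, mk, rec) == msg       # honest round trip
        i = len(rec) - BLOCK - 1              # last byte of the penultimate ciphertext block
        tampered = rec[:i] + bytes([rec[i] ^ 0xFF]) + rec[i + 1:]
        results[name] = first_failing_check(recv, ek, mk, tampered)
    return results
```

Running demo() shows the structural point: the two MAC-before-padding
schemes reject the forged record on the MAC, whereas
MAC-then-pad-then-encrypt has to rule on the padding before it can find the
tag, so a padding failure is reported before any MAC work is done.  Whether
that difference leaks (through a distinct alert or through timing) is the
implementation's problem in the latter scheme and a non-issue in the former
two.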

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com