How effective is open source crypto?
Anne & Lynn Wheeler
lynn at garlic.com
Sun Mar 16 12:17:39 EST 2003
At 08:40 AM 3/16/2003 -0800, Eric Rescorla wrote:
>You still need a round trip in order to prevent replay attacks. The
>fastest that things can be while still preserving the security
>properties of TLS is:
>
>ClientHello ->
>ClientKeyExchange ->
>Finished ->
> <- ServerHello
> <- Finished
>Data ->
>
>See Boneh and Schacham's "Fast-Track SSL" paper in Proc.ISOC NDSS 2002
>for a description of a scheme where the client caches the server's
>parameters for future use, which is essentially isomorphic
>to having the keys in the DNS as far as the SSL portion goes.
>
>In any case, the optimization you describe provides almost no
>performance improvement for the server because the load on the server
>derives almost entirely from the cryptography, not from transmitting
>the ServerHello [0]. What it does is provide reduced latency,
>but this is only of interest to the client, not the server,
>and really only matters on very constrained links.
>
>-Ekr
>
>[0] With the exception of the ephemeral modes, but they're simply
>impossible in the scheme you describe.
Sorry, there were two pieces being discussed.
The part about SSL being a burden/load on servers ....
and the shorten SSL description taken from another discussion. The shorten
SSL description was (in fact) from a discussion of the round-trips and
latency ... not particularly burden on the server. In the original
discussion there was mention about HTTP requires TCP setup/teardown which
is minimum seven packet exchange .... and any HTTPS chatter is in addition
to that. VMTP, from rfc1045 is minimum five packet exchange, and XTP is
minimum three packet exchange. A cached/dns SSL is still minimum seven
packet exchange done over TCP (although XTP would reduce that to three
packet exchange).
So what kind of replay attack is there. Looking at purely e-commerce ...
there is no client authentication. Also, since the client always chooses a
new, random key .... there is no replay attack on the client ... since the
client always sends something new (random key) every time. That just leaves
replay attacks on the server (repeatedly sending the same encrypted data).
As follow-up to doing the original e-commerce stuff ... we then went on to
look at existing vulnerabilities and solutions .... and (at least) the
payment system has other methods already in place with regard to getting
duplicate transaction .... aka standards body for all payments (credit,
debit, stored-value, etc) in all (electronic) environments (internet,
point-of-sale, self-serve, face-to-face, etc), X9.59
http://www.garlic.com/~lynn/index.html#x959 (standard)
http://www.garlic.com/~lynn/index.html#aadsnacha (debit/atm network pilot)
Replay for simple information retrieval isn't particularly serious except
as DOS .... but serious DOS can be done whether flooding is done with
encrypted packets or non-encrypted packets. Another replay attack is
transaction based ... where each transaction represents something like
performing real world transaction (send a shirt and debit account). If it
actually involves payment ... the payment infrastructure has provisions in
place to handle repeat/replay and will reject. So primarily what is left
.... are simple transaction oriented infrastructures that don't have their
own mechanism for detecting replay/repeats and are relying on SSL.
I would also contend that this is significantly smaller exposure than
self-signed certificates.
--
Anne & Lynn Wheeler http://www.garlic.com/~lynn/
Internet trivia 20th anv http://www.garlic.com/~lynn/rfcietff.htm
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list