[Cryptography] Points of compromise

John Gilmore gnu at toad.com
Mon Sep 9 23:03:02 EDT 2013

Phillip Hallam-Baker <hallam at gmail.com> wrote:
> 5) Protocol vulnerability that IETF might have fixed but was discouraged
> from fixing.

By the way, it was a very interesting exercise to actually write out
on graph paper the bytes that would be sent in a TLS exchange.  I did
this with Paul Wouters while working on how to embed raw keys in TLS
(that would be authenticated from outside TLS, such as via DNSSEC).

Or, print out a captured TLS packet exchange, and try to sketch around
it what each bit/byte is for.  The TLS RFCs, unlike most Jon Postel
style RFCs, never show you the bytes -- they use a "high level
description" with separate rules for encoding those descriptions on
the wire.

There is a LOT of known plaintext in every exchange!

Known plaintext isn't the end of the world.  But it makes a great crib
for cryptanalysts who have some other angle to attack the system with.
Systems with more known plaintext are easier to exploit than those
with less.  Is that why TLS has more known plaintext than average?
Only the NSA knows for sure.


More information about the cryptography mailing list