Re: [TLS] SSL Renegotiation DOS

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 16 March 2011 14:46 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: mrex@sap.com
In-Reply-To: <201103161402.p2GE2oFm023860@fs4113.wdf.sap.corp>
Message-Id: <E1Pzs0s-000105-0f@login01.fos.auckland.ac.nz>
Date: Thu, 17 Mar 2011 03:47:50 +1300
Cc: tls@ietf.org
Subject: Re: [TLS] SSL Renegotiation DOS

Martin Rex <mrex@sap.com> writes:

>If a hostile client is targeting specific servers, it could create a valid
>PKCS#1 encrypted premaster secret once and then reuse it in all further
>handshakes -- saving the client the asymmetric crypto work on all additional
>connections, while still allowing the client to complete the TLS handshake
>successfully.

If you're just interested in a DoS then you don't even need to do that, just
shovel in 128 bytes of random noise and wait for the server's crypto engine to
collapse under the load.  You can't complete the handshake in this case, but
that's not the bit that you're targeting.

Peter.
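
A defender's view of the two variants discussed in this thread, as an added example that is not part of either message: a counter of failed handshakes only sees the random-noise client, because the client that reuses one valid premaster secret completes every handshake, so the code below budgets RSA private-key operations per source address before any decryption is attempted. The class and function names, the threshold of 5 operations per second and the event tuples are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class KeyOpBudget:
    """Sliding-window cap on RSA private-key operations per client address."""

    def __init__(self, max_ops, window_s):
        self.max_ops = max_ops
        self.window_s = window_s
        self._ops = defaultdict(deque)  # source -> timestamps of admitted ops

    def admit(self, src, now):
        """Return True if the server may spend a private-key op on src."""
        q = self._ops[src]
        while q and now - q[0] >= self.window_s:
            q.popleft()                 # forget ops that left the window
        if len(q) >= self.max_ops:
            return False                # refuse before decrypting anything
        q.append(now)
        return True


def replay(events, max_ops=5, window_s=1.0):
    """Feed (time_s, source, handshake_completed) events through the budget.

    Returns (ops_spent, refused, failed) dicts keyed by source address.
    """
    budget = KeyOpBudget(max_ops, window_s)
    spent, refused, failed = defaultdict(int), defaultdict(int), defaultdict(int)
    for t, src, completed in events:
        if not budget.admit(src, t):
            refused[src] += 1
            continue
        spent[src] += 1                 # the expensive decryption happens here
        if not completed:
            failed[src] += 1            # all a failure-only monitor would count
    return dict(spent), dict(refused), dict(failed)


# Constructed sample: RFC 5737 documentation addresses, about 1 s of traffic.
EVENTS = sorted(
    [(i * 0.01, "192.0.2.10", False) for i in range(100)]    # noise, never completes
    + [(i * 0.01, "192.0.2.20", True) for i in range(100)]   # reused secret, completes
    + [(i * 0.3, "198.51.100.7", True) for i in range(3)]    # ordinary client
)

if __name__ == "__main__":
    print(replay(EVENTS))
```

Both high-rate sources are held to the same number of private-key operations, while only the noise source ever appears in the failure count.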