IETF Logo Mail Archive

Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS

Hanno Böck <hanno@hboeck.de> Fri, 15 December 2017 16:57 UTC

Return-Path: <hanno@hboeck.de>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 322A8129407 for <tls@ietfa.amsl.com>; Fri, 15 Dec 2017 08:57:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4nFXJ3Z13Fgl for <tls@ietfa.amsl.com>; Fri, 15 Dec 2017 08:57:54 -0800 (PST)
Received: from zucker2.schokokeks.org (zucker2.schokokeks.org [178.63.68.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12808129400 for <tls@ietf.org>; Fri, 15 Dec 2017 08:57:53 -0800 (PST)
Received: from pc1 ([2001:2012:127:3e00:b3bf:56a1:a140:6086]) (AUTH: LOGIN hanno-default@schokokeks.org, TLS: TLSv1/SSLv3, 256bits, ECDHE-RSA-AES256-GCM-SHA384) by zucker.schokokeks.org with ESMTPSA; Fri, 15 Dec 2017 17:58:01 +0100 id 000000000000001F.000000005A33FF19.000052F1
Date: Fri, 15 Dec 2017 17:57:48 +0100
From: Hanno Böck <hanno@hboeck.de>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Cc: Nikos Mavrogiannopoulos <nmav@redhat.com>, "<tls@ietf.org>" <tls@ietf.org>
Message-ID: <20171215175748.4e54ace8@pc1>
In-Reply-To: <CAHbuEH4CDdQyNdwK=JYLkw_tK+3u=GKeEs0EUt2byoVUwekqCA@mail.gmail.com>
References: <CAAF6GDeeo2xjv1Xu7SFXVZ_zM=XUVJHT=eqH4_-G3+4UHsfvgg@mail.gmail.com> <CACsn0cmMbbT1iAfmxnXHe00dNiqBMyoNkk7e2CyTKWrcdRTtcQ@mail.gmail.com> <CAAF6GDf+GxToBAN83O3NtLO4zJ-8Qax8KjMCGhXv_EhY+NDsKg@mail.gmail.com> <20171215020116.04f9ae15@pc1> <CADh2w8TDJxaruU0M2B1kXsLDzopZBpha0_T1cT8NcMqo0S29Gg@mail.gmail.com> <CAHbuEH4CDdQyNdwK=JYLkw_tK+3u=GKeEs0EUt2byoVUwekqCA@mail.gmail.com>
X-Mailer: Claws Mail 3.15.1-dirty (GTK+ 2.24.31; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/9VfbHgJ9r-vk-QCJ8UC8kWXwxpw>
Subject: Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Dec 2017 16:57:57 -0000

On Fri, 15 Dec 2017 11:47:54 -0500
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote:

> Is there a reason why a migration to PCKS #1 v2.2 doesn't help for TLS
> 1.2 and prior? I haven't noticed any discussion on that previously. Is
> it just the code base and not those using it being unwilling to
> upgrade supporting libraries?

It depends... particularly if we talk about encryption or signatures.

With Bleichenbacher attacks there are plenty of cross-protocol attack
possibilities, this was one of the papers at the TRON workshop:
https://www.nds.rub.de/media/nds/veroeffentlichungen/2015/08/21/Tls13QuicAttacks.pdf


While I believe we certainly can't get rid of PKCS #1 1.5 signatures
any time soon, I think we can get rid of PKCS #1 1.5 encryption (at
least on the server side for HTTPS). The number of legit connections is
really low.

If you run servers please check if you can do that. (I'm also
considering writing an RSA-kex-diediedie RFC when I find time for it.)

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

v2.23.0 | Report a Bug | By Email