Re: [TLS] A closer look at ROBOT, BB Attacks, timing attacks in general, and what we can do in TLS

Hanno Böck <> Fri, 15 December 2017 16:57 UTC

Date: Fri, 15 Dec 2017 17:57:48 +0100
From: Hanno Böck <>
To: Kathleen Moriarty <>
Cc: Nikos Mavrogiannopoulos <>, "<>" <>
Message-ID: <20171215175748.4e54ace8@pc1>
In-Reply-To: <>
References: <> <> <> <20171215020116.04f9ae15@pc1> <> <>

On Fri, 15 Dec 2017 11:47:54 -0500
Kathleen Moriarty <> wrote:

> Is there a reason why a migration to PKCS #1 v2.2 doesn't help for TLS
> 1.2 and prior? I haven't noticed any discussion on that previously. Is
> it just the code base and not those using it being unwilling to
> upgrade supporting libraries?

It depends... particularly if we talk about encryption or signatures.

With Bleichenbacher attacks there are plenty of cross-protocol attack
possibilities; this was one of the papers at the TRON workshop:

While I believe we certainly can't get rid of PKCS #1 1.5 signatures
any time soon, I think we can get rid of PKCS #1 1.5 encryption (at
least on the server side for HTTPS). The number of legit connections is
really low.

If you run servers please check if you can do that. (I'm also
considering writing an RSA-kex-diediedie RFC when I find time for it.)

Hanno Böck

GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
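The check Hanno asks server operators to do above (find out whether static RSA key exchange, i.e. PKCS #1 v1.5 encryption of the premaster secret, can be switched off) comes down to two questions: which configured suites still use it, and how many real clients negotiate them. The following is an added example for this thread, not code from the mail or from any TLS library. It assumes IANA cipher-suite names and a constructed handshake log format (`client=... proto=... suite=...`); both the log lines and the suite list are made up for illustration.

```python
"""
Added example: classify TLS cipher suites by key exchange so an operator can
see which ones still carry an RSA PKCS#1 v1.5-encrypted premaster secret (the
surface a Bleichenbacher/ROBOT-style padding oracle needs), and tally a
handshake log to estimate how many clients dropping them would affect.
Suite names are IANA names; the log format and sample lines are constructed.
"""
import re
from collections import Counter

# TLS 1.3 suites name no key exchange: they only run over ephemeral (EC)DHE.
TLS13_SUITES = {
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
}

# IANA names are TLS_<kex>_WITH_<cipher>_<hash>; capture the <kex> part.
KEX_RE = re.compile(r"TLS_([A-Z0-9_]+?)_WITH_")

# Constructed log format: one handshake per line.
LOG_RE = re.compile(r"client=(?P<client>\S+) proto=(?P<proto>\S+) suite=(?P<suite>\S+)")


def key_exchange(suite: str) -> str:
    """Return the key-exchange family of an IANA cipher-suite name,
    e.g. 'RSA', 'ECDHE_RSA', 'DHE_RSA', 'RSA_PSK', or 'TLS1.3'."""
    if suite in TLS13_SUITES:
        return "TLS1.3"
    m = KEX_RE.match(suite)
    if not m:
        raise ValueError(f"not an IANA cipher-suite name: {suite}")
    return m.group(1)


def uses_rsa_encryption(suite: str) -> bool:
    """True if the premaster secret is RSA-encrypted (PKCS#1 v1.5).
    That is the RSA, RSA_EXPORT and RSA_PSK families; ECDHE_RSA/DHE_RSA only
    use RSA for signatures, so they are not affected by the oracle."""
    return key_exchange(suite).startswith("RSA")


def split_suites(suites):
    """Partition a configured suite list into (rsa_encryption, remaining)."""
    rsa = [s for s in suites if uses_rsa_encryption(s)]
    keep = [s for s in suites if not uses_rsa_encryption(s)]
    return rsa, keep


# Constructed sample log (addresses from documentation ranges).
SAMPLE_LOG = """\
2017-12-15T17:50:01Z client=198.51.100.7 proto=TLSv1.2 suite=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
2017-12-15T17:50:02Z client=198.51.100.8 proto=TLSv1.2 suite=TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
2017-12-15T17:50:03Z client=203.0.113.4 proto=TLSv1.2 suite=TLS_RSA_WITH_AES_128_CBC_SHA
2017-12-15T17:50:04Z client=198.51.100.9 proto=TLSv1.3 suite=TLS_AES_256_GCM_SHA384
2017-12-15T17:50:05Z client=198.51.100.7 proto=TLSv1.2 suite=TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
2017-12-15T17:50:06Z client=203.0.113.4 proto=TLSv1.2 suite=TLS_RSA_WITH_AES_128_CBC_SHA
"""


def rsa_kex_impact(log_text: str):
    """Count handshakes that negotiated an RSA-encryption suite.
    Returns (rsa_handshakes, total_handshakes, rsa_clients); rsa_clients is a
    Counter of client addresses that would stop connecting after removal."""
    total = rsa = 0
    clients = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # skip lines that are not handshake records
        total += 1
        if uses_rsa_encryption(m["suite"]):
            rsa += 1
            clients[m["client"]] += 1
    return rsa, total, clients


if __name__ == "__main__":
    configured = [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_AES_256_GCM_SHA384",
    ]
    rsa_suites, remaining = split_suites(configured)
    print("suites to drop:", rsa_suites)
    print("suites to keep:", remaining)
    rsa_n, total, clients = rsa_kex_impact(SAMPLE_LOG)
    print(f"{rsa_n}/{total} handshakes used RSA-encrypted key exchange;"
          f" affected clients: {dict(clients)}")
```

On an OpenSSL-based server the same removal is expressed in the cipher string by excluding the `kRSA` key-exchange class (for example appending `:!kRSA` to the existing list); the tally above tells you beforehand which clients, if any, would lose the ability to connect.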