Re: [TLS] Rizzo claims implementation attach, should be interesting

Martin Rex <> Thu, 29 September 2011 13:41 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id DF1E021F84AB for <>; Thu, 29 Sep 2011 06:41:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -10.064
X-Spam-Status: No, score=-10.064 tagged_above=-999 required=5 tests=[AWL=0.185, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_HI=-8]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id SnOXh0j6QhQe for <>; Thu, 29 Sep 2011 06:41:45 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 20C9421F8D3C for <>; Thu, 29 Sep 2011 06:41:44 -0700 (PDT)
Received: from by (26) with ESMTP id p8TDiVdv012601 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 29 Sep 2011 15:44:31 +0200 (MEST)
From: Martin Rex <>
Message-Id: <>
To: (Marsh Ray)
Date: Thu, 29 Sep 2011 15:44:31 +0200 (MEST)
In-Reply-To: <> from "Marsh Ray" at Sep 19, 11 09:31:18 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-SAP: out
Subject: Re: [TLS] Rizzo claims implementation attach, should be interesting
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 29 Sep 2011 13:41:50 -0000

Marsh Ray wrote:
> >    - avoid CBC-based cipher suites (at least when SSLv3 or TLSv1.0
> >      is negotiated), and use RC4-128 instead.
> Does TLS's use of RC4 still take the first bytes after initialization 
> with the key? Or does it discard the proper amount?
> I believe there was a mitigation put in place by OpenSSL: sending an 
> empty (just padding) message before each app data message. The document 
> at suggests that this could be a server-side 
> only change. I don't see how that would work since the session cookie 
> recovery attack is clearly happening on the client->server channel.
> I read somewhere that this mitigation was off by default in OpenSSL 
> because it some software (an old MSIE IIRC).

Why using a EMPTY (just padding) SSL record?  That looks like an
obvious untested border case.

How about using an initial SSL record with one byte of real data
for SSLv3 and TLSv1.0 SSL with CBC cipher suites?

Since the (H)MAC is using a secret MAC key and directly following the
data (the CBC padding is at the end), there will be significant
unknown distortion in the resulting plaintext to make the BEAST
attack impractical, I assume.  And it could be done immediately
on the browser side, without having to wait for the Servers
to implement TLSv1.1.