IETF Logo Mail Archive

Re: [TLS] NIST TLS recomendations (PKCS#1 encryption attacks)

Martin Rex <martin.rex@sap.com> Mon, 27 November 2006 20:27 UTC

Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gon4u-0006kR-Ti; Mon, 27 Nov 2006 15:27:48 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1Gon4t-0006jd-DE for tls@lists.ietf.org; Mon, 27 Nov 2006 15:27:47 -0500
Received: from smtpde02.sap-ag.de ([155.56.68.170]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Gon4s-0007XF-0S for tls@lists.ietf.org; Mon, 27 Nov 2006 15:27:47 -0500
Received: from sap-ag.de (smtpde02) by smtpde02.sap-ag.de (out) with ESMTP id VAA08117; Mon, 27 Nov 2006 21:27:18 +0100 (MEZ)
From: Martin Rex <martin.rex@sap.com>
Message-Id: <200611272027.VAA14146@uw1048.wdf.sap.corp>
Subject: Re: [TLS] NIST TLS recomendations (PKCS#1 encryption attacks)
To: Pasi.Eronen@nokia.com
Date: Mon, 27 Nov 2006 21:27:16 +0100
In-Reply-To: <B356D8F434D20B40A8CEDAEC305A1F240374881B@esebe105.NOE.Nokia.com> from "Pasi.Eronen@nokia.com" at Nov 27, 6 03:05:14 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
X-SAP: out
X-SAP: out
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 4d87d2aa806f79fed918a62e834505ca
Cc: tls@lists.ietf.org
X-BeenThere: tls@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: martin.rex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/tls>
List-Post: <mailto:tls@lists.ietf.org>
List-Help: <mailto:tls-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@lists.ietf.org?subject=subscribe>
Errors-To: tls-bounces@lists.ietf.org

Pasi.Eronen@nokia.com wrote:
> 
>    Note: Attacks discovered by Bleichenbacher [BLEI] and Klima et al. 
>       [KPR03] can be used to attack a TLS server that reveals whether
>       a particular message, when decrypted, is properly PKCS#1
>       formatted, contains a valid PreMasterSecret structure, or has
>       the correct version number.
> 
>       The best way to avoid these vulnerabilities is to treat
>       incorrectly formatted messages in a manner indistinguishable
>       from correctly formatted RSA blocks. In other
> 
>       1. Generate a string R of 46 random bytes
> 
>       2. Decrypt the message M
> 
>       3. If the PKCS#1 padding is not correct, or the length of 
>          message M is not exactly 48 bytes:
>             premaster secret = ClientHello.client_version || R
>          else If ClientHello.client_version <= TLS 1.0, and
>          version number check is explicitly disabled:
>             premaster secret = M
>          else:
>             premaster secret = ClientHello.client_version || M[2..47]
> 
>       In any case, a TLS server MUST NOT generate an alert if
>       processing an RSA-encrypted premaster secret message fails, or
>       the version number is not as expected. Instead, it MUST continue
>       the handshake with a randomly generated premaster secret. Care
>       must also be taken to avoid leaking information about the error
>       situation via log files, or other channels.

I once had to analyze a handshake problem with a particular's vendor
SSL accellerator (server-side middle-box), where that box contained
an error in the RSA encryption and every once in a while sent garbage,
i.e. there was no recognizable PKCS#1 padding when RSA-decrypting
on the backend server.  I was lucky that our SSL implementation did
not use the OpenSSL approach, where this kind of error is not only
hidden from the peer, but also from the local caller.

Completely hiding the decryption failure from the local caller
creates a serious supportablility issue, so please be more careful
with the recommendation.  One should be careful, though, that the
local error reporting, which may be as simple as setting an integer
value to a particular value, does not result in a measurable timing
difference.  It is important that the local caller is able to
retrieve the real reason why the session establishment failed,
not "MAC failure" (as the SSL alert on the wire suggests") but
RSA-decryption failure.


-Martin

_______________________________________________
TLS mailing list
TLS@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls

v2.29.0 | Report a Bug | By Email | System Status