Re: [TLS] Rizzo claims implementation attach, should be interesting

Nico Williams <> Tue, 20 September 2011 21:02 UTC

Date: Tue, 20 Sep 2011 16:04:25 -0500
From: Nico Williams <>
To: Phillip Hallam-Baker <>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [TLS] Rizzo claims implementation attach, should be interesting

On Tue, Sep 20, 2011 at 3:04 PM, Phillip Hallam-Baker <> wrote:
> On Tue, Sep 20, 2011 at 11:21 AM, Martin Rex <> wrote:
>> SSL was NEVER designed with a promise that you could multiplex
>> data from an evil attack with data from a victim over the very same
>> SSL connection and be secure against adaptive chosen plaintext
>> attacks trying to recover data from the victim.

I wasn't there.  I don't know what it was designed for.  But here's
the thing: why shouldn't the designers have assumed that some of the
data sent over SSL might be untrusted?  On what grounds would it have
been OK to say "no untrusted data, please"?  And where was this
restriction documented?

But let's grant that restriction.  That would have meant that we
should never have allowed IMAP over SSL, for example, and taking the
argument to extremes, we should never have allowed HTTP POST over SSL.

This is really Marsh's point, I think, and I agree with it.

> SSL came before Javascript and even before cookies. So this is certainly
> outside the model.
> Adding AES in CBC mode probably came after the model had been changed
> though.

Yeah, sure, but I think it's fairer to say that the subject probably
didn't come up, not that SSL was not intended for this.

> If we want to avoid this type of attack we should probably change the
> encryption mode. I don't like stream ciphers in general, but SSL was
> designed round one and has been extensively verified when a stream cipher is
> used.
> From a design point of view, re-use of the same key to encrypt each block is
> bad news and turning a block cipher into a stream cipher is bad news. Anyone
> know why CBC is so popular vs PCBC?

Block ciphers in counter mode are as broken in the face of key&IV
reuse as any stream cipher, and for the same sorts of reasons.  This
is not a reason to not use counter modes.  It's a reason to use them
with care.

For example, in a situation like Kerberos' PDUs counter modes are
dangerous because there's no "connection" context for most of those
PDUs, thus no way to prevent key&IV reuse.  But for TLS, and even
DTLS, there's no such issue.
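The key&IV-reuse failure described in the message above, as an added example that is not part of the original mail and not code from any TLS implementation: counter mode turns a block cipher into a stream cipher, so encrypting two messages under the same key and IV lets anyone who knows one plaintext recover the other by XOR, exactly as with a classic stream cipher. The block cipher is replaced by an HMAC-SHA256 stand-in (an assumption made to keep the example dependency-free; CTR mode only needs a PRF, so the property shown is the same as with AES), and `record_nonce`/`RecordSender` are an assumed illustration of the per-connection sequence-number context that prevents reuse, not the exact nonce layout of any TLS version.

```python
"""Key/IV reuse in counter mode: the keystream leaks plaintext XORs."""
import hashlib
import hmac

BLOCK = 16      # output block size of the stand-in block function
IV_LEN = 12     # 12-byte IV + 4-byte block counter = one 16-byte counter block


def block_fn(key: bytes, counter_block: bytes) -> bytes:
    """Stand-in for the block cipher (assumption: NOT AES, NOT any TLS stack's code).

    CTR mode only needs a pseudorandom function of (key, counter block), so an
    HMAC-SHA256 output truncated to one block behaves the same way for this
    demonstration and keeps the example dependency-free.
    """
    return hmac.new(key, counter_block, hashlib.sha256).digest()[:BLOCK]


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """n bytes of CTR keystream: block_fn(key, iv || counter) for counter = 0, 1, ..."""
    if len(iv) != IV_LEN:
        raise ValueError("iv must be %d bytes" % IV_LEN)
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += block_fn(key, iv + counter.to_bytes(BLOCK - IV_LEN, "big"))
        counter += 1
    return bytes(out[:n])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("xor operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CTR encryption is plaintext XOR keystream; decryption is the same operation."""
    return xor(plaintext, keystream(key, iv, len(plaintext)))


ctr_decrypt = ctr_encrypt


def recover_with_known_plaintext(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    """Attack when two messages were encrypted under the same key and IV.

    c_known XOR p_known gives back the keystream; XORing it into c_target
    strips the encryption from the second message without knowing the key.
    """
    if len(c_target) > len(c_known):
        raise ValueError("need at least as much known plaintext as target ciphertext")
    recovered_keystream = xor(c_known, p_known)
    return xor(c_target, recovered_keystream[: len(c_target)])


def record_nonce(fixed_iv: bytes, seq: int) -> bytes:
    """Per-record nonce: per-connection IV XORed with the record sequence number.

    Assumption: an illustrative construction in the spirit of the TLS record
    layer's connection context (a monotonically increasing sequence number),
    not the exact nonce layout of any TLS version.
    """
    return xor(fixed_iv, seq.to_bytes(IV_LEN, "big"))


class RecordSender:
    """One direction of a connection: every record gets a fresh nonce, so the
    keystream is never reused even when the same bytes are sent twice."""

    def __init__(self, key: bytes, fixed_iv: bytes) -> None:
        self.key = key
        self.fixed_iv = fixed_iv
        self.seq = 0

    def send(self, plaintext: bytes) -> bytes:
        ciphertext = ctr_encrypt(self.key, record_nonce(self.fixed_iv, self.seq), plaintext)
        self.seq += 1
        return ciphertext


if __name__ == "__main__":
    key = bytes(range(16))           # constructed sample key
    iv = b"\x00" * IV_LEN            # constructed sample IV
    attacker = b"GET /attacker-chosen/resource HTTP/1.1"   # constructed, known to attacker
    victim = b"Cookie: session=s3cr3t-do-not-leak"         # constructed, unknown to attacker
    c_att = ctr_encrypt(key, iv, attacker)
    c_vic = ctr_encrypt(key, iv, victim)   # same key and IV as the attacker's data: the bug
    print("recovered:", recover_with_known_plaintext(c_att, attacker, c_vic))
    sender = RecordSender(key, iv)
    r1, r2 = sender.send(victim), sender.send(victim)
    print("same plaintext, distinct records:", r1 != r2)
```

The attack half needs nothing but two ciphertexts and one known plaintext, which is why attacker-controlled data sharing a key and IV with victim data is fatal in any stream-cipher-like mode. The `RecordSender` half shows the mitigation the message alludes to: once every record carries a distinct sequence-number-derived nonce, the same key can safely encrypt attacker and victim data on one connection, because the keystreams no longer coincide.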