Re: [TLS] History of TLS analysis (was Re: TLS 1.2 Long-term Support Profile draft posted)

Bodo Moeller <bmoeller@acm.org> Mon, 21 March 2016 09:57 UTC

MIME-Version: 1.0
In-Reply-To: <CACsn0c=r7m94xOg0T=sxXn0JMfDq0us2iuEWi29uFEgE+r4SLw@mail.gmail.com>
References: <CACsn0c=r7m94xOg0T=sxXn0JMfDq0us2iuEWi29uFEgE+r4SLw@mail.gmail.com>
Date: Mon, 21 Mar 2016 10:57:46 +0100
Message-ID: <CADMpkcLi5akSi5Hk8bnK0kzScmmF1tMtYVLStARdiKjYTvk6+A@mail.gmail.com>
From: Bodo Moeller <bmoeller@acm.org>
To: Watson Ladd <watsonbladd@gmail.com>
Content-Type: multipart/alternative; boundary="001a113fc32cf6d2db052e8c203b"
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/btr5v7sfnU79mtny0x8uiLtWiRA>
Cc: "<tls@ietf.org>" <tls@ietf.org>
Subject: Re: [TLS] History of TLS analysis (was Re: TLS 1.2 Long-term Support Profile draft posted)
Precedence: list

Watson Ladd <watsonbladd@gmail.com>:

The use of predictable IVs in TLS 1.0 was first commented on by
> Rogaway in 1995. (I'm hunting down the source, but this is from a
> presentation of Patterson)


I think you mean
http://web.cs.ucdavis.edu/~rogaway/papers/draft-rogaway-ipsec-comments-00.txt,
which discussed the problem of predictable IVs in the context of work
towards IPSEC, without making the connection to SSL.  Note that this was
before TLS 1.0 and, I think, before SSL 3.0.  SSL 2.0 already had
predictable CBC IVs but placed the MAC before the payload in the
to-be-encrypted data, which, through sheer luck, avoided the problem.

Bodo

[TLS] History of TLS analysis (was Re: TLS 1.2 Lo… Watson Ladd
Re: [TLS] History of TLS analysis (was Re: TLS 1.… Peter Gutmann
Re: [TLS] History of TLS analysis (was Re: TLS 1.… Yuhong Bao
Re: [TLS] History of TLS analysis (was Re: TLS 1.… Watson Ladd
Re: [TLS] History of TLS analysis (was Re: TLS 1.… Nikos Mavrogiannopoulos
Re: [TLS] History of TLS analysis (was Re: TLS 1.… Bodo Moeller