Re: [TLS] Rizzo claims implementation attach, should be interesting
Eric Rescorla <ekr@rtfm.com> Fri, 23 September 2011 20:15 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 064D521F8C87 for <tls@ietfa.amsl.com>; Fri, 23 Sep 2011 13:15:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level:
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ddLqNq4ggfAp for <tls@ietfa.amsl.com>; Fri, 23 Sep 2011 13:15:29 -0700 (PDT)
Received: from mail-ey0-f172.google.com (mail-ey0-f172.google.com [209.85.215.172]) by ietfa.amsl.com (Postfix) with ESMTP id 4ED9121F8C82 for <tls@ietf.org>; Fri, 23 Sep 2011 13:15:29 -0700 (PDT)
Received: by eye4 with SMTP id 4so2654648eye.31 for <tls@ietf.org>; Fri, 23 Sep 2011 13:18:04 -0700 (PDT)
Received: by 10.213.32.194 with SMTP id e2mr21625ebd.135.1316809083705; Fri, 23 Sep 2011 13:18:03 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.213.22.211 with HTTP; Fri, 23 Sep 2011 13:17:23 -0700 (PDT)
In-Reply-To: <201109232002.p8NK2isF025222@fs4113.wdf.sap.corp>
References: <201109231851.p8NIp0Ub014156@taverner.cs.berkeley.edu> <201109232002.p8NK2isF025222@fs4113.wdf.sap.corp>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 23 Sep 2011 13:17:23 -0700
Message-ID: <CABcZeBOZKdmFuKb8y8EKKxQzUqv=S5Z66sRGmbwHFSoagZp5Xw@mail.gmail.com>
To: mrex@sap.com
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org, David Wagner <daw@cs.berkeley.edu>
Subject: Re: [TLS] Rizzo claims implementation attach, should be interesting
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 23 Sep 2011 20:15:30 -0000
On Fri, Sep 23, 2011 at 1:02 PM, Martin Rex <mrex@sap.com> wrote: > Again, you're missing the point. The IVs in SSLv3&TLSv1.0 _are_ > random in exactly the fashion that CBC is designed to work. > The problem isn't the randomness, but that the first IV of > each new SSL record is _predictable_ by the attacker. > > For TLS, processing is normally done in quantities of > SSL records, so creating a single new random IV for the > start of the SSL record is sufficient. > > Other environments might be (ab-)using CBC in a directly-streaming > (i.e. data is sent as soon as the cipher block is full), and > such a usage scenario would need a random IV for EVERY cipher block > (i.e. it must not use CBC at all). Note that RFC4346 specifically prohibits that behavior in S 6.2.3.2: Note: With block ciphers in CBC mode (Cipher Block Chaining), it is critical that the entire plaintext of the record be known before any ciphertext is transmitted. Otherwise, it is possible for the attacker to mount the attack described in [CBCATT]. This restriction was added precisely to counter the attack you describe. -Ekr
- Re: [TLS] Rizzo claims implementation attach, sho… David Wagner
- [TLS] Rizzo claims implementation attach, should … Tim Dierks
- Re: [TLS] Rizzo claims implementation attach, sho… Peter Gutmann
- Re: [TLS] Rizzo claims implementation attach, sho… =JeffH
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Steingruebl, Andy
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Marsh Ray
- Re: [TLS] Rizzo claims implementation attach, sho… Eric Rescorla
- Re: [TLS] Rizzo claims implementation attach, sho… Eric Rescorla
- Re: [TLS] Rizzo claims implementation attach, sho… Yoav Nir
- Re: [TLS] Rizzo claims implementation attach, sho… Marsh Ray
- Re: [TLS] Rizzo claims implementation attach, sho… Yoav Nir
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Marsh Ray
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Eric Rescorla
- Re: [TLS] Rizzo claims implementation attach, sho… Phillip Hallam-Baker
- Re: [TLS] Rizzo claims implementation attach, sho… Nico Williams
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Marsh Ray
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Geoffrey Keating
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… =JeffH
- Re: [TLS] Rizzo claims implementation attach, sho… Nico Williams
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Nico Williams
- Re: [TLS] Rizzo claims implementation attach, sho… Marsh Ray
- Re: [TLS] Rizzo claims implementation attach, sho… Nico Williams
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Eric Rescorla
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Yngve N. Pettersen
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Yngve N. Pettersen
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Yoav Nir