Re: [TLS] Rizzo claims implementation attach, should be interesting

Eric Rescorla <> Fri, 23 September 2011 20:15 UTC

From: Eric Rescorla <>
Date: Fri, 23 Sep 2011 13:17:23 -0700
Cc:, David Wagner <>
Subject: Re: [TLS] Rizzo claims implementation attach, should be interesting

On Fri, Sep 23, 2011 at 1:02 PM, Martin Rex <> wrote:
>  Again, you're missing the point.  The IVs in SSLv3&TLSv1.0 _are_
> random in exactly the fashion that CBC is designed to work.
> The problem isn't the randomness, but that the first IV of
> each new SSL record is _predictable_ by the attacker.
> For TLS, processing is normally done in quantities of
> SSL records, so creating a single new random IV for the
> start of the SSL record is sufficient.
> Other environments might be (ab-)using CBC in a directly-streaming
> (i.e. data is sent as soon as the cipher block is full), and
> such a usage scenario would need a random IV for EVERY cipher block
> (i.e. it must not use CBC at all).

Note that RFC4346 specifically prohibits that behavior in S

   Note: With block ciphers in CBC mode (Cipher Block Chaining), it is
         critical that the entire plaintext of the record be known
         before any ciphertext is transmitted.  Otherwise, it is
         possible for the attacker to mount the attack described in

This restriction was added precisely to counter the attack you describe.
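To make the distinction in this exchange concrete, here is an added example that is not part of the thread or of any TLS implementation. It models the two record-layer IV strategies under discussion: the SSLv3/TLS 1.0 scheme, where the IV of record n+1 is the last ciphertext block of record n and is never transmitted, and the TLS 1.1-style scheme, where every record gets a fresh random IV sent as its first block. A four-round Feistel network built on SHA-256 stands in for a real block cipher (assumption: any secure block cipher behaves the same way for this purpose; the toy cipher is only there so the example runs offline), and all keys and record contents are constructed. The check `next_iv_is_predictable` takes only the observer's view, the bytes already on the wire, and reports whether the upcoming IV is determined by them, which is exactly the property Martin Rex identifies as the problem.

```python
import hashlib
import secrets

BLOCK = 8  # toy cipher block size in bytes (real TLS CBC suites use 8 or 16)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    # Feistel round function: keyed hash of one half, truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[: BLOCK // 2]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Constructed stand-in for a block cipher: 4-round Feistel network.
    l, r = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, r, rnd))
    return l + r


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[: BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, l, rnd)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Standard CBC: each plaintext block is XORed with the previous ciphertext
    # block (the IV for the first block) before encryption.
    assert len(plaintext) % BLOCK == 0, "example uses block-aligned input"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        c = toy_block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(c)
        prev = c
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)


def encrypt_records_chained(key: bytes, iv0: bytes, records: list) -> list:
    """SSLv3 / TLS 1.0 style: the IV of each record is the last ciphertext
    block of the previous record. Returns (iv_used, bytes_on_wire) per record;
    the IV is never on the wire, it is implied by the previous record."""
    out, iv = [], iv0
    for rec in records:
        ct = cbc_encrypt(key, iv, rec)
        out.append((iv, ct))
        iv = ct[-BLOCK:]
    return out


def encrypt_records_explicit(key: bytes, records: list) -> list:
    """TLS 1.1+ style: a fresh random IV per record, sent as the first block.
    Returns (iv_used, bytes_on_wire) per record."""
    out = []
    for rec in records:
        iv = secrets.token_bytes(BLOCK)
        out.append((iv, iv + cbc_encrypt(key, iv, rec)))
    return out


def next_iv_is_predictable(previous_wire_bytes: bytes, next_iv: bytes) -> bool:
    """Observer's check: is the IV about to be used for the next record equal
    to the last ciphertext block already transmitted? True means anyone who
    saw the wire knows the next IV before the next record is encrypted."""
    return previous_wire_bytes[-BLOCK:] == next_iv


def demo():
    key = b"constructed demo key, not a real TLS key"
    records = [b"record-1-block-A", b"record-2-block-B", b"record-3-block-C"]
    chained = encrypt_records_chained(key, bytes(BLOCK), records)
    explicit = encrypt_records_explicit(key, records)
    chained_pred = [next_iv_is_predictable(chained[i][1], chained[i + 1][0])
                    for i in range(len(chained) - 1)]
    explicit_pred = [next_iv_is_predictable(explicit[i][1], explicit[i + 1][0])
                     for i in range(len(explicit) - 1)]
    return chained_pred, explicit_pred


if __name__ == "__main__":
    print("chained IVs predictable per record boundary:", demo()[0])
    print("explicit IVs predictable per record boundary:", demo()[1])
```

In the chained scheme every record boundary reports True: the IV is fixed by bytes the observer has already seen, regardless of how random the very first IV was. In the explicit scheme it reports False (equality would require a 1-in-2^64 collision with this block size). The RFC 4346 note quoted above addresses the same issue from the other side: even with chained IVs, not transmitting any ciphertext until the whole record plaintext is known denies an observer the chance to act on the predicted IV before the record is committed.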