Re: [TLS] Rizzo claims implementation attach, should be interesting

Yoav Nir <ynir@checkpoint.com> Tue, 20 September 2011 04:10 UTC

Return-Path: <ynir@checkpoint.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1B20821F86F6 for <tls@ietfa.amsl.com>; Mon, 19 Sep 2011 21:10:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.393
X-Spam-Level:
X-Spam-Status: No, score=-10.393 tagged_above=-999 required=5 tests=[AWL=0.206, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gnmFV3Ixmg7H for <tls@ietfa.amsl.com>; Mon, 19 Sep 2011 21:10:28 -0700 (PDT)
Received: from michael.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id E226321F85B1 for <tls@ietf.org>; Mon, 19 Sep 2011 21:10:27 -0700 (PDT)
X-CheckPoint: {4E781FC6-3-1B221DC2-FFFF}
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by michael.checkpoint.com (8.13.8/8.13.8) with ESMTP id p8K4COGS019162; Tue, 20 Sep 2011 07:12:25 +0300
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Tue, 20 Sep 2011 07:12:25 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: Marsh Ray <marsh@extendedsubset.com>
Date: Tue, 20 Sep 2011 07:12:23 +0300
Thread-Topic: [TLS] Rizzo claims implementation attach, should be interesting
Thread-Index: Acx3S3+gssyfqBPgRnS2DXCwJXM/Bg==
Message-ID: <2B2DBCE0-2B5A-42BC-B3F9-C215393320C5@checkpoint.com>
References: <201109200053.p8K0r5Pv012913@fs4113.wdf.sap.corp> <4E77FAF6.90707@extendedsubset.com>
In-Reply-To: <4E77FAF6.90707@extendedsubset.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Cc: Steingruebl Andy <asteingruebl@paypal-inc.com>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Rizzo claims implementation attach, should be interesting
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Sep 2011 04:10:29 -0000

On Sep 20, 2011, at 5:31 AM, Marsh Ray wrote:

> On 09/19/2011 07:53 PM, Martin Rex wrote:
> 
> I believe there was a mitigation put in place by OpenSSL: sending an 
> empty (just padding) message before each app data message. The document 
> at eprint.iacr.org/2006/136 suggests that this could be a server-side 
> only change. I don't see how that would work since the session cookie 
> recovery attack is clearly happening on the client->server channel.
> 
> I read somewhere that this mitigation was off by default in OpenSSL 
> because it some software (an old MSIE IIRC).

Yes, Internet Explorer 6 has that problem. Also SSL-using services running under XP.

> 
> Does anyone believe there would be support for a TLS 1.0 Hello extension 
> that could compatibly negotiate the use of empty messages in each 
> direction as a mitigation for this attack?

If you're going to upgrade to a browser that supports the extension, might as well upgrade to IE7. It can deal with the empty fragment.

> 
> I've not been told the details of Duong and Rizzo's attack and haven't 
> seen "the BEAST" in action yet, so I'm not sure if that would be 
> sufficient to fix CBC in TLS 1.0. I am slightly annoyed at these guys 
> for dribbling out the information one hint at a time like this.

A time like what?