Re: [TLS] Rizzo claims implementation attach, should be interesting
Martin Rex <mrex@sap.com> Tue, 20 September 2011 21:29 UTC
Return-Path: <mrex@sap.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E790E1F0C87 for <tls@ietfa.amsl.com>; Tue, 20 Sep 2011 14:29:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.439
X-Spam-Level:
X-Spam-Status: No, score=-9.439 tagged_above=-999 required=5 tests=[AWL=-0.390, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_29=0.6, J_CHICKENPOX_32=0.6, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V4T4xaO-FjdZ for <tls@ietfa.amsl.com>; Tue, 20 Sep 2011 14:29:37 -0700 (PDT)
Received: from smtpde02.sap-ag.de (smtpde02.sap-ag.de [155.56.68.140]) by ietfa.amsl.com (Postfix) with ESMTP id D8DE91F0C62 for <tls@ietf.org>; Tue, 20 Sep 2011 14:29:31 -0700 (PDT)
Received: from mail.sap.corp by smtpde02.sap-ag.de (26) with ESMTP id p8KLVqkY017599 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 20 Sep 2011 23:31:52 +0200 (MEST)
From: Martin Rex <mrex@sap.com>
Message-Id: <201109202131.p8KLVpd0024045@fs4113.wdf.sap.corp>
To: nico@cryptonector.com
Date: Tue, 20 Sep 2011 23:31:51 +0200
In-Reply-To: <CAK3OfOiHddQxi_HGQ94w7tPCQ4Mcr1dRJOABBpcxd95RfNFF9A@mail.gmail.com> from "Nico Williams" at Sep 20, 11 04:04:25 pm
MIME-Version: 1.0
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 8bit
X-SAP: out
Cc: asteingruebl@paypal-inc.com, tls@ietf.org
Subject: Re: [TLS] Rizzo claims implementation attach, should be interesting
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: mrex@sap.com
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Sep 2011 21:29:38 -0000
Nico Williams wrote: > > On Tue, Sep 20, 2011 at 3:04 PM, Phillip Hallam-Baker <hallam@gmail.com> wrote: > > On Tue, Sep 20, 2011 at 11:21 AM, Martin Rex <mrex@sap.com> wrote: > >> SSL was NEVER designed with a promise that you could multiplex > >> data from an evil attack with data from a victim over the very same > >> SSL connection and be secure against adaptive chose plaintext > >> attacks trying to recover data from the victim. > > I wasn't there. I don't know what it was designed for. But here's > the thing: why shouldn't the designers have assumed that some of the > data sent over SSL might be untrusted? On what grounds would it have > been OK to say "no untrusted data, please"? And where was this > restriction documented? It is a design limit that should be obvious to the conscious reader with background knowledge about cryptography. > > But let's grant that restriction. That would have meant that we > should never have allowed IMAP over SSL, for example, and taking the > argument to extremes, we should never have allowed HTTP POST over SSL > either. > > This is really Marsh's point, I think, and I agree with it. No, you're entirely confusing things. Independent TLS connection states (even for the same cached TLS session) do not share traffic encryption and mac keys, so these are protected from each other. But when you start multiplexing adaptively chosen plaintext from an attacker with data from a victim, then you're creating an oracle. For TLS cipher suites using block ciphers in CBC mode, there is a fixed encryption key for all blocks of data. Now if the block of data for which the attacker wants to recover the exact plaintext is sufficiently short (e.g. DES-based = 64-bit), and this block of contains a small amount of unknown entropy, and the attacker is permitted sufficient guesses at the original plaintext, the attacker may perform a guessing attempt at that unknown victim data. > > > SSL came before Javascript and even before cookies. So this is certainly > > outside the model. > > Adding AES in CBC mode probably came after the model had been changed > > though. > > Yeah, sure, but I think it's fairer to say that the subject probably > didn't come up, not that SSL was not intended for this. It was not a design requirement at that time, so that property does not exist in the original SSLv3 (and TLS) design. When cipher suites with stream ciphers are not affected, then this is a lucky coincidence, not a result of a conscious design (based on a requirement). > > Block ciphers in counter mode are as broken in the face of key&IV > reuse as any stream cipher, and for the same sorts of reasons. This > is not a reason to not use counter modes. It's a reason to use them > with care. For every block with a known IV and known plaintext, the attacker learns equal to the blocksize IV+plaintext pairs for a static key. (flip the same bit in IV and plaintext and you get the same ciphertext). For CBC, the IV is the ciphertext on the wire from the previous block (except for the first IV on the first record in all version of TLS). > > For example, in a situation like Kerberos' PDUs counter modes are > dangerous because there's no "connection" context for most of those > PDUs, thus no way to prevent key&IV reuse. But for TLS, and even > DTLS, there's no such issue. I actually feel more uncomfortable with cryptographic protocols that are used in automated online scenarios and do not employ replay protection (which probably means that communication with the Kerberos KDC is theoretically vulnerable, and what's missing is only attractive attacks that exploit this.) -Martin
- Re: [TLS] Rizzo claims implementation attach, sho… David Wagner
- [TLS] Rizzo claims implementation attach, should … Tim Dierks
- Re: [TLS] Rizzo claims implementation attach, sho… Peter Gutmann
- Re: [TLS] Rizzo claims implementation attach, sho… =JeffH
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Steingruebl, Andy
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Marsh Ray
- Re: [TLS] Rizzo claims implementation attach, sho… Eric Rescorla
- Re: [TLS] Rizzo claims implementation attach, sho… Eric Rescorla
- Re: [TLS] Rizzo claims implementation attach, sho… Yoav Nir
- Re: [TLS] Rizzo claims implementation attach, sho… Marsh Ray
- Re: [TLS] Rizzo claims implementation attach, sho… Yoav Nir
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Marsh Ray
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Eric Rescorla
- Re: [TLS] Rizzo claims implementation attach, sho… Phillip Hallam-Baker
- Re: [TLS] Rizzo claims implementation attach, sho… Nico Williams
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Marsh Ray
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Geoffrey Keating
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… =JeffH
- Re: [TLS] Rizzo claims implementation attach, sho… Nico Williams
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Nico Williams
- Re: [TLS] Rizzo claims implementation attach, sho… Marsh Ray
- Re: [TLS] Rizzo claims implementation attach, sho… Nico Williams
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Eric Rescorla
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Yngve N. Pettersen
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Yngve N. Pettersen
- Re: [TLS] Rizzo claims implementation attach, sho… Martin Rex
- Re: [TLS] Rizzo claims implementation attach, sho… Yoav Nir