Re: [TLS] SSL Renegotiation DOS
Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 16 March 2011 06:53 UTC
Return-Path: <pgut001@login01.cs.auckland.ac.nz>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 9FF453A6808 for <tls@core3.amsl.com>;
Tue, 15 Mar 2011 23:53:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.557
X-Spam-Level:
X-Spam-Status: No, score=-103.557 tagged_above=-999 required=5 tests=[AWL=0.042,
BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uhs-6qdhSOvD for
<tls@core3.amsl.com>; Tue, 15 Mar 2011 23:53:32 -0700 (PDT)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41])
by core3.amsl.com (Postfix) with ESMTP id 313CC3A680B for <tls@ietf.org>;
Tue, 15 Mar 2011 23:53:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz;
i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1300258499; x=1331794499;
h=from:to:subject:cc:in-reply-to:message-id:date;
z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz>
|To:=20mrex@sap.com|Subject:=20Re:=20[TLS]=20SSL=20Renego
tiation=20DOS|Cc:=20tls@ietf.org|In-Reply-To:=20<20110315
1607.p2FG7g47008253@fs4113.wdf.sap.corp>|Message-Id:=20<E
1PzkdD-0000jT-4G@login01.fos.auckland.ac.nz>|Date:=20Wed,
=2016=20Mar=202011=2019:54:55=20+1300;
bh=5JLDcQu41any3DBhyoc+tci9SNl1kXa9muZooyUq/To=;
b=k778W9G2FFUaZTumGzpw+0KhsZAt1TAoYRzKSGtLy3xJVHRdKOUNkcgw
muxiDc2urcSyNEynMtcbisbPA2ZzZjvTQPRpyGhkA0ZIWk8kHQpN1i0iO
tJoVoSK8MORfx33L5Goz6ZmCkaJgHM8BPAU3o+7+49G5DO07qCIEhm/u0 s=;
X-IronPort-AV: E=Sophos;i="4.63,193,1299409200"; d="scan'208";a="51451187"
X-Ironport-HAT: APP-SERVERS - $RELAYED
X-Ironport-Source: 130.216.33.150 - Outgoing - Outgoing
Received: from mf1.fos.auckland.ac.nz ([130.216.33.150]) by
mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 16 Mar 2011 19:54:55 +1300
Received: from login01.fos.auckland.ac.nz ([130.216.34.40]) by
mf1.fos.auckland.ac.nz with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim
4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1PzkdD-0008Pd-Gl;
Wed, 16 Mar 2011 19:54:55 +1300
Received: from pgut001 by login01.fos.auckland.ac.nz with local (Exim 4.69)
(envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1PzkdD-0000jT-4G;
Wed, 16 Mar 2011 19:54:55 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: mrex@sap.com
In-Reply-To: <201103151607.p2FG7g47008253@fs4113.wdf.sap.corp>
Message-Id: <E1PzkdD-0000jT-4G@login01.fos.auckland.ac.nz>
Date: Wed, 16 Mar 2011 19:54:55 +1300
Cc: tls@ietf.org
Subject: Re: [TLS] SSL Renegotiation DOS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working
group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>,
<mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>,
<mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Mar 2011 06:53:33 -0000
Martin Rex <mrex@sap.com> writes: >A DoS-client could simply open new connections to the SSL server and blindly >fire away precompiled static SSL handshake messages, forcing the server to do >crypto work. You should be able to make most servers perform RSA decrypts on >arbitrary data, and a significant number to perform DHE computations. Exactly. You can do this with virtually no effort using netcat, I continue to be surprised that we've never seen this deployed in the wild (not wanting to give any hints to Anonymous, but LOIC is 1990s script-kiddie technology compared to the DoSes you could use if you gave it a few minutes thought). What makes it even worse is the Bleichenbacher-attack defense that says you have to complete the handshake, at full crypto cost, even if it's obvious that you're just processing garbage. (Every time this comes up I'm tempted to release some quick tool to exploit the problem, on the basis that if the good guys don't point it out now, the bad guys will take advantage of it later. So far I've resisted the temptation...). Peter.
- [TLS] SSL Renegotiation DOS Jorge A. Orchilles
- Re: [TLS] SSL Renegotiation DOS Nikos Mavrogiannopoulos
- Re: [TLS] SSL Renegotiation DOS Steve Dispensa
- Re: [TLS] SSL Renegotiation DOS Joe Orton
- Re: [TLS] SSL Renegotiation DOS Dr Stephen Henson
- Re: [TLS] SSL Renegotiation DOS Steve Dispensa
- Re: [TLS] SSL Renegotiation DOS Martin Rex
- Re: [TLS] SSL Renegotiation DOS Eric Rescorla
- Re: [TLS] SSL Renegotiation DOS Marsh Ray
- Re: [TLS] SSL Renegotiation DOS Martin Rex
- Re: [TLS] SSL Renegotiation DOS Steve Dispensa
- Re: [TLS] SSL Renegotiation DOS Peter Gutmann
- Re: [TLS] SSL Renegotiation DOS Martin Rex
- Re: [TLS] SSL Renegotiation DOS Peter Gutmann
- Re: [TLS] SSL Renegotiation DOS Jorge A. Orchilles
- Re: [TLS] SSL Renegotiation DOS Jorge A. Orchilles
- Re: [TLS] SSL Renegotiation DOS Jorge A. Orchilles
- Re: [TLS] SSL Renegotiation DOS Jorge A. Orchilles
- Re: [TLS] SSL Renegotiation DOS Jorge A. Orchilles
- Re: [TLS] SSL Renegotiation DOS Jorge A. Orchilles