Re: [TLS] SSL Renegotiation DOS

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 16 March 2011 06:53 UTC

Return-Path: <pgut001@login01.cs.auckland.ac.nz>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9FF453A6808 for <tls@core3.amsl.com>; Tue, 15 Mar 2011 23:53:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.557
X-Spam-Level:
X-Spam-Status: No, score=-103.557 tagged_above=-999 required=5 tests=[AWL=0.042, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uhs-6qdhSOvD for <tls@core3.amsl.com>; Tue, 15 Mar 2011 23:53:32 -0700 (PDT)
Received: from mx2-int.auckland.ac.nz (mx2-int.auckland.ac.nz [130.216.12.41]) by core3.amsl.com (Postfix) with ESMTP id 313CC3A680B for <tls@ietf.org>; Tue, 15 Mar 2011 23:53:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=auckland.ac.nz; i=pgut001@cs.auckland.ac.nz; q=dns/txt; s=uoa; t=1300258499; x=1331794499; h=from:to:subject:cc:in-reply-to:message-id:date; z=From:=20Peter=20Gutmann=20<pgut001@cs.auckland.ac.nz> |To:=20mrex@sap.com|Subject:=20Re:=20[TLS]=20SSL=20Renego tiation=20DOS|Cc:=20tls@ietf.org|In-Reply-To:=20<20110315 1607.p2FG7g47008253@fs4113.wdf.sap.corp>|Message-Id:=20<E 1PzkdD-0000jT-4G@login01.fos.auckland.ac.nz>|Date:=20Wed, =2016=20Mar=202011=2019:54:55=20+1300; bh=5JLDcQu41any3DBhyoc+tci9SNl1kXa9muZooyUq/To=; b=k778W9G2FFUaZTumGzpw+0KhsZAt1TAoYRzKSGtLy3xJVHRdKOUNkcgw muxiDc2urcSyNEynMtcbisbPA2ZzZjvTQPRpyGhkA0ZIWk8kHQpN1i0iO tJoVoSK8MORfx33L5Goz6ZmCkaJgHM8BPAU3o+7+49G5DO07qCIEhm/u0 s=;
X-IronPort-AV: E=Sophos;i="4.63,193,1299409200"; d="scan'208";a="51451187"
X-Ironport-HAT: APP-SERVERS - $RELAYED
X-Ironport-Source: 130.216.33.150 - Outgoing - Outgoing
Received: from mf1.fos.auckland.ac.nz ([130.216.33.150]) by mx2-int.auckland.ac.nz with ESMTP/TLS/AES256-SHA; 16 Mar 2011 19:54:55 +1300
Received: from login01.fos.auckland.ac.nz ([130.216.34.40]) by mf1.fos.auckland.ac.nz with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1PzkdD-0008Pd-Gl; Wed, 16 Mar 2011 19:54:55 +1300
Received: from pgut001 by login01.fos.auckland.ac.nz with local (Exim 4.69) (envelope-from <pgut001@login01.cs.auckland.ac.nz>) id 1PzkdD-0000jT-4G; Wed, 16 Mar 2011 19:54:55 +1300
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: mrex@sap.com
In-Reply-To: <201103151607.p2FG7g47008253@fs4113.wdf.sap.corp>
Message-Id: <E1PzkdD-0000jT-4G@login01.fos.auckland.ac.nz>
Date: Wed, 16 Mar 2011 19:54:55 +1300
Cc: tls@ietf.org
Subject: Re: [TLS] SSL Renegotiation DOS
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 16 Mar 2011 06:53:33 -0000

Martin Rex <mrex@sap.com> writes:

>A DoS-client could simply open new connections to the SSL server and blindly
>fire away precompiled static SSL handshake messages, forcing the server to do
>crypto work.  You should be able to make most servers perform RSA decrypts on
>arbitrary data, and a significant number to perform DHE computations.

Exactly.  You can do this with virtually no effort using netcat, I continue to
be surprised that we've never seen this deployed in the wild (not wanting to
give any hints to Anonymous, but LOIC is 1990s script-kiddie technology
compared to the DoSes you could use if you gave it a few minutes thought).
What makes it even worse is the Bleichenbacher-attack defense that says you
have to complete the handshake, at full crypto cost, even if it's obvious that
you're just processing garbage.

(Every time this comes up I'm tempted to release some quick tool to exploit
the problem, on the basis that if the good guys don't point it out now, the
bad guys will take advantage of it later.  So far I've resisted the
temptation...).

Peter.