IETF Logo Mail Archive

Re: [TLS] DTLS implementation attack?

Eric Rescorla <ekr@rtfm.com> Tue, 06 December 2011 18:52 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7637421F8BDB for <tls@ietfa.amsl.com>; Tue, 6 Dec 2011 10:52:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level:
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PlqO-M8V9hXM for <tls@ietfa.amsl.com>; Tue, 6 Dec 2011 10:52:34 -0800 (PST)
Received: from mail-vw0-f44.google.com (mail-vw0-f44.google.com [209.85.212.44]) by ietfa.amsl.com (Postfix) with ESMTP id 990A021F8BBA for <tls@ietf.org>; Tue, 6 Dec 2011 10:52:34 -0800 (PST)
Received: by vbbez10 with SMTP id ez10so2904558vbb.31 for <tls@ietf.org>; Tue, 06 Dec 2011 10:52:34 -0800 (PST)
Received: by 10.52.92.70 with SMTP id ck6mr8711077vdb.61.1323197554106; Tue, 06 Dec 2011 10:52:34 -0800 (PST)
MIME-Version: 1.0
Received: by 10.52.186.70 with HTTP; Tue, 6 Dec 2011 10:51:53 -0800 (PST)
X-Originating-IP: [74.95.2.173]
In-Reply-To: <201112061827.pB6IRpLW006958@fs4113.wdf.sap.corp>
References: <CABcZeBNuVVVrrsNSg=x09bfOxFdhDf1ea0V7_05edtGPHYNz3w@mail.gmail.com> <201112061827.pB6IRpLW006958@fs4113.wdf.sap.corp>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 06 Dec 2011 10:51:53 -0800
Message-ID: <CABcZeBNwCo0HtqUpaATwXZp7T4WwDZwqpFBfwBPJj3Hm=iu4YA@mail.gmail.com>
To: mrex@sap.com
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Cc: tls@ietf.org
Subject: Re: [TLS] DTLS implementation attack?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Dec 2011 18:52:35 -0000

On Tue, Dec 6, 2011 at 10:27 AM, Martin Rex <mrex@sap.com> wrote:
> Eric Rescorla wrote:
>>
>> On Tue, Dec 6, 2011 at 9:32 AM, Martin Rex <mrex@sap.com> wrote:
>> > Nikos Mavrogiannopoulos wrote:
>> >>
>> >> On Tue, Dec 6, 2011 at 5:56 PM, Marsh Ray <marsh@extendedsubset.com> wrote:
>> >>
>> >> > Anyone have more info on this?
>> >> > Even just a CVE or 'fixed in' version would be helpful.
>> >> > http://www.isoc.org/isoc/conferences/ndss/12/program.shtml#1a
>> >> >> Plaintext-Recovery Attacks Against Datagram TLS
>> >>
>> >> Concerning gnutls the 3.0.8 release reduces the timing information
>> >> revealed to an adversary to counter this attack. However, I'm still in
>> >> contact with the authors for more information on the issue.
>> >
>> > By following the "SHOULD silently discard" recommendation in DTLS
>> >  http://tools.ietf.org/html/rfc4347#page-9
>> >
>> >   In general, DTLS implementations SHOULD silently discard data with
>> >   bad MACs.  If a DTLS implementation chooses to generate an alert when
>> >   it receives a message with an invalid MAC, it MUST generate
>> >   bad_record_mac alert with level fatal and terminate its connection
>> >   state.
>> >
>> > in combination with a CBC-block cipher with explicit initial IV,
>> > you might be creating a decryption oracle, vaguely similar to the
>> > design defect in XML encryption with block ciphers in CBC-mode
>> > (XML encryption has an explicit IV, but no MAC at all -- which
>> > is suicidal in online scenarios, such as WS-Security).
>>
>> I'm not following why silent discard would create a problem. Can you explain
>> the threat you are concerned about?
>
> Nikos mentioned "timing information revealed to an adversary".
>
> Plaintext guessing attacks for block ciphers in CBC-mode exploit
> timing differences for padding errors and MAC-errors (a variation
> of Vaudenay).
>
> I know very little about DTLS.  Quickly glancing over the spec.
> The last paragraph of this
>   http://tools.ietf.org/html/rfc4347#section-4.1.2.5
>
> "MUST discard" sounds even more dangerous.
>
> How about replaying in a 1:1 interleave crafted records
> trying to determine timing differences and the client's Finished
> message, so that the latter will cause the server to resend the
> server finished message -- which may enable the attacker to measure
> differences in processing the crafted record.

I'm still not sure I understand the threat model you have in mind
here.

These attacks rely on the attacker using the peer as an oracle to
learn something he doesn't otherwise know. In the case of the
Vaudenay attacks, assuming I remember correctly, it's whether
a block is correctly CBC padded versus whether it's incorrectly
CBC padded (and hence will produce an invalid MAC). So, what's
important here is to treat CBC padding errors the same way
you treat MAC errors.

As far as I know, treating MAC errors differently from valid packets
doesn't leak useful information, since tampering with anything in the
TLS packet should produce an invalid MAC, a fact the attacker is
presumably aware of.

-Ekr

v2.23.0 | Report a Bug | By Email