On Tue, Dec 1, 2015 at 3:02 PM, Hanno Böck <ha...@hboeck.de> wrote:
> On Tue, 1 Dec 2015 14:28:49 -0500
> Watson Ladd <watsonbl...@gmail.com> wrote:
>
>> https://www.nds.rub.de/media/nds/veroeffentlichungen/2015/08/21/Tls13QuicAttacks.pdf
>>
>> This one looks very nasty to fix. Short of disallowing the use of RSA
>> certificates for TLS 1.2 with the RSA handshake and in TLS 1.3, I
>> don't see a good fix. I haven't read this paper in detail yet.
>>
>> Cross-protocol attacks are the gift that keeps giving.
>
> Correct me if I'm wrong, but as I understand the result (and I had one
> of the authors explaining it to me a few days ago) the problem appears
> only if you have a TLS 1.2 implementation with an RSA key exchange that
> is vulnerable to a Bleichenbacher attack. If it is not then you're fine.
>
> So as long as you make sure you implement all the proper
> countermeasures against that you should be fine. (Granted: This is
> tricky, as has been shown by previous results, even the OpenSSL
> implementation was lacking proper countermeasures not that long ago,
> but it's not impossible)

Can you describe the complete set of required countermeasures, and
prove they work comprehensively? What if the code is running on shared
hosting, where much better timing attacks are possible? What's
shocking is that this has been going on for well over a decade: the
right solution is to use robust key exchanges, and yet despite knowing
that this is possible, we've decided to throw patch onto patch on top
of a fundamentally broken idea. There is no fix for PKCS 1.5
encryption, just dirty hacks rooted in accidents of TLS.

>
> Deprecating the RSA key exchange just became a bit harder with Google's
> intent to deprecate DHE in Chrome and use RSA as the fallback if the
> host doesn't do ECDHE.
>
> --
> Hanno Böck
> http://hboeck.de/
>
> mail/jabber: ha...@hboeck.de
> GPG: BBB51E42
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>

-- 
"Man is born free, but everywhere he is in chains".
--Rousseau.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
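The countermeasure the two messages above argue about (the RFC 5246 section 7.4.7.1 rule: never signal a bad PKCS#1 v1.5 block, substitute a random premaster secret and let the handshake fail uniformly at Finished) is shown here as an added example. It is not code from the thread, from the paper, or from any TLS library; the function names, the fixed 1024-bit block size and the sample premaster are assumptions chosen for illustration. It works on the decrypted block only, so no RSA arithmetic is needed: `unpad_oracle` is the shape of check that gives an attacker a Bleichenbacher oracle (distinct early exits for block type, padding and version), and `unpad_rfc5246` is the same check restructured to scan the whole block, fold every failure into one mask and always return 48 bytes.

```python
"""PKCS#1 v1.5 premaster unpadding: an oracle-leaking check next to the
RFC 5246 section 7.4.7.1 countermeasure.  Added example with hypothetical
helper names; it models the structure of the fix, not a timing guarantee:
CPython offers no constant-time execution, so a real server needs this
logic in native code and a review of every other distinguishing signal
(alerts, timing, connection close) around it."""
import os

PREMASTER_LEN = 48   # 2-byte client_version || 46 random bytes
MIN_PAD_LEN = 8      # PKCS#1 v1.5: PS must be at least 8 nonzero bytes


def pkcs1_v15_pad(premaster: bytes, k: int, rng=os.urandom) -> bytes:
    """Build EM = 0x00 || 0x02 || PS || 0x00 || premaster, k bytes long
    (k = RSA modulus length).  Used only to construct sample input."""
    assert len(premaster) == PREMASTER_LEN
    ps_len = k - 3 - PREMASTER_LEN
    assert ps_len >= MIN_PAD_LEN
    ps = b""
    while len(ps) < ps_len:            # PS may not contain zero bytes
        ps += bytes(b for b in rng(ps_len - len(ps)) if b != 0)
    return b"\x00\x02" + ps + b"\x00" + premaster


def unpad_oracle(em: bytes, client_version: bytes) -> bytes:
    """The classic mistake: every branch that stops early with its own
    error is a distinguishable signal, i.e. a Bleichenbacher oracle."""
    if em[0] != 0 or em[1] != 2:
        raise ValueError("bad block type")         # leaks: padding oracle
    sep = em.find(b"\x00", 2)
    if sep < 2 + MIN_PAD_LEN:
        raise ValueError("bad padding string")     # leaks again
    pm = em[sep + 1:]
    if len(pm) != PREMASTER_LEN:
        raise ValueError("bad premaster length")   # leaks again
    if pm[:2] != client_version:
        raise ValueError("version mismatch")       # leaks again
    return pm


def oracle_error(em: bytes, client_version: bytes):
    """What the attacker learns from unpad_oracle: the error, or None."""
    try:
        unpad_oracle(em, client_version)
        return None
    except ValueError as exc:
        return str(exc)


def unpad_rfc5246(em: bytes, client_version: bytes, rng=os.urandom) -> bytes:
    """RFC 5246 7.4.7.1: draw a random premaster first, scan the whole
    block with no data-dependent exit, and select real vs. random via a
    mask.  Valid or not, the caller gets 48 bytes and no alert; a forged
    ClientKeyExchange then fails at Finished the same way every time."""
    assert len(em) >= 3 + MIN_PAD_LEN + PREMASTER_LEN
    fallback = rng(PREMASTER_LEN)
    pm_off = len(em) - PREMASTER_LEN    # premaster must sit at the very end
    bad = em[0] | (em[1] ^ 2)           # nonzero unless block starts 00 02
    for i in range(2, pm_off - 1):      # PS: every byte must be nonzero
        bad |= ((em[i] - 1) >> 8) & 1   # 1 iff em[i] == 0, without a branch
    bad |= em[pm_off - 1]               # separator byte must be zero
    bad |= em[pm_off] ^ client_version[0]       # version check folded in,
    bad |= em[pm_off + 1] ^ client_version[1]   # never reported separately
    mask = ((bad | -bad) >> 31) & 0xFF  # 0xFF if anything failed, else 0x00
    real = em[pm_off:]
    return bytes((r & ~mask) | (f & mask) for r, f in zip(real, fallback))


if __name__ == "__main__":
    version = b"\x03\x03"                          # TLS 1.2
    sample = version + bytes(range(46))            # constructed premaster
    em = pkcs1_v15_pad(sample, 128)
    forged = b"\x00\x01" + em[2:]                  # wrong block type
    print("oracle says:", oracle_error(forged, version))
    print("rfc5246 returns 48 bytes either way:",
          len(unpad_rfc5246(em, version)), len(unpad_rfc5246(forged, version)))
```

The thing to check in a real implementation is not this function in isolation but that nothing downstream reintroduces the signal: the random premaster must be used exactly as a real one would be, the alert sent at Finished must be the same, and the time spent must not depend on which path was taken.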