path: root/doc/tex/record_weaknesses.tex
blob: 75c5696a110f23bb8ae6f9491a902733282b3dac (plain)
\subsection{Weaknesses and countermeasures}
\index{TLS protocols!Record}

Some weaknesses that may affect the security of the Record layer have been
found in the \tlsI{} protocol. These weaknesses can be exploited by active attackers
and rely on the facts that
\begin{enumerate}
\item \tls{} has separate alerts for ``decryption\_failed'' (malformed padding) and
``bad\_record\_mac'' (MAC mismatch), so an attacker who tampers with a record learns which
of the two checks it failed
\item even when the alert is the same, the reason for the decryption failure can be detected
by timing the response, since a receiver that rejects bad padding before verifying the MAC
answers measurably faster
\item the IV for CBC encrypted packets is the last block of the previous encrypted packet, so an
attacker who observes one record can predict the IV of the next one
\end{enumerate}

\gnutls{} implements all the known countermeasures for these attacks. For the first
two cases, \gnutls{} has only one error code for both decryption failures, and
processes the message normally, including the MAC verification, even if a padding error
occurred, so that neither the alert nor the response time reveals which check failed. This
avoids both of these attacks.
For the latter, an empty record can be sent before every record packet, so that the IV
actually used for the application data is the last block of an encrypted record that the
attacker could not predict when choosing the plaintext; this is believed to avoid the known
attacks in CBC encrypted packets. See the function
\printfunc{gnutls_record_set_cbc_protection}{gnutls\_record\_set\_cbc\_protection}
for more information.
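The three weaknesses and the two countermeasures above, as an added worked example that is not
part of the \gnutls{} manual or code base: a TLS 1.0 style CBC record layer in Python (MAC, then
padding, then CBC, with the record header and sequence number omitted) built on a toy Feistel
block cipher that merely stands in for AES. \texttt{open\_record} is the weak receiver when
called with \texttt{hardened=False} (distinct alert for bad padding, raised before any MAC work)
and the countermeasure when called with \texttt{hardened=True}; the padding-oracle attack
recovers a plaintext block from the former and gets nothing from the latter. Because the attack
treats ``which alert was returned'' as the observable, it covers the first weakness directly and
the timing variant only by analogy (``reached the MAC check'' is what a timing measurement would
reveal). \texttt{chained\_iv\_guess} shows the third weakness: an attacker who chooses the next
plaintext block can confirm a guess about an earlier block, unless an empty record is sent first,
which is what \texttt{gnutls\_record\_set\_cbc\_protection} enables. All function names, keys
and the sample plaintext are constructed for this example.

```python
import hashlib
import hmac

BLOCK, MAC_LEN = 16, 20  # AES-sized blocks; HMAC-SHA1 as in the TLS 1.0 SHA-1 cipher suites

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy block cipher: 4-round Feistel with a SHA-256 round function. NOT secure; it only stands in for AES.
def _f(key, half, i):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def _feistel(key, b, order):  # halves swapped on output, so the reversed round order is the inverse
    l, r = b[:8], b[8:]
    for i in order:
        l, r = r, xor(l, _f(key, r, i))
    return r + l

ENC, DEC = range(4), range(3, -1, -1)  # round orders for encryption and decryption

def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = _feistel(key, xor(data[i:i + BLOCK], prev), ENC)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, data):
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return b"".join(xor(_feistel(key, c, DEC), p) for p, c in zip([iv] + blocks, blocks))

class DecryptionFailed(Exception): pass  # the separate "decryption_failed" alert
class BadRecordMac(Exception): pass      # the "bad_record_mac" alert

def seal_record(enc_key, mac_key, iv, plaintext):
    """TLS 1.0 style MAC-then-pad-then-CBC (record header and sequence number omitted)."""
    body = plaintext + hmac.new(mac_key, plaintext, hashlib.sha1).digest()
    padlen = BLOCK - 1 - len(body) % BLOCK
    return cbc_encrypt(enc_key, iv, body + bytes([padlen]) * (padlen + 1))  # pad bytes, then length byte

def open_record(enc_key, mac_key, iv, ct, hardened):
    """hardened=False: weak receiver, a distinct alert for bad padding and no MAC work after it.
    hardened=True: the countermeasure, one error for both failures and the MAC computed either way."""
    body = cbc_decrypt(enc_key, iv, ct)
    n = body[-1] + 1
    pad_ok = n <= len(body) and body[-n:] == bytes([body[-1]]) * n
    if not pad_ok and not hardened:
        raise DecryptionFailed()
    body = body[:-n] if pad_ok else body[:-1]  # bad padding: carry on as if minimally padded
    mac_ok = hmac.compare_digest(body[-MAC_LEN:], hmac.new(mac_key, body[:-MAC_LEN], hashlib.sha1).digest())
    if not (mac_ok and pad_ok):
        raise BadRecordMac()
    return body[:-MAC_LEN]

def padding_oracle_attack(enc_key, mac_key, prev_block, target, hardened):
    """Vaudenay-style recovery of the plaintext behind `target`, asking only whether padding was singled out."""
    def accepted_padding(r):
        try:
            open_record(enc_key, mac_key, bytes(BLOCK), r + target, hardened)
        except (DecryptionFailed, BadRecordMac) as e:
            return isinstance(e, BadRecordMac)  # only a "decryption_failed" alert reveals bad padding
        return True
    inter = bytearray(BLOCK)  # D(target), recovered right to left; plaintext = inter ^ prev_block
    for j in range(BLOCK - 1, -1, -1):
        padlen = BLOCK - 1 - j
        r = bytearray(xor(inter, bytes([padlen]) * BLOCK))  # bytes after j now decrypt to padlen
        for guess in range(256):
            r[j] = guess
            if not accepted_padding(bytes(r)):
                continue
            if j == BLOCK - 1:  # a zero pad is ambiguous with 0x01 0x01 etc.: perturb and recheck
                r2 = bytes(r[:-2]) + bytes([r[-2] ^ 0xFF, r[-1]])
                if not accepted_padding(r2):
                    continue
            inter[j] = guess ^ padlen
            break
        else:
            raise RuntimeError("no padding accepted")
    return xor(inter, prev_block)

def chained_iv_guess(enc_key, mac_key, next_iv, c_before, c_target, guess, cbc_protection):
    """Attacker chooses the next plaintext block knowing next_iv; True iff that block encrypts to c_target."""
    x = xor(guess, xor(c_before, next_iv))  # under plain chaining E(x ^ next_iv) == c_target iff guess is right
    iv = seal_record(enc_key, mac_key, next_iv, b"")[-BLOCK:] if cbc_protection else next_iv  # empty record first
    return seal_record(enc_key, mac_key, iv, x)[:BLOCK] == c_target

def demo():
    enc_key, mac_key, iv = b"K" * 16, b"M" * 16, bytes(range(16))  # constructed, not real keys
    secret = b"Cookie: SESSION=deadbeefcafe1234"  # constructed two-block plaintext
    ct = seal_record(enc_key, mac_key, iv, secret)
    c0, c1, p1, next_iv = ct[:BLOCK], ct[BLOCK:2 * BLOCK], secret[BLOCK:], ct[-BLOCK:]
    return {
        "leaky_recovers_block": padding_oracle_attack(enc_key, mac_key, c0, c1, hardened=False) == p1,
        "hardened_recovers_block": padding_oracle_attack(enc_key, mac_key, c0, c1, hardened=True) == p1,
        "chained_iv_confirms_right_guess": chained_iv_guess(enc_key, mac_key, next_iv, c0, c1, p1, False),
        "chained_iv_confirms_wrong_guess": chained_iv_guess(enc_key, mac_key, next_iv, c0, c1, b"X" * BLOCK, False),
        "empty_record_confirms_right_guess": chained_iv_guess(enc_key, mac_key, next_iv, c0, c1, p1, True),
    }
```

Running \texttt{demo()} yields \texttt{True} only for the leaky receiver and for the unprotected
chained IV: the attack never needs a record to be accepted, it only needs the receiver to tell
padding failures apart from MAC failures, which is why collapsing the two alerts and always
running the MAC check is the fix. The empty-record case fails for the attacker because the IV of
the data record is now a ciphertext block that depends on the MAC key and was not on the wire
when the plaintext was chosen.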

For a detailed discussion see the archives of the TLS Working Group mailing list
and the paper \cite{CBCATT}.