TLS and CBC-PAD: Example (figure). The record Text || MAC || PAD is split into block 1, block 2 and block 3 and encrypted with DES-CBC (8-byte blocks); the receiver first decrypts, then verifies the padding and the MAC.
Timing Attack: Experimental Values
In our experiments, we have used the following values (the numeric values were not recovered):
Client and attacker on the same LAN
Server on a different LAN
2 switches and a firewall between the 2 LANs

Timing Attack: Basic Attack
Query the oracle repeatedly and collect timings.
Timing Attack: Using Sequential Decision Rules
By using the theory of hypothesis testing with sequential distinguishers (see Junod, Eurocrypt'03), a more efficient algorithm is obtained with the following STOP and ACCEPT tests (formulas not recovered), where the two quantities they are compared against are two given thresholds.
Multisession Attack
Here we solve the problem of the broken sessions in performing the attack on TLS.
Assume that each session includes a critical plaintext block which is always the same (e.g. a password).
Assume we intercept the corresponding ciphertext block together with the previous ciphertext block (following the CBC mode).
The target block is constant in every session, but the intercepted ciphertext blocks depend on the session.
We have performed two types of attacks:
Case 1: the target block is uniformly distributed in an alphabet of a given size.
Case 2: we know the a priori distribution of the characters of the block we want to decrypt (dictionary attack).
Multisession Attack: Dictionary Case
(The formulas of this slide were not recovered.)
Note: the two parameters are the average complexity to decrypt a block when asking only one question to the oracle, and the probability of success.
Multisession Attack
Probability of success              0.5     0.6     0.7     0.8     0.9     0.99
Complexity, uniform distribution    4239    4750    5353    6139    7397    11335
Complexity, dictionary              166     181     199     223     261     380
Experiments and Discussions

Password Interception
IMAP client: Outlook Express 6.x from Microsoft under Windows XP
IMAP Rev 4 server (taken from Pine, Washington University)
Outlook checks (by default) for new messages automatically every 5 minutes in each folder created on the IMAP user account.
E.g. five folders (in, out, trash, read, and draft): 60 sessions every hour.
Cipher Problem
Outlook uses the RC4_MD5 algorithm by default (although RFC2246 and RFC2595 suggest that 3DES_EDE_CBC_SHA should be supported by default).
We had to force the IMAP server to only offer block ciphers in CBC mode.
Other applications (e.g. stunnel) use block ciphers by default.
Conditions for a Successful Attack
A critical piece of information is repeatedly encrypted at a predictable place.
A block cipher in CBC mode is chosen.
The attacker can sit in the middle and perform active attacks.
The attacker can distinguish time differences between two types of errors.
Countermeasures
A countermeasure for TLS has been implemented in OpenSSL 0.9.6d and following versions: only one error message is sent when either incorrect padding or an incorrect MAC is detected.
This countermeasure is not enough because of timing attacks.
A new countermeasure was implemented in OpenSSL 0.9.6i: we always check a MAC even if the padding is not correct.
Other possible countermeasure: invert the padding and the MAC!
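The two record checks the Countermeasures slide contrasts, as an added example (not code from the slides or from OpenSSL): a decrypted TLS 1.0 record laid out as text || MAC || PAD with 8-byte DES-CBC blocks and an HMAC-SHA1 tag, where the key and the record are constructed here; verify_weak returns early with a distinct padding error, while verify_hardened always runs the MAC and reports a single error.

```python
import hmac
import hashlib

# Constructed key and record layout for illustration; not OpenSSL's or the slides' code.
MAC_KEY = b"constructed-mac-key"
MAC_LEN = hashlib.sha1().digest_size   # 20 bytes, as in the *_SHA TLS cipher suites
BLOCK = 8                              # DES-CBC block size used in the slides

def build_record(text: bytes) -> bytes:
    """TLS 1.0 plaintext record: text || MAC(text) || PAD, a multiple of BLOCK.
    Every padding byte, including the trailing length byte, holds the pad length."""
    mac = hmac.new(MAC_KEY, text, hashlib.sha1).digest()
    body = text + mac
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([pad_len]) * (pad_len + 1)

def padding_ok(dec: bytes, pad_len: int) -> bool:
    """True if the last pad_len + 1 bytes all equal pad_len and leave room for the MAC."""
    return pad_len + 1 <= len(dec) - MAC_LEN and dec[-(pad_len + 1):] == bytes([pad_len]) * (pad_len + 1)

def verify_weak(dec: bytes) -> str:
    """Pre-0.9.6i behaviour: padding first, MAC only if the padding passes.
    Two distinct errors, and far less work when the padding is bad."""
    if not padding_ok(dec, dec[-1]):
        return "bad_padding"            # early return: no MAC computed at all
    body = dec[:-(dec[-1] + 1)]
    text, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    if hmac.new(MAC_KEY, text, hashlib.sha1).digest() != mac:
        return "bad_mac"
    return "ok"

def verify_hardened(dec: bytes) -> str:
    """OpenSSL 0.9.6i style: always compute the MAC and report a single error."""
    pad_ok = padding_ok(dec, dec[-1])
    strip = dec[-1] + 1 if pad_ok else 1   # bad padding: still strip something and MAC the rest
    body = dec[:-strip]
    text, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(MAC_KEY, text, hashlib.sha1).digest()
    mac_ok = hmac.compare_digest(expected, mac)   # length-independent compare of the tags
    return "ok" if (pad_ok and mac_ok) else "bad_record"
```

Even the hardened form still does an amount of MAC work that depends on the pad byte, which is why the slide's last suggestion of putting the MAC over the padding removes the ordering problem rather than just masking it.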
Conclusions
TLS implements a nice protocol for secure tunnel set up.
Despite the TLS maturity and popularity, it is not flaw free.
We can make timing attacks over a LAN.
The order MAC-PAD-Encrypt should be reconsidered.

Thank You
Special thank you to the IACR and Greg Rose for having made it possible for me to be here at Crypto.