[cryptography] Duong-Rizzo TLS attack (was 'Re: SSL is not "broken by design"')

Jack Lloyd lloyd at randombit.net
Mon Sep 19 20:02:39 EDT 2011

On Mon, Sep 19, 2011 at 02:57:21PM -0400, Kevin W. Wall wrote:
> So does anyone know anymore details on this? Specifically is it an
> implementation flaw or a design flaw?
> Duong & Rizzo's previous work relied on padding oracle attacks whereas
> this one is categorized as a chosen-plaintext attack, so it looks like it's
> not building on their previous work.
> Lastly, would anyone care to speculate whether (for instance) using RC4
> intead of AES/CBC protect you from this chosen-plaintext attack? The
> article cited by the URL that Marsh mentioned only mentions AES
> so perhaps other cipher choices are immune. Just not a lot of details
> available yet. Guess will have to wait until Friday.

According to this article [1] in The Register (caveat lector), it only
affects TLS 1.0, not 1.1/1.2, and "exploits a vulnerability in TLS
that has long been regarded as mainly a theoretical weakness", so I'm
guessing it has to do with the CBC block carryover used in SSLv3 and
TLS 1.0. If that is the case, then using RC4 would not be vulnerable.

On this basis, I'm wondering if the workaround Opera deployed is to
simply not negotate !RC4 when using TLS 1.0. This could be done by
either disabling DES/AES entirely, or try a 1.1/1.2 handshake and then
if the server hello comes back with 1.0 and a non-RC4 ciphersuite to
drop the handshake and retry with only RC4 ciphersuites and carry on
from there.


[1] http://www.theregister.co.uk/2011/09/19/beast_exploits_paypal_ssl/

More information about the cryptography mailing list