RE: [TLS] NIST TLS recommendations (PKCS#1 encryption attacks)

Peter Gutmann:

> Another thing that should really be mentioned in the text (which
> I've pointed out before) is that the requirement to continue makes
> for a marvellous DoS attack, just blindly send a string of TLS
> handshake packets with a garbage value for the RSA-encrypted data
> and the server has to go through the entire rest of the handshake.
> In some situations (e.g. low-powered devices) this "defensive"
> measure may be an own-goal.

The most resource-consuming part of the handshake is the RSA
decryption, and this we have to do before we can detect any padding
errors. So I'm not sure if continuing the handshake really makes the
situation any worse DoS-wise...

(Especially remembering that we don't have any good alternatives;
reporting the error leads to revealing your private key.)

Best regards,
Pasi

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
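
Added example, not part of the original message or of any TLS implementation: a Python sketch of the "continue the handshake" behaviour discussed above, applied to the block that comes out of the RSA private-key operation (the expensive step, already paid for by this point). The function names, the 128-byte sample block and the choice to treat a version mismatch like bad padding are assumptions made for this illustration.

```python
import hmac
import secrets

PMS_LEN = 48  # 2-byte client version + 46 random bytes


def select_premaster(em: bytes, client_version: bytes) -> bytes:
    """Pick the premaster secret from em, the raw RSA decryption output.

    Never raises and never reports a padding error: a bad block silently
    yields a random secret, so the handshake only fails later, at Finished.
    """
    # Drawn before any check, so good and bad blocks do the same work.
    fallback = client_version + secrets.token_bytes(PMS_LEN - 2)
    if len(em) < PMS_LEN + 11:  # block size is public; branching on it is safe
        return fallback

    # PKCS#1 v1.5 type 2 layout: 00 02 <nonzero padding, 8+ bytes> 00 <message>
    sep = len(em) - PMS_LEN - 1  # only place the 00 separator may sit
    ok = hmac.compare_digest(em[:2], b"\x00\x02")
    ok &= 0 not in em[2:sep]
    ok &= em[sep] == 0
    # Assumption: a client_version mismatch is handled like bad padding.
    ok &= hmac.compare_digest(em[sep + 1:sep + 3], client_version)

    # Branch-free select between the decrypted value and the fallback.
    # (Python gives no real constant-time guarantee; this shows the shape.)
    mask = -int(ok) & 0xFF
    candidate = em[sep + 1:]
    return bytes((c & mask) | (f & ~mask & 0xFF)
                 for c, f in zip(candidate, fallback))


def make_block(pms: bytes, k: int) -> bytes:
    """Constructed sample input: a well-formed decrypted block of k bytes."""
    return b"\x00\x02" + b"\xff" * (k - 3 - len(pms)) + b"\x00" + pms


if __name__ == "__main__":
    version = b"\x03\x02"  # constructed sample values
    pms = version + bytes(range(46))
    print(select_premaster(make_block(pms, 128), version) == pms)  # genuine block
    print(select_premaster(b"\x17" * 128, version) == pms)         # garbage block
```

Both calls return 48 bytes without any error path; only a peer that knows the real premaster secret can produce a Finished message that verifies.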




Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.