Re: [TLS] NIST TLS recommendations (PKCS#1 encryption attacks)



Bodo Moeller <bmoeller at acm.org> writes:
>On Tue, Nov 28, 2006 at 03:49:13PM +1300, Peter Gutmann wrote:
>> Another thing that should really be mentioned in the text (which I've pointed
>> out before) is that the requirement to continue makes for a marvellous DoS
>> attack, just blindly send a string of TLS handshake packets with a garbage
>> value for the RSA-encrypted data and the server has to go through the entire
>> rest of the handshake.  In some situations (e.g. low-powered devices) this
>> "defensive" measure may be an own-goal.
>
>Is this relevant?  The adversary might just as well send valid RSA-encrypted
>data (which is quite quickly done for e=65537) to keep the server busy.  

TLS doesn't have any anticlogging mechanism, so all an attacker needs to do is
open a socket, write a pre-generated string of TLS client messages, and close
the socket again.  In the meantime the server has to go through a full TLS
handshake to discover that it's just a DoS.  This makes that attack waaaay
too asymmetric for my liking...

Peter.

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
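
Added example, not part of the original message or of any TLS implementation: a sketch of the "continue with a random premaster secret" handling that the thread refers to, showing that a garbage RSA ciphertext still costs the server a private-key operation and is not rejected at that step. The toy key, the function names, the stats counter and the exact version check are assumptions of this example.

```python
import secrets

# Constructed toy key, illustration only: two Mersenne primes give a 1128-bit
# modulus without a key-generation routine. Never use special-form primes.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes (141)

def client_encrypt(pms: bytes) -> bytes:
    """Honest client: PKCS#1 v1.5 type-2 padding, then the cheap e=65537 op."""
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(K - 3 - len(pms)))
    em = b"\x00\x02" + ps + b"\x00" + pms
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")

def pkcs1_unpad(em: bytes):
    """Return M from 00 02 PS 00 M, or None if the block is malformed."""
    if len(em) != K or em[:2] != b"\x00\x02":
        return None
    sep = em.find(b"\x00", 2)
    return em[sep + 1:] if sep >= 10 else None   # PS must be at least 8 bytes

def server_premaster(ciphertext: bytes, client_version: bytes, stats: dict) -> bytes:
    """Never signal a padding failure; swap in a random premaster and continue.
    Logic sketch only: a real implementation must also be constant-time."""
    fake = client_version + secrets.token_bytes(46)   # drawn before decrypting
    stats["private_ops"] += 1                         # paid for every input
    em = pow(int.from_bytes(ciphertext, "big") % N, D, N).to_bytes(K, "big")
    pms = pkcs1_unpad(em)
    if pms is None or len(pms) != 48 or pms[:2] != client_version:
        stats["substituted"] += 1
        return fake     # handshake carries on and only fails at Finished
    return pms

def demo() -> dict:
    stats = {"private_ops": 0, "substituted": 0}
    version = b"\x03\x02"                             # TLS 1.1
    good = version + secrets.token_bytes(46)
    assert server_premaster(client_encrypt(good), version, stats) == good
    garbage = b"\x01" * K                             # constructed invalid input
    assert server_premaster(garbage, version, stats) != good
    return stats

if __name__ == "__main__":
    print(demo())
```

The counter makes the cost visible: both the valid and the invalid ciphertext trigger one private-key operation, and only the second is silently replaced.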



