Re: [TLS] NIST TLS recommendations (PKCS#1 encryption attacks)
Pasi.Eronen at nokia.com wrote:
> Peter Gutmann:
>
>> Another thing that should really be mentioned in the text (which
>> I've pointed out before) is that the requirement to continue makes
>> for a marvellous DoS attack, just blindly send a string of TLS
>> handshake packets with a garbage value for the RSA-encrypted data
>> and the server has to go through the entire rest of the handshake.
>> In some situations (e.g. low-powered devices) this "defensive"
>> measure may be an own-goal.
>
> The most resource-consuming part of the handshake is the RSA
> decryption, and this we have to do before we can detect any padding
> errors. So I'm not sure if continuing the handshake really makes the
> situation any worse DoS-wise...
>
> (Especially remembering that we don't have any good alternatives;
> reporting the error leads to revealing your private key.)
>
Does it? I thought a successful attack revealed a premaster secret, not
the actual private key.
Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson at drh-consultancy.co.uk, PGP key: via homepage.
_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
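
The countermeasure discussed in this thread (continue the handshake with a random premaster secret instead of reporting a padding error), as an added Python example that is not part of the original messages or of OpenSSL. It operates on the already RSA-decrypted block; the function names, the `fallback` test hook and the sample block are assumptions, and Python gives no constant-time guarantee.

```python
import os

PMS_LEN = 48  # TLS premaster secret: 2-byte client version + 46 random bytes


def unpad_pkcs1_v15(em: bytes):
    """Return (ok, message) for an RSA-decrypted block 00 02 PS 00 M."""
    if len(em) < 11:
        return False, b""
    ok = em[0] == 0x00 and em[1] == 0x02
    sep = em.find(b"\x00", 2)      # first zero byte ends the padding string PS
    ok = ok and sep >= 10          # PS must be at least 8 nonzero bytes
    return ok, (em[sep + 1:] if ok else b"")


def premaster_secret(em: bytes, client_version: bytes, fallback: bytes = None) -> bytes:
    """Always return a 48-byte premaster secret; never signal a padding error.

    `fallback` is a hypothetical hook so tests can fix the random value.
    """
    # Draw the replacement before inspecting the padding, so the random
    # generation cost is paid on every handshake, valid or not.
    r = fallback if fallback is not None else os.urandom(PMS_LEN - 2)
    ok, m = unpad_pkcs1_v15(em)
    ok = ok and len(m) == PMS_LEN
    # Bad padding or wrong length: carry on with client_version || R. The
    # handshake then fails at the Finished check, exactly as it would for a
    # well-padded ciphertext carrying the wrong secret.
    return client_version + (m[2:] if ok else r)


if __name__ == "__main__":
    version = b"\x03\x03"
    # Constructed sample: a well-formed 256-byte block, then a garbage one.
    good = b"\x00\x02" + b"\xff" * 205 + b"\x00" + version + bytes(range(46))
    garbage = b"\x17" * 256
    for name, em in (("good", good), ("garbage", garbage)):
        pms = premaster_secret(em, version)
        print(name, len(pms), pms[:2].hex())
```

Both inputs yield a 48-byte value and no exception, so the caller has no padding-specific error to send; a production implementation would also need the unpadding and selection to run in constant time.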