Re: [TLS] NIST TLS recommendations (PKCS#1 encryption attacks)




On Wed, Nov 29, 2006 at 12:42:17AM +1300, Peter Gutmann wrote:
> Bodo Moeller <bmoeller at acm.org> writes:
>> On Tue, Nov 28, 2006 at 03:49:13PM +1300, Peter Gutmann wrote:

>>> Another thing that should really be mentioned in the text (which I've pointed
>>> out before) is that the requirement to continue makes for a marvellous DoS
>>> attack, just blindly send a string of TLS handshake packets with a garbage
>>> value for the RSA-encrypted data and the server has to go through the entire
>>> rest of the handshake.  In some situations (e.g. low-powered devices) this
>>> "defensive" measure may be an own-goal.

>> Is this relevant?  The adversary might just as well send valid RSA-encrypted
>> data (which is quite quickly done for e=65537) to keep the server busy.  

> TLS doesn't have any anticlogging mechanism, so all an attacker needs to do is
> open a socket, write a pre-generated string of TLS client messages, and close
> the socket again.  In the meantime the server has to go through a full TLS
> handshake to discover that it's just a DoS.  This makes that attack waaaay
> too asymmetric for my liking...

Yes, I understand that -- what I meant is, would it significantly help
not to have to do the Bleichenbacher countermeasure?  I don't think
so, because even without the countermeasure the same attack could
easily keep the server very busy.

Bodo


_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
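
Added example, not part of the original message or of any TLS implementation: a Python sketch of the "requirement to continue" discussed in this thread, where a server that finds bad PKCS#1 padding substitutes a random premaster secret instead of aborting. The toy key (built from two Mersenne primes), the function names and the TLS 1.0 version bytes are assumptions; Python integer arithmetic is not constant-time, so this shows the control flow only.

```python
import hmac
import secrets

# Constructed toy RSA key from two Mersenne primes: insecure, for illustration only.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8      # modulus length in bytes
VERSION = b"\x03\x01"              # assumed client_version from ClientHello (TLS 1.0)


def encrypt_pms(pms: bytes) -> bytes:
    """Client side: PKCS#1 v1.5 type-2 padding, then the cheap public-key operation."""
    pad = bytes(secrets.randbelow(255) + 1 for _ in range(K - 3 - len(pms)))
    em = b"\x00\x02" + pad + b"\x00" + pms
    return pow(int.from_bytes(em, "big"), E, N).to_bytes(K, "big")


def server_premaster(ciphertext: bytes):
    """Server side: return (premaster_secret, padding_ok).

    The caller must NOT branch on padding_ok; it is returned only so the
    demo can show which path was taken. The handshake continues either way
    and a bad secret surfaces later as a Finished verification failure.
    """
    fallback = secrets.token_bytes(48)            # picked before decrypting
    c = int.from_bytes(ciphertext, "big") % N
    em = pow(c, D, N).to_bytes(K, "big")          # private-key op runs for garbage too

    ok = hmac.compare_digest(em[:2], b"\x00\x02")
    ok &= em[-49] == 0                            # separator before the 48-byte secret
    ok &= 0 not in em[2:-49]                      # padding bytes must be nonzero
    ok &= hmac.compare_digest(em[-48:-46], VERSION)
    return (em[-48:] if ok else fallback), ok


if __name__ == "__main__":
    good = VERSION + secrets.token_bytes(46)
    print(server_premaster(encrypt_pms(good))[1])   # well-formed ClientKeyExchange
    print(server_premaster(bytes(range(K)))[1])     # constructed garbage value
```

In both paths the server has already paid for the private-key operation by the time the padding is examined.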



