Re: [TLS] NIST TLS recomendations (PKCS#1 encryption attacks)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [TLS] NIST TLS recomendations (PKCS#1 encryption attacks)
On Tue, 28 Nov 2006 13:35:35 +0200
<Pasi.Eronen at nokia.com> wrote:
> Peter Gutmann:
>
> > Another thing that should really be mentioned in the text (which
> > I've pointed out before) is that the requirement to continue makes
> > for a marvellous DoS attack, just blindly send a string of TLS
> > handshake packets with a garbage value for the RSA-encrypted data
> > and the server has to go through the entire rest of the handshake.
> > In some situations (e.g. low-powered devices) this "defensive"
> > measure may be an own-goal.
>
> The most resource-consuming part of the handshake is the RSA
> decryption, and this we have to do before we can detect any padding
> errors. So I'm not sure if continuing the handshake really makes the
> situation any worse DoS-wise...
>
If we want to deal with DoS attacks at that layer, we could standardize
the Dean/Stubblefield TLS client puzzle scheme.
--Steve Bellovin, http://www.cs.columbia.edu/~smb
_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.
