Re: [TLS] NIST TLS recomendations (PKCS#1 encryption attacks)

[pgut001 at cs.auckland.ac.nz (Peter Gutmann)]

Bodo Moeller <bmoeller at acm.org> writes:
>On Wed, Nov 29, 2006 at 12:42:17AM +1300, Peter Gutmann wrote:
>> TLS doesn't have any anticlogging mechanism, so all an attacker needs to do is
>> open a socket, write a pre-generated string of TLS client messages, and close
>> the socket again.  In the meantime the server has to go through a full TLS
>> handshake to discover that it's just a DoS.  This makes that attack it waaaay
>> too asymmetric for my liking...
>
>Yes, I understand that -- what I meant is, would it significantly help not to
>have to do the Bleichenbacher countermeasure?  I don't think so, because even
>without the countermeasure the same attack could easily keep the server very
>busy.

I think specifically building in a countermeasure may be overkill, but since
the text mentions various implementation considerations it should probably
also mention this one in case it's a concern for anyone.  In particular the
fact that even a small botnet can, via source address forgery sending large
numbers of pre-generated handshake packets, bring pretty much any TLS server
to its knees (and I'm surprised this DoS hasn't been tried yet) should be a
security concern.  There's no pressing need to fix it (yet :-), but the text
should at least mention it as something that implementors may want to
consider.

Peter.

_______________________________________________
TLS mailing list
TLS at lists.ietf.org
https://www1.ietf.org/mailman/listinfo/tls