Empty TLS application records being injected in Tor streams
Ben Laurie
ben at links.org
Fri Dec 5 16:33:24 UTC 2008
Robert Hogan wrote:
> On Thursday 20 November 2008 19:54:34 Robert Hogan wrote:
>> On Wednesday 12 November 2008 02:25:51 Steven J. Murdoch wrote:
>>> Does anyone have ideas on how to remove the redundant TLS application
>>> records, or otherwise improve the efficiency?
>>>
>>> Steven.
>> http://marc.info/?l=openssl-users&m=115654275717293&w=2
>>
>> has the answer.
>>
>> "Sending empty SSL record (I mean record with only MAC) before SSL
>> record with real application data guards against some timing CBC attacks
>> and is enabled in OpenSSL by default.
>> To disable this set SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS with
>> SSL_CTX_set_options()."
>>
>> This corresponds exactly with what you're seeing - the empty record
>> always precedes the populated application record.
>
> I looked at this a bit more out of curiosity. The attack the empty records
> defend against is a confirmation attack based on the fact that TLS in CBC
> mode uses the previous cipher block as the IV for encrypting the current
> plaintext. So if the previous cipher block is available to the attacker,
> by just sniffing packets, and they are able to guess the plaintext in both
> the previous and current blocks they can confirm their guess.
> Alternatively they can choose a plaintext, encrypt it with their guess for
> the key, ask for an encrypted version of it and confirm whether they have
> guessed the key correctly if the cipher text matches. (A random IV
> protects against this last one.)
>
> " The attack itself is very simple. Remember that in CBC mode, each
> plaintext block is XOR'ed with the last ciphertext block and then
> encrypted to produce the next ciphertext block. Suppose the attacker
> suspects that plaintext block P_i might be x, and wants to test whether
> that's the case, he would choose the next plaintext block P_j to be x
> XOR C_(i-1) XOR C_(j-1). If his guess is correct, then C_j = Encrypt(P_j
> XOR C_(j-1)) = Encrypt(P_i XOR C_(i-1)) = C_i, and so he can confirm his
> guess by looking at whether C_j = C_i."
>
> The empty records prevent this attack because each full application record
> (containing encrypted plaintext the attacker might be interested in) is
> interleaved with an empty record (with an unpredictable MAC in it). Since
> the attacker needs to be able to guess two adjacent plaintexts in order to
> perform the attack (P_i and P_j), the empty record with the unpredictable
> MAC will always make this impossible.
>
> So from Tor's point of view the question is whether the CBC confirmation
> attack is practical given the data Tor exchanges in TLS application
> records. Does Tor transmit two guessable plaintexts in a row? VERSIONS and
> NETINFO cells seem to fall into this category. Other cells seem much
> harder to guess.
Steven asked me to do an analysis of this a while back, which I did,
then forgot to post. Here it is...
--
http://www.apache-ssl.org/ben.html http://www.links.org/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: on-tls-empty-record-insertion.txt
URL: <http://lists.torproject.org/pipermail/tor-dev/attachments/20081205/f0a100e0/attachment.txt>
More information about the tor-dev
mailing list