Guidelines for the selection, configuration, and use of Transport Layer Security (TLS) implementations

Abstract: (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for… Show more

“…Indeed, the attack described in Section III will work just as before 6 . We next present an attack that recovers the rightmost byte of plaintext in any target block for GnuTLS-style padding processing.…”

“…2) P 20 ends with any other byte value: in this case, at least two bytes of "padding" are removed, the next 20 bytes are interpreted as a MAC tag T , and the remaining bytes of plaintext are taken as the record R. Because the starting message length, at 320 bytes, is long enough to allow for the removal of 256 bytes of padding and a 20-byte MAC whilst still leaving 5 www.gnu.org/software/gnutls/ 6 In fact, since the attack only involves plaintexts which are correctly padded, it will work for any correct decryption algorithm. a non-null record, no length sanity tests will fail.…”

“…However, RC4 is not an option for DTLS, and not NISTrecommended for TLS [6]; meanwhile authenticated encryption modes are only available in TLS 1.2, which is not yet widely supported. 1 Redesigning (D)TLS would require even more radical changes than adopting TLS 1.2.…”

Lucky Thirteen: Breaking the TLS and DTLS Record Protocols

“…Indeed, the attack described in Section III will work just as before 6 . We next present an attack that recovers the rightmost byte of plaintext in any target block for GnuTLS-style padding processing.…”

“…2) P 20 ends with any other byte value: in this case, at least two bytes of "padding" are removed, the next 20 bytes are interpreted as a MAC tag T , and the remaining bytes of plaintext are taken as the record R. Because the starting message length, at 320 bytes, is long enough to allow for the removal of 256 bytes of padding and a 20-byte MAC whilst still leaving 5 www.gnu.org/software/gnutls/ 6 In fact, since the attack only involves plaintexts which are correctly padded, it will work for any correct decryption algorithm. a non-null record, no length sanity tests will fail.…”

“…However, RC4 is not an option for DTLS, and not NISTrecommended for TLS [6]; meanwhile authenticated encryption modes are only available in TLS 1.2, which is not yet widely supported. 1 Redesigning (D)TLS would require even more radical changes than adopting TLS 1.2.…”

Lucky Thirteen: Breaking the TLS and DTLS Record Protocols

“… NIST SP 800-52 provides guidance on Transport Layer Security (TLS) Implementations [68]  NIST SP 800-56 provides guidance on cryptographic key establishment [69].…”

Guide to Industrial Control Systems (ICS) Security : Supervisory Control and Data Acquisition (SCADA) Systems, Distributed Control Systems (DCS), and Other Control System Configurations such as Programmable Logic Controllers (PLC)

“…In TLS, a rich set of mutual authentication variants, which are based on different so-called ciphersuites, is provided. Assume for simplicity that the five ciphersuites listed in Table I are available (in descending order of security strength according to [10]): …”

A Conceptual Model of Tunable Security Services