2003
DOI: 10.1007/978-3-540-45146-4_34

Password Interception in a SSL/TLS Channel

Abstract: Simple password authentication is often used e.g. from an email software application to a remote IMAP server. This is frequently done in a protected peer-to-peer tunnel, e.g. by SSL/TLS. At Eurocrypt'02, Vaudenay presented vulnerabilities in padding schemes used for block ciphers in CBC mode. He used a side channel, namely error information in the padding verification. This attack was not possible against SSL/TLS due to both unavailability of the side channel (errors are encrypted) and premature abor…

Cited by 119 publications (84 citation statements). References 7 publications.
“…This can be useful in practice for, say, diagnostics within a protocol session. Often, allowing decryption to return multiple error messages has been problematic in practice; witness the various "padding oracle" attacks on SSL/TLS [40,11,32]. For our encode-then-encipher AEAD schemes, such attacks will not be a concern.…”
Section: AEAD From Tweakable Ciphers
“…Multiple, descriptive error messages can be quite useful in practice, but have often empowered damaging attacks (e.g. padding-oracle attacks [40,11,32,2,16]) against AE schemes using blockcipher modes, CBC-mode in particular. These attacks don't work against our AEAD schemes because, loosely, changing any bit of a ciphertext will randomize every bit of the decrypted string.…”
Section: Introduction
“…In implementations of the scheme we stress that uniform error reporting must be used. This will be vital for the scheme's security; otherwise a padding oracle attack similar to that against SSL/TLS by Canvel et al. [7] may be possible. As a result, our analysis only considers one error type, ⊥.…”
Section: Security Models
“…Even if this error code is not returned, information on whether or not the integrity check was successful can likely be obtained through timing or other information. (See [5] for a similar attack that uses this kind of timing information.) RFC 2440 says that the integrity check "allows the receiver to immediately check whether the session key is incorrect".…”
Section: Server-based OpenPGP Users
“…These attacks have been used in the past to attack the RSA PKCS #1 v1.5 [12] encryption scheme [3], the Cipher-Block-Chaining (CBC) Mode of encryption when used with certain exploitable redundancies (e.g. padding schemes) [2,5,15,16,17] and the OpenPGP CFB mode [13,11,14] itself. The attack on the OpenPGP CFB mode in [13,11] was able to obtain the entire plaintext using one oracle query which returned to the attacker the entire decryption of C and the attacks in [14] were able to extend the previous attack to adaptive scenarios.…”
Section: Introduction