Fwd: OpenSSL Security Advisory: Timing-based attacks on SSL/TLS with CBC encryption

Robert Olson olson at mcs.anl.gov
Thu Feb 20 08:31:01 CST 2003 

good example of the subtlty of attacks that can be launched...

>Delivered-To: openssl-announce-l at master.openssl.org
>X-Original-To: openssl-announce at openssl.org
>Delivered-To: openssl-announce at openssl.org
>X-Original-To: openssl-announce at openssl.org
>Date: Thu, 20 Feb 2003 12:45:10 +0100
>From: Bodo Moeller <bodo at openssl.org>
>To: openssl-announce at openssl.org
>Subject: OpenSSL Security Advisory: Timing-based attacks on SSL/TLS with 
>CBC encryption
>User-Agent: Mutt/1.2.5i
>Sender: owner-openssl-announce at openssl.org
>Reply-To: openssl-users at openssl.org
>X-Sender: Bodo Moeller <bodo at openssl.org>
>X-Spam-Status: No, hits=-5.0 required=5.0 tests=UNIFIED_PATCH version=2.21
>X-Spam-Level:
>
>OpenSSL Security Advisory [19 February 2003]
>
>Timing-based attacks on SSL/TLS with CBC encryption
>===================================================
>
>CONTENTS
>
>  - Vulnerability
>  - Source code patch [*]
>  - Acknowledgement
>  - References
>
>[*] OpenSSL 0.9.6i and OpenSSL 0.9.7a do not require this patch.
>
>The source code of OpenSSL 0.9.6i and OpenSSL 0.9.7a is available as
>files openssl-0.9.6i.tar.gz and openssl-0.9.7a.tar.gz from
>
>      ftp://ftp.openssl.org/source;type=d
>
>(If you were previously using an OpenSSL 0.9.6* "engine" release and
>cannot upgrade to OpenSSL 0.9.7a, obtain file
>openssl-engine-0.9.6i.tar.gz instead.  With OpenSSL 0.9.7, the
>"engine" framework has become part of the standard distribution.)
>
>If you are using a pre-compiled OpenSSL package, please look for update
>information from the respective software distributor.  The OpenSSL
>group itself does not distribute OpenSSL binaries.
>
>
>Vulnerability
>-------------
>
>In an upcoming paper, Brice Canvel (EPFL), Alain Hiltgen (UBS), Serge
>Vaudenay (EPFL), and Martin Vuagnoux (EPFL, Ilion) describe and
>demonstrate a timing-based attack on CBC ciphersuites in SSL and TLS.
>
>The attack assumes that multiple SSL or TLS connections involve a
>common fixed plaintext block, such as a password.  An active attacker
>can substitute specifically made-up ciphertext blocks for blocks sent
>by legitimate SSL/TLS parties and measure the time until a response
>arrives: SSL/TLS includes data authentication to ensure that such
>modified ciphertext blocks will be rejected by the peer (and the
>connection aborted), but the attacker may be able to use timing
>observations to distinguish between two different error cases, namely
>block cipher padding errors and MAC verification errors.  This is
>sufficient for an adaptive attack that finally can obtain the complete
>plaintext block.
>
>OpenSSL version since 0.9.6c supposedly treat block cipher padding
>errors like MAC verification errors during record decryption
>(see http://www.openssl.org/~bodo/tls-cbc.txt), but MAC verification
>was still skipped after detection of a padding error, which allowed
>the timing attack.  (Note that it is likely that other SSL/TLS
>implementations will have similar problems.)
>
>OpenSSL 0.9.6i and 0.9.7a perform a MAC computation even if incorrrect
>block cipher padding has been found to minimize information leaked via
>timing.  For earlier versions starting with 0.9.6e, the enclosed
>security patch can be used.
>
>
>Source code patch
>-----------------
>
>If upgrading to OpenSSL 0.9.7a (the recommended version) or to OpenSSL
>0.9.6i is not immediately possible, the following patch should be
>applied to the OpenSSL source code tree.  The patch is compatible
>with OpenSSL 0.9.6e and later.
>
> >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
>--- ../openssl-0.9.6h/CHANGES   Thu Dec  5 22:40:48 2002
>+++ ./CHANGES   Tue Feb 19 00:00:00 2003
>@@ -1,3 +1,19 @@
>+ Change from security patch  [19 Feb 2003]
>+
>+ (Please consider installing OpenSSL 0.9.7a or OpenSSL 0.9.6i.
>+ These versions already include this change; do not try to apply
>+ the patch to them!)
>+
>+  *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
>+     via timing by performing a MAC computation even if incorrrect
>+     block cipher padding has been found.  This is a countermeasure
>+     against active attacks where the attacker has to distinguish
>+     between bad padding and a MAC verification error. (CAN-2003-0078)
>+
>+     [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
>+     Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
>+     Martin Vuagnoux (EPFL, Ilion)]
>+
>
>   OpenSSL CHANGES
>   _______________
>--- ../openssl-0.9.6h/ssl/s3_pkt.c      Mon May  6 12:42:56 2002
>+++ ./ssl/s3_pkt.c      Wed Feb 18 00:00:00 2003
>@@ -238,6 +238,8 @@
>         unsigned int mac_size;
>         int clear=0;
>         size_t extra;
>+       int decryption_failed_or_bad_record_mac = 0;
>+       unsigned char *mac = NULL;
>
>         rr= &(s->s3->rrec);
>         sess=s->session;
>@@ -353,8 +355,11 @@
>                         /* SSLerr() and ssl3_send_alert() have been called */
>                         goto err;
>
>-               /* otherwise enc_err == -1 */
>-               goto decryption_failed_or_bad_record_mac;
>+               /* Otherwise enc_err == -1, which indicates bad padding
>+               * (rec->length has not been changed in this case).
>+               * To minimize information leaked via timing, we will perform
>+               * the MAC computation anyway. */
>+               decryption_failed_or_bad_record_mac = 1;
>                 }
>
>  #ifdef TLS_DEBUG
>@@ -380,28 +385,46 @@
> 
>SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_PRE_MAC_LENGTH_TOO_LONG);
>                         goto f_err;
>  #else
>-                       goto decryption_failed_or_bad_record_mac;
>+                       decryption_failed_or_bad_record_mac = 1;
>  #endif
>                         }
>                 /* check the MAC for rr->input (it's in mac_size bytes at 
> the tail) */
>-               if (rr->length < mac_size)
>+               if (rr->length >= mac_size)
>                         {
>+                       rr->length -= mac_size;
>+                       mac = &rr->data[rr->length];
>+                       }
>+               else
>+                       {
>+                       /* record (minus padding) is too short to contain 
>a MAC */
>  #if 0 /* OK only for stream ciphers */
>                         al=SSL_AD_DECODE_ERROR;
>                         SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_LENGTH_TOO_SHORT);
>                         goto f_err;
>  #else
>-                       goto decryption_failed_or_bad_record_mac;
>+                       decryption_failed_or_bad_record_mac = 1;
>+                       rr->length = 0;
>  #endif
>                         }
>-               rr->length-=mac_size;
>                 i=s->method->ssl3_enc->mac(s,md,0);
>-               if (memcmp(md,&(rr->data[rr->length]),mac_size) != 0)
>+               if (mac == NULL || memcmp(md, mac, mac_size) != 0)
>                         {
>-                       goto decryption_failed_or_bad_record_mac;
>+                       decryption_failed_or_bad_record_mac = 1;
>                         }
>                 }
>
>+       if (decryption_failed_or_bad_record_mac)
>+               {
>+               /* A separate 'decryption_failed' alert was introduced 
>with TLS 1.0,
>+               * SSL 3.0 only has 'bad_record_mac'.  But unless a decryption
>+               * failure is directly visible from the ciphertext anyway,
>+               * we should not reveal which kind of error occured -- this
>+               * might become visible to an attacker (e.g. via a logfile) */
>+               al=SSL_AD_BAD_RECORD_MAC;
>+ 
>SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
>+               goto f_err;
>+               }
>+
>         /* r->length is now just compressed */
>         if (s->expand != NULL)
>                 {
>@@ -443,19 +466,12 @@
>
>         return(1);
>
>-decryption_failed_or_bad_record_mac:
>-       /* Separate 'decryption_failed' alert was introduced with TLS 1.0,
>-       * SSL 3.0 only has 'bad_record_mac'.  But unless a decryption
>-       * failure is directly visible from the ciphertext anyway,
>-       * we should not reveal which kind of error occured -- this
>-       * might become visible to an attacker (e.g. via logfile) */
>-       al=SSL_AD_BAD_RECORD_MAC;
>- 
>SSLerr(SSL_F_SSL3_GET_RECORD,SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC);
>  f_err:
>         ssl3_send_alert(s,SSL3_AL_FATAL,al);
>  err:
>         return(ret);
>         }
>+const char *CAN_2003_0078_patch_ID="CAN-2003-0078 patch 2003-02-19";
>
>  static int do_uncompress(SSL *ssl)
>         {
><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
>
>
>Acknowledgement
>---------------
>
>We thank Brice Canvel, Alain Hiltgen, Serge Vaudenay, and Martin
>Vuagnoux for informing us about this vulnerability.
>
>
>References
>----------
>
>The Common Vulnerabilities and Exposures project (cve.mitre.org) has
>assigned the name CAN-2003-0078 to this issue:
>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0078
>
>URL for this Security Advisory:
>http://www.openssl.org/news/secadv_20030219.txt
>______________________________________________________________________
>OpenSSL Project                                 http://www.openssl.org
>Announcement Mailing List                 openssl-announce at openssl.org
>Automated List Manager                           majordomo at openssl.org

More information about the ag-dev mailing list