- 19.7.3 Rainbow tables: In 1980, Martin Hellman – the cryptographer who, four years earlier, published the Diffie-Hellman key agreement protocol – proposed a method for achieving a time-memory trade-off in an exhaustive search attack [80]. Hellman's method assumes a chosen plaintext attack with a plaintext $p_0$, which is encrypted with a secret key $k$ as […]
- In other words, to determine $k'$, Eve generates a chain of keys starting with $Y_1 = R(c_0)$ and up to the length $t$. If Alice computed $c_0$ using a key that is contained in the table, then Eve will eventually generate the key that matches the last key (the endpoint) in the corresponding chain. […]
- 20.1.3 The Downgrade Dance: Originally, the Downgrade Dance is a mechanism to negotiate a commonly supported TLS version for client and server during the TLS handshake. However, up to and including TLS version 1.2, the messages of the negotiation process are not authenticated, so an active attacker acting as a man-in-the-middle can misuse this […]
- 20.2 Logjam: Logjam (see [1]) represents the practical implementation of the attack template shown in Figure 20.1 with respect to the DHE key-establishment protocol. Here, the server is tricked into selecting a weak export-grade DHE cipher suite such as this: As discussed earlier, the client therefore receives weak key parameters and uses them to generate […]
- 20.5 Bleichenbacher attack: Long before Bleichenbacher published this work, it was well known that plain RSA is vulnerable to chosen-ciphertext attacks. If Eve wants to decrypt the ciphertext $c \equiv m^d \pmod{n}$ that Bob encrypted for Alice, she can choose a random integer $s$ and ask Alice to decrypt an apparently innocuous message $c' \equiv$ […]
- 20.5.2 Countermeasures: Daniel Bleichenbacher published his attack at the CRYPTO'98 conference, which took place in August 1998. RFC 2246, "The TLS Protocol Version 1.0", draft version 0.6, released on November 12, 1998, added a note that an attack has been discovered against TLS servers that use RSA with PKCS #1-encoded messages. In order to prevent […]
- 20.6.2 Side channel attacks: In 2014, a group of German security researchers discovered four new side channels leading to Bleichenbacher-style oracles and demonstrated Bleichenbacher attacks on Java Secure Socket Extension (JSSE) (Java's built-in SSL/TLS implementation) as well as on hardware security appliances that used a specific accelerator chip for TLS [119]. Notably, these latter attacks […]
- 20.1 Downgrade attacks: As we have seen in Chapter 18, TLS Cipher Suites, the TLS protocol allows Alice and Bob to negotiate cryptographic settings for the TLS connection they want to establish. The ability to negotiate cryptographic parameters has a twofold benefit. First, it ensures maximum possible compatibility in the heterogeneous landscape of TLS endpoints. […]
- 20.7 Insecure renegotiation: In 2009, Marsh Ray and Steve Dispensa, two employees of a company providing a multi-factor authentication solution that was eventually acquired by Microsoft and integrated into Azure, discovered a renegotiation-related vulnerability in then-current TLS versions that allowed Mallory to inject an arbitrary amount of chosen plaintext into the beginning of the application […]