[ietf-tls] Re: Cryptographer's view of the "dummy block"
On Wed, Jun 19, 2002, Bodo Moller wrote:
>> It seems that the dummy block does not solve Vaudenay's attack.
>It is not meant to solve this particular problem. Vaudenay's attack
>is prevented by using a single error message instead of
>differentiating between decryption_failed and bad_record_mac; see the
>first message archived at <URL:http://www.openssl.org/~bodo/tls-cbc.txt>.
>The dummy record approach targets a different problem; see the second
>message at the same URL.
Thank you very much for putting us in context; we did not know the whole
discussion before.
The proposal against Vaudenay's attack seems to be practically sufficient.
However, it places some non-trivial demands on the implementation phase.
For instance, there still exists a risk of a timing side channel (revealing
whether it was the padding or the MAC that failed, especially for longer records).
Also there is a risk of introducing other side channels (cf. Manger's OAEP
attack assumptions).
We hope that programmers will be aware of these pitfalls.
Vlastimil Klima and Tomas Rosa
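The two record-check styles discussed in this thread, as an added Python example (not code from the thread or from OpenSSL): `leaky_check` distinguishes a padding failure from a MAC failure and skips the MAC when the padding is bad, while `uniform_check` returns the single error Bodo describes and always computes the MAC. The record format (data || HMAC-SHA256 || TLS-style padding), the 32-byte tag and the 256-byte scan window are assumptions for this toy; Python is not constant-time, and the MAC input length still depends on the padding, which is exactly the residual timing risk the reply warns about.

```python
import hashlib
import hmac

TAG_LEN = 32  # HMAC-SHA256 tag length for this toy record layer (assumption)

def make_record(data: bytes, mac_key: bytes, pad: int) -> bytes:
    """Build a decrypted CBC payload: data || MAC(data) || (pad+1) bytes of value pad."""
    tag = hmac.new(mac_key, data, hashlib.sha256).digest()
    return data + tag + bytes([pad]) * (pad + 1)

def leaky_check(plaintext: bytes, mac_key: bytes) -> str:
    """'Before': padding failure and MAC failure are distinguishable, and the
    MAC is skipped when the padding is bad (a padding oracle)."""
    pad = plaintext[-1]
    if pad + 1 + TAG_LEN > len(plaintext) or plaintext[-(pad + 1):] != bytes([pad]) * (pad + 1):
        return "decryption_failed"
    body = plaintext[:-(pad + 1)]
    data, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(mac_key, data, hashlib.sha256).digest(), tag):
        return "bad_record_mac"
    return "ok"

def uniform_check(plaintext: bytes, mac_key: bytes) -> str:
    """'After': one error code for either failure, no early exit on the padding
    scan, and the MAC is always computed so both failure paths do the same work."""
    n = len(plaintext)
    pad = plaintext[-1]
    good = int(pad + 1 + TAG_LEN <= n)  # 1 if the claimed padding length fits
    eff = pad * good                     # padding length honoured (0 if it does not fit)
    bad = 1 - good
    # Scan a fixed-size window of trailing bytes and mask in only the padding
    # bytes, so the loop does not stop at the first mismatch.
    for i in range(1, min(256, n) + 1):
        in_pad = int(i <= eff + 1)
        bad |= in_pad * (plaintext[n - i] ^ pad)
    body = plaintext[: n - eff - 1]
    data, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    # Always compute and compare the MAC, even when the padding was already wrong.
    mac_ok = hmac.compare_digest(hmac.new(mac_key, data, hashlib.sha256).digest(), tag)
    if bad or not mac_ok:
        return "bad_record_mac"
    return "ok"
```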