Re: Serious crypto problem fixed by envelope HMAC method insteadof currently used prefix
Hi,
The problem/bug that I described below affects SSLv2 servers and clients.
SSLv2 (still an option in the browsers) is vulnerable to this extension
attack.
Thanks.
Regards,
Omirjan Batyrbaev, CTO B3 Security Corp.
batyr@xxxxxxxxxxxxxxxxxx
----- Original Message -----
From: "Omirjan Batyrbaev" <batyr@xxxxxxxxxxxxxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Cc: <dm@xxxxxxxxxxxxxxxxx>
Sent: Sunday, November 19, 2006 9:44 PM
Subject: Serious crypto problem fixed by envelope HMAC method insteadof
currently used prefix
> Hi,
>
> I propose to use envelope method instead of currently used prefix method
in
> HMAC used in TLS/SSL. The measure is important especially since it was
> pointed out that the
> NULL cipher suites have a real use and since some ciphers are
intentionally
> weak. With the NULL cipher (or the easily broken 40 bits cipher) the
current
> HMAC
> construct is exploitable by an active attacker who appends to the message
> and substitutes the new message and the newly generated HMAC value for the
> originals. On the server side the HMAC operation will succeed. Of course
it
> can be the server message that gets compromised this way. This attack is
> well known in the crypto community and is well documented in HAC (Handbook
> of Applied Cryptography). The book is available online and I can send you
a
> page reference if you are not familiar with the attack on the HMAC prefix
> method.
>
> I quote TLS 1.2:
> "The MAC is generated as:
>
> HMAC_hash(MAC_write_secret, seq_num + TLSCompressed.type +
> TLSCompressed.version + TLSCompressed.length +
> TLSCompressed.fragment));
>
> where "+" denotes concatenation."
>
> This is subject to the above mentioned attack.
>
> Instead I propose the HMAC construct which is not prone to the above
stated
> exploit:
>
> HMAC_hash(MAC_write_secret, seq_num + TLSCompressed.type +
> TLSCompressed.version + TLSCompressed.length +
> TLSCompressed.fragment + MAC_write_secret));
>
> addition of the MAC_write_secret as the last bits of the input to the HMAC
> makes it envelope method which is secure against the above stated exploit.
>
> Versions affected Products that implemented TLS 1.2; 1.1; 1.0 and SSL v3,
> v2, v1.
>
> PS: it makes no difference if the plaintext compressed or not I just
quoted
> from the draft/specs.
>
>
> Thanks.
> Regards,
> Omirjan Batyrbaev, CTO B3 Security Corp.
> batyr@xxxxxxxxxxxxxxxxxx
>