On the security of CBC Mode in SSL3.0 and TLS1.0

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are currently two of the most widely used security protocols on the Internet, and TLS 1.0 is among the most widely supported SSL/TLS protocol versions. To protect application data, the cipher suites of SSL 3.0 and TLS 1.0 select one of two kinds of bulk encryption: a stream cipher, or a block cipher in the cipher block chaining (CBC) mode of operation. In recent years both have been criticized as insecure when used in the real world. For example, the BEAST attack against TLS 1.0 and the POODLE attack against SSL 3.0 had a significant impact on Internet security, not least because their techniques are clever and their computational costs are low. In this paper we survey these attacks and prove theoretically that the patched CBC mode in TLS 1.0 satisfies indistinguishability, which implies that it is secure against BEAST-type attacks.
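As an added worked example (not code from the paper), the following Python simulation shows the TLS 1.0 CBC weakness the abstract refers to, the BEAST guess test that exploits it, and why that test stops working once the record layer is patched. Assumptions made here: the block cipher is a toy 4-round Feistel permutation built from SHA-256 standing in for AES; the record format is the TLS 1.0 CBC layout (data, HMAC-SHA1, padding) without the record header; the "patched CBC mode" is taken to be the 1/n-1 record split that browsers deployed as the BEAST countermeasure; the keys and the secret cookie are constructed demo values. `Tls10Sender`, `beast_recover` and `run_attack` are names chosen for this example.

```python
import hashlib
import hmac

BLOCK = 16


def _round(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def enc_block(key, block):
    """Toy 16-byte block cipher: a 4-round Feistel network (a keyed permutation),
    standing in for AES so the example runs without third-party libraries."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _round(key, rnd, r))
    return l + r


def cbc_encrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        prev = enc_block(key, xor(data[i:i + BLOCK], prev))
        out += prev
    return out


class Tls10Sender:
    """Sender side of a simplified TLS 1.0 CBC record layer: MAC, then pad,
    then encrypt, with the IV of each record being the last ciphertext block
    of the previous record (the chaining that BEAST exploits).  split=True
    applies the 1/n-1 record split countermeasure."""

    def __init__(self, enc_key, mac_key, first_iv, split=False):
        self.enc_key, self.mac_key, self.split = enc_key, mac_key, split
        self.iv = first_iv   # derived from the handshake in TLS 1.0, so unknown to the attacker
        self.seq = 0

    def send(self, data):
        if self.split and len(data) > 1:
            return self._record(data[:1]) + self._record(data[1:])
        return self._record(data)

    def _record(self, data):
        mac = hmac.new(self.mac_key, self.seq.to_bytes(8, "big") + data, hashlib.sha1).digest()
        body = data + mac
        padlen = BLOCK - len(body) % BLOCK      # TLS padding: padlen bytes, each equal to padlen-1
        body += bytes([padlen - 1]) * padlen
        ct = cbc_encrypt(self.enc_key, self.iv, body)
        self.iv = ct[-BLOCK:]                   # chained IV: predictable from the wire
        self.seq += 1
        return ct


def beast_recover(victim_send, secret_len):
    """BEAST-style chosen-boundary attack.  victim_send(prefix) makes the victim
    transmit prefix || SECRET and returns what appears on the wire; the attacker
    sees only ciphertext and chooses prefixes.  Returns the bytes recovered."""
    wire = victim_send(b"")                     # observe a record to learn the next IV
    known = b""
    for i in range(secret_len):
        # Choose the prefix so one block ends exactly at SECRET[i]: 15 known bytes + 1 unknown.
        prefix = b"A" * ((BLOCK - 1 - i) % BLOCK)
        k = (len(prefix) + i + 1) // BLOCK - 1  # index of that block within the record
        iv_used = wire[-BLOCK:]
        wire = victim_send(prefix)
        blocks = [iv_used] + [wire[j:j + BLOCK] for j in range(0, len(wire), BLOCK)]
        c_prev, c_target = blocks[k], blocks[k + 1]
        known15 = (prefix + known)[-(BLOCK - 1):]
        found = None
        for g in range(256):
            guess = known15 + bytes([g])
            # The next record's IV is the last block on the wire.  XOR it away so the cipher
            # input is guess XOR c_prev, which produced c_target iff guess == the plaintext block.
            probe = xor(xor(guess, c_prev), wire[-BLOCK:])
            wire = victim_send(probe)
            if wire[:BLOCK] == c_target:
                found = g
                break
        if found is None:
            return known                        # the block-equality oracle no longer works
        known += bytes([found])
    return known


# Constructed demo values, not real key material.
ENC_KEY = hashlib.sha256(b"demo enc key").digest()[:16]
MAC_KEY = hashlib.sha256(b"demo mac key").digest()
FIRST_IV = hashlib.sha256(b"demo handshake iv").digest()[:16]
SECRET = b"session=5f3a9c1d7e2b"


def run_attack(split):
    """Run BEAST against a fresh connection; returns the recovered secret bytes."""
    sender = Tls10Sender(ENC_KEY, MAC_KEY, FIRST_IV, split=split)
    return beast_recover(lambda prefix: sender.send(prefix + SECRET), len(SECRET))


if __name__ == "__main__":
    print("chained IV (TLS 1.0 as specified):", run_attack(split=False))
    print("1/n-1 split (patched):            ", run_attack(split=True))
```

With chained IVs the attacker, who sees every ciphertext block, knows the IV of the next record before choosing its plaintext, so each probe makes the cipher input equal to guess XOR c_prev and the victim becomes a block-equality oracle (at most 256 probes per secret byte). With the split, the IV of the record whose first block the attacker controls is the last block of a one-byte record that contains a keyed MAC; it is unpredictable at the moment the probe must be chosen, and the same test never fires. That unpredictability of the IV from the attacker's view is what an indistinguishability proof for the patched mode formalises.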

[1] David M. Kristol et al. HTTP State Management Mechanism, 1997, RFC.

[2] Pratik Guha Sarkar et al. Attacks on SSL: A Comprehensive Study of BEAST, CRIME, TIME, BREACH, Lucky 13 & RC4 Biases, 2013.

[3] Serge Vaudenay. Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS, 2002, EUROCRYPT.

[4] Masakatu Morii et al. Comprehensive Analysis of Initial Keystream Biases of RC4, 2014, IEICE Trans. Fundam. Electron. Commun. Comput. Sci.

[5] Bruce Schneier. Applied Cryptography: Protocols, Algorithms, and Source Code in C, 1996.

[6] Mihir Bellare et al. The Security of Triple Encryption and a Framework for Code-Based Game-Playing Proofs, 2006, EUROCRYPT.

[7] Masakatu Morii et al. Full Plaintext Recovery Attack on Broadcast RC4, 2013, FSE.

[8] Kenneth G. Paterson et al. On the Security of RC4 in TLS, 2013, USENIX Security Symposium.

[9] Christopher Allen et al. The TLS Protocol Version 1.0, 1999, RFC.

[10] Donald E. Eastlake 3rd. Transport Layer Security (TLS) Extensions: Extension Definitions, 2011, RFC.

[11] Whitfield Diffie et al. New Directions in Cryptography, 1976, IEEE Trans. Inf. Theory.

[12] Adi Shamir et al. A Practical Attack on Broadcast RC4, 2001, FSE.

[13] Alfredo Pironti et al. Deprecating Secure Sockets Layer Version 3.0, 2015, RFC.

[14] Bodo Möller et al. This POODLE Bites: Exploiting the SSL 3.0 Fallback, 2014.

[15] Adam Barth. The Web Origin Concept, 2011, RFC.

[16] Andrei Popov. Prohibiting RC4 Cipher Suites, 2015, RFC.

[17] Serge Vaudenay et al. Password Interception in a SSL/TLS Channel, 2003, CRYPTO.

[18] Peter Gutmann. Encrypt-then-MAC for Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS), 2014, RFC.

[19] Kenneth G. Paterson et al. Lucky Thirteen: Breaking the TLS and DTLS Record Protocols, 2013, IEEE Symposium on Security and Privacy.

[20] Alan O. Freier et al. The Secure Sockets Layer (SSL) Protocol Version 3.0, 2011, RFC.

[21] Shiho Moriai et al. Can We Securely Use CBC Mode in TLS1.0?, 2015, ICT-EurAsia/CONFENIS.

[22] Donald E. Eastlake 3rd. Transport Layer Security (TLS) Extensions: Extension Definitions, 2011, RFC.

[23] Morris J. Dworkin. Recommendation for Block Cipher Modes of Operation: Methods and Techniques, 2001.