On Tue, 2015-12-01 at 21:02 +0100, Hanno Böck wrote:
> On Tue, 1 Dec 2015 14:28:49 -0500
> Watson Ladd <watsonbl...@gmail.com> wrote:
> 
> > https://www.nds.rub.de/media/nds/veroeffentlichungen/2015/08/21/Tls13QuicAttacks.pdf
> > 
> > This one looks very nasty to fix. Short of disallowing the use of RSA
> > certificates for TLS 1.2 with the RSA handshake and in TLS 1.3, I
> > don't see a good fix. I haven't read this paper in detail yet.
> > 
> > Cross-protocol attacks are the gift that keeps giving.
> 
> Correct me if I'm wrong, but as I understand the result (and I had one
> of the authors explaining it to me a few days ago) the problem appears
> only if you have a TLS 1.2 implementation with an RSA key exchange that
> is vulnerable to a Bleichenbacher attack. If it is not then you're
> fine.

The interesting result of the paper is:
"Even though this limits the practical impact of this attack, it
demonstrates that simply removing a legacy algorithm from a standard is
not necessarily sufficient to protect against its weaknesses."

Even though the attack does not work for current implementations, it
underlines that if you reuse keys from TLS 1.2 in TLS 1.3 you don't get
any advantage from the better algorithms in TLS 1.3. You are as safe as
if you were using TLS 1.2.

That can be claimed to be a trivial result, given that it is underlined
in almost every paper that describes a cross-protocol attack, but it is
still not grasped by the engineering community. Quite a few cross-protocol
attacks have been described (Kerberos 4 -> Kerberos 5 by Yu et al., TLS
between ciphersuites starting with Wagner and Schneier), but still we
reuse keys between protocols.

regards,
Nikos

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
