tls attack
Lucky 13, BEAST, CRIME,… Is TLS dead, or just resting?
sloth
SLOTH Security Losses from Obsolete and Truncated Transcript Hashes (CVE-2015-7575)
rsa problem
Protecting RSA-based Protocols Against Adaptive Chosen-Ciphertext Attacks
Padding Oracle Attack
BEAST & Lucky 13 & POODLE
Disable CBC cipher suites in web deployments
Lucky 13
Lucky Thirteen: Breaking the TLS and DTLS Record Protocols
At its core this is a timing analysis of CBC padding processing.
So the options are: add a random time delay, use a stream cipher, use an AEAD, or arrange for constant-time processing.
The weakness is similar in spirit to the k-bit problem in DH.
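The constant-time option is the one that actually closed Lucky 13 in practice, so here is an added illustration (not code from the original notes or from any TLS library) of the structural difference. It builds a TLS 1.2-style MAC-then-pad record as the receiver sees it after CBC decryption, then checks it two ways: an early-exit version whose work and error value depend on where the record fails, and a version with data-independent control flow, one merged failure flag, and a fixed error outcome. Key, tag length and the record layout are assumptions for the demo; Python itself offers no timing guarantees, so this shows the structure of the fix, not a constant-time implementation.

```python
import hmac
import hashlib

MAC_LEN = 32  # HMAC-SHA256 tag length (assumed for this demo)
BLOCK = 16    # AES block size


def build_record(key: bytes, plaintext: bytes) -> bytes:
    """Receiver's view after CBC decryption (TLS 1.2 MAC-then-pad):
    plaintext || HMAC || pad_len bytes of value pad_len || pad_len."""
    tag = hmac.new(key, plaintext, hashlib.sha256).digest()
    body = plaintext + tag
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([pad_len]) * (pad_len + 1)


def check_variable_time(key: bytes, record: bytes):
    """Early-exit check. A bad pad returns before any MAC is computed, a bad MAC
    returns after it: two distinguishable outcomes and two different timings,
    which is exactly the signal Lucky 13 measures."""
    pad_len = record[-1]
    if pad_len + 1 + MAC_LEN > len(record):
        return "bad_padding"
    if any(b != pad_len for b in record[-(pad_len + 1):]):
        return "bad_padding"
    body = record[: len(record) - pad_len - 1]
    pt, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if hmac.new(key, pt, hashlib.sha256).digest() != tag:
        return "bad_mac"
    return pt


def check_constant_time(key: bytes, record: bytes):
    """Same decision, data-independent structure: no early exits, the whole
    possible padding range is scanned, the MAC is always computed and compared
    with compare_digest, and every failure collapses into one outcome (TLS
    mandates a single bad_record_mac alert for both cases)."""
    n = len(record)
    pad_len = record[-1]
    ok = int(pad_len + 1 + MAC_LEN <= n)   # flag arithmetic instead of branching
    safe_pad = pad_len * ok                # always in range, so later work is uniform
    # Scan the maximum padding range (256 bytes), not just pad_len bytes.
    for i in range(min(n, 256)):
        in_pad = int(i <= safe_pad)
        ok &= int(record[n - 1 - i] == pad_len) | (1 - in_pad)
    body_len = n - safe_pad - 1
    cut = max(body_len - MAC_LEN, 0)
    pt, tag = record[:cut], record[cut:body_len]
    # Real fixes (e.g. OpenSSL's) also make the hash run a fixed number of
    # compression-function calls regardless of pad_len; not reproduced here.
    expected = hmac.new(key, pt, hashlib.sha256).digest()
    ok &= int(hmac.compare_digest(expected, tag))
    return pt if ok else None


if __name__ == "__main__":
    k = b"k" * 32  # constructed demo key
    rec = build_record(k, b"hello")
    print(check_variable_time(k, rec), check_constant_time(k, rec))
```

Feed both checkers a record with a corrupted padding byte and one with a corrupted plaintext byte: the early-exit version reports `bad_padding` and `bad_mac` respectively, the uniform version returns `None` for both.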
Actual strength of Diffie-Hellman
Logjam (MITM) => TLS1.3
DH parameter strength => prefer ECDH
Bleichenbacher attack / DROWN attack => disable RSA PKCS#1 v1.5 padding, use RSA OAEP padding
Hardness of Computing the Most Significant Bits of Secret Keys in Diffie-Hellman and Related Schemes
Computing (breaking) the (log p)^(1/2) most significant bits of the DH secret is as hard as computing the entire DH secret.
The same holds for computing (breaking) an ElGamal public-key encryption message.
SSLstrip attack (MITM)
Register the site for HSTS
Requires browser cooperation
coding
Heartbleed => parameter (length) checks
CRIME => never select DEFLATE as the TLS compression algorithm
nonce misuse
Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS
Avoid vulnerabilities introduced by faulty GCM implementations:
Either, like chacha20-poly1305 and aes-ocb, derive the nonce from the sequence number & key,
or, like aes-siv, use a MAC-then-encrypt style construction that produces the tag & nonce.
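The first option is what TLS 1.3 standardised: the write IV comes from the traffic secret via HKDF-Expand-Label, and each record's nonce is that IV XORed with the left-padded 64-bit sequence number, so the nonce is a deterministic function of key material and counter and can never repeat under one key. The following added example (not code from the original notes or from any TLS implementation) derives the IV as in RFC 8446 sections 7.1 and 7.3, produces per-record nonces as in section 5.3, refuses to continue once the sequence number is exhausted, and includes a defender-side duplicate check for nonces logged from one's own implementation. The traffic secret is a constructed value.

```python
import hmac
import hashlib

IV_LEN = 12           # AEAD nonce length for AES-GCM and ChaCha20-Poly1305 in TLS 1.3
SEQ_MAX = 2 ** 64 - 1  # 64-bit record sequence number; must never wrap under one key


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_expand_label(secret: bytes, label: str, context: bytes, length: int) -> bytes:
    """HKDF-Expand-Label (RFC 8446 7.1): info = length || "tls13 "+label || context."""
    full_label = b"tls13 " + label.encode()
    hkdf_label = (
        length.to_bytes(2, "big")
        + bytes([len(full_label)]) + full_label
        + bytes([len(context)]) + context
    )
    return hkdf_expand(secret, hkdf_label, length)


class RecordNonces:
    """Per-record nonce = write_iv XOR seq (left-padded to IV_LEN), RFC 8446 5.3."""

    def __init__(self, traffic_secret: bytes):
        self.write_iv = hkdf_expand_label(traffic_secret, "iv", b"", IV_LEN)
        self.seq = 0

    def next_nonce(self) -> bytes:
        if self.seq > SEQ_MAX:
            # TLS 1.3 requires a KeyUpdate before the counter would wrap.
            raise OverflowError("sequence number exhausted; rekey before sending")
        padded_seq = self.seq.to_bytes(IV_LEN, "big")  # zero-extended on the left
        self.seq += 1
        return bytes(a ^ b for a, b in zip(self.write_iv, padded_seq))


def find_reused_nonces(nonces) -> set:
    """Monitoring check: any nonce seen twice under one key means GCM's
    authentication is broken for that key. Returns the repeated nonces."""
    seen, reused = set(), set()
    for nonce in nonces:
        if nonce in seen:
            reused.add(nonce)
        seen.add(nonce)
    return reused


if __name__ == "__main__":
    src = RecordNonces(bytes(range(32)))  # constructed traffic secret
    for _ in range(3):
        print(src.next_nonce().hex())
```

Because the nonce is never transmitted or chosen per record, there is nothing an implementation can get wrong at send time except the counter itself, which is why the overflow guard and the duplicate check above are the two things worth testing.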
www
Does “www.” Mean Better Transport Layer Security?
Deployment issues
cert
2016 wosign
robot
tls-rsa