Title: The real impact of obsolete cryptography, applied to SSL/TLS 


SSL/TLS, a 20-year-old security protocol, has become a major component securing network communications, from HTTPS e-commerce and social network sites to Virtual Private Networks, from e-mail protocols to virtually every possible protocol.

The problem SSL/TLS is trying to solve can be summarised as an authenticated key exchange followed by the establishment of a secure channel providing confidentiality and integrity to application data. Theoretically, this problem is a solved one. In practice, however, SSL/TLS comes with a heavy history, from its inception as SSLv2, which is vulnerable to numerous attacks, up to TLS 1.3, still a work in progress at the IETF. Thus, the algorithms and modes used in practice in TLS do not reflect the state of the art. In this presentation, we will describe three examples of weak constructions that are still frequently used by our browsers:

  • the MAC-then-Encrypt paradigm (Lucky13 [0], POODLE [1]);
  • RSA encryption using PKCS#1 v1.5 (Bleichenbacher [2], DROWN [3]);
  • RSA signature using PKCS#1 v1.5 (Bleichenbacher [4], Berserk [5]).
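To make the third item concrete, here is an added example (not part of the talk or of any of the cited work) contrasting a lenient and a strict check of the PKCS#1 v1.5 signature encoding. The lenient verifier locates the DigestInfo after the 0x00 separator and never looks at what follows it, so a constructed encoding with minimal padding and trailing bytes passes; the strict verifier rebuilds the full expected encoding and compares it byte for byte. The message and the malformed layout are constructed sample inputs; only the stdlib is used.

```python
"""PKCS#1 v1.5 signature encoding (EMSA-PKCS1-v1_5): lenient vs. strict check.

After s^e mod n, the verifier holds a k-byte encoded message that must be exactly
    0x00 || 0x01 || PS (0xFF bytes, at least 8) || 0x00 || DigestInfo
where DigestInfo is DER: AlgorithmIdentifier followed by the hash (RFC 8017, 9.2).
"""
import hashlib

# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1)
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def digest_info(message: bytes) -> bytes:
    """DigestInfo for SHA-256: fixed DER prefix followed by the 32-byte hash."""
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(message).digest()


def encode_emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    """Correct encoding for a k-byte modulus (padding fills all remaining space)."""
    t = digest_info(message)
    if k < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def lenient_verify(em: bytes, message: bytes) -> bool:
    """Flawed check: scans for the separator, then ignores anything after DigestInfo."""
    if em[:2] != b"\x00\x01":
        return False
    sep = em.find(b"\x00", 2)
    if sep == -1 or sep - 2 < 8 or any(b != 0xFF for b in em[2:sep]):
        return False
    return em[sep + 1:].startswith(digest_info(message))  # trailing bytes never examined


def strict_verify(em: bytes, message: bytes) -> bool:
    """Correct check: recompute the whole encoding and compare it in full."""
    return em == encode_emsa_pkcs1_v15(message, len(em))


def demo(k: int = 128) -> dict:
    """Run both checks on a well-formed encoding and on a constructed malformed one."""
    msg = b"constructed sample message"  # constructed sample input
    good = encode_emsa_pkcs1_v15(msg, k)
    t = digest_info(msg)
    # Constructed: same DigestInfo, minimal padding, zero bytes appended after it
    malformed = b"\x00\x01" + b"\xff" * 8 + b"\x00" + t + b"\x00" * (k - 11 - len(t))
    return {"lenient_good": lenient_verify(good, msg), "strict_good": strict_verify(good, msg),
            "lenient_malformed": lenient_verify(malformed, msg),
            "strict_malformed": strict_verify(malformed, msg)}


if __name__ == "__main__":
    print(demo())
```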

Prerequisites: notions of basic cryptography (block ciphers, asymmetric cryptography, RSA)


Olivier Levillain is head of the training center (CFSSI) at ANSSI. He has been working in ANSSI labs for 8 years, on various topics ranging from low-level security models (SMM/ACPI) to public key infrastructures. More recently, his work focused on security protocols (and SSL/TLS in particular) and on programming languages.

[0] http://www.isg.rhul.ac.uk/tls/Lucky13.html
[1] https://www.openssl.org/~bodo/ssl-poodle.pdf
[2] Bleichenbacher, Daniel (1998). “Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1” (PS). CRYPTO ’98
[3] http://drownattack.com/
[4] https://www.ietf.org/mail-archive/web/openpgp/current/msg00999.html
[5] http://www.intelsecurity.com/resources/wp-berserk-analysis-part-1.pdf
