Home

protocol pitfalls

Alert attack: alert records are not properly authenticated during handshake
Non-AEAD ciphers may not be safe:
- CBC permits Lucky13 side-channel attack thus implementaion requires workarounds.
- RC4 is biased
Non-DHE key exchange methods do not provide forward secrecy.
Compression may leak sensitive data in certain places e.g. CRIME
Renegonation flaw

CCS injection: if CCS is carelessly accepted, it may cause bad results
- agl's article

RFC 4492: ECC
RFC 5054: Secure Remote Password for TLS
RFC 5077: Session resumption w/o server-side state
RFC 5288: GCM for TLS
RFC 5289: ECC for GCM/TLS
RFC 5932: Camellia
- patented :(
- http://crypto.stackexchange.com/questions/6530/why-is-camellia-suddenly-so-widely-used
RFC 5746: Renegotiation Indication Extension
RFC 5764: DTLS+SRTP
RFC 5878: Authorization Extensions
- experimental, does not seem useful
- "why?" http://ietf.10.n7.nabble.com/RFC-5878-why-td384749.html
RFC 6066: TLS Extension Definitions (including sni)
RFC 6091: OpenPGP
RFC 6176: Prohibiting SSL 2.0
RFC 6209: ARIA
RFC 6520: Heartbeat extension
RFC 7027: Brainpool
- https://polarssl.org/kb/cryptography/elliptic-curve-performance-nist-vs-brainpool

TLS 1.3 draft
- Removes non-DHE key exchange methods
- Removes non-AEAD ciphers
- Removes compression
chacha20poly1305
- Google uses it! (anyone else?)
- BoringSSL implements draft 04
- OpenSSL has 1.0.2-aead branch which implements draft 01 (incompatible to draft 04)
no-gmtunixtime
- TLS 1.2 has gmtunixtime field but the value is not important
TLS Curve25519 draft
false start: 1-RTT for full handshake
- disabled due to compatibility issues
application layer protocol negotiation
channel id
- implemented in boringssl
fallback SCSV
padding
EtM
prohibiting rc4

NIST ECC
- It's not easy to implement short Weierstrass curves in constant time: safecurves
- A lot of NIST curves contain obscure numbers: BADA55
AES/GCM: careless implementation may permit timing attack