if an adversary changes the supported ciphersuite m1


and downgrade the ciphersuite to a broken version; this is why we have the second step. (If an adversary changes the supported ciphersuite, M1 or M2 would be changed, so in step 6 the MAC(H(m1-m5)) will not be right and they can't handshake.)

(2) Change Cipher Spec -> check

(3) Application Data Transfer

SSL doesn't protect the domain name and subdomain that you are accessing, but will protect the exact URL, cookies, passwords, etc. There are attacks that are still possible, ones that look at lengths of messages, etc.

1) An attack -> Padding Oracle (Lucky 13)
   -> applies to CBC mode
   -> exploits the fact that, as implemented, CBC mode is not CCA secure (even with a MAC)
   -> problem is with the padding -> not inside the MAC
   -> Lesson: better in general to encrypt-then-MAC (c = e || MAC(e), where e = Enc(M||pad))

2) An attack -> BEAST
   -> exploits the fact that CBC mode was not CPA-secure (as implemented)
   -> fixed in TLS 1.1, 1.2
   -> predictable IVs -> IV for record i = last block of record i-1
      c1 = Enc(m1 xor IV)
      ci = Enc(mi xor c(i-1)), i > 1
   ...