"Travis H." <[EMAIL PROTECTED]> writes:

> On 5/14/06, Victor Duchovni <[EMAIL PROTECTED]> wrote:
>> Security is fragile. Deviating from well understood primitives may be
>> good research, but is not good engineering. Especially fragile are:
> Point taken.  This is not for a production system, it's a research thing.
>> TLS (available via OpenSSL) provides integrity and authentication, any
>> reason to re-invent the wheel? It took multiple iterations of design
>> improvements to get TLS right, even though it was designed by experts.
> IIUC, protocol design _should_ be easy, you just perform some
> finite-state analysis and verify that, assuming your primitives are
> ideal, no protocol-level operations break it.  The 7th Usenix Security
> Symposium has a paper where the authors built up SSL 3.0 to find out
> what attack each datum was meant to prevent.  They used mur-phi, which
> has been used for VLSI verification (i.e. large numbers of states).
> AT&T published some code to do it too (called SPIN).  It's effective
> if the set of attacks you're protecting against is finite and
> enumerable (for protocol design, I think it should be; reflection,
> replay, reorder, suppress, inject, etc.).  I wouldn't consider
> fielding a protocol design without sanity-checking it using such a
> tool.  Was there an attack against TLS which got past FSA, or did the
> experts not know about FSA?

There have been a number of attacks on TLS since Mitchell et al's
paper was published in 1998. The most well known are the attacks
on CBC mode described in http://www.openssl.org/~bodo/tls-cbc.txt.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to