Password Interception in a SSL/TLS Channel

Executive Summary

Simple password authentication is often used, for example by an email client connecting to a remote IMAP server. This is frequently done inside a protected peer-to-peer tunnel such as SSL/TLS. At Eurocrypt '02, Vaudenay presented vulnerabilities in padding schemes used for block ciphers in CBC mode. He used a side channel, namely error information from the padding verification. This attack was not possible against SSL/TLS, both because the side channel was unavailable (errors are encrypted) and because the session is aborted prematurely when an error occurs. This paper extends the attack and optimizes it. It shows that the attack is actually applicable, for password interception, against the latest and most popular implementations of SSL/TLS (at the time this paper was written).

  • Format: PDF
  • Size: 162.2 KB