| <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><meta name="generator" content="rustdoc"><meta name="description" content="Source of the Rust file `/root/.cargo/git/checkouts/incubator-teaclave-crates-c8106113f74feefc/ede1f68/rustls-0.19.1/rustls/src/manual/tlsvulns.rs`."><meta name="keywords" content="rust, rustlang, rust-lang"><title>tlsvulns.rs - source</title><link rel="preload" as="font" type="font/woff2" crossorigin href="../../../SourceSerif4-Regular.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../../FiraSans-Regular.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../../FiraSans-Medium.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../../SourceCodePro-Regular.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../../SourceSerif4-Bold.ttf.woff2"><link rel="preload" as="font" type="font/woff2" crossorigin href="../../../SourceCodePro-Semibold.ttf.woff2"><link rel="stylesheet" href="../../../normalize.css"><link rel="stylesheet" href="../../../rustdoc.css" id="mainThemeStyle"><link rel="stylesheet" href="../../../ayu.css" disabled><link rel="stylesheet" href="../../../dark.css" disabled><link rel="stylesheet" href="../../../light.css" id="themeStyle"><script id="default-settings" ></script><script src="../../../storage.js"></script><script defer src="../../../source-script.js"></script><script defer src="../../../source-files.js"></script><script defer src="../../../main.js"></script><noscript><link rel="stylesheet" href="../../../noscript.css"></noscript><link rel="alternate icon" type="image/png" href="../../../favicon-16x16.png"><link rel="alternate icon" type="image/png" href="../../../favicon-32x32.png"><link rel="icon" type="image/svg+xml" href="../../../favicon.svg"></head><body class="rustdoc source"><!--[if lte IE 11]><div class="warning">This old browser is unsupported and will most likely display funky things.</div><![endif]--><nav class="sidebar"><a class="sidebar-logo" href="../../../rustls/index.html"><div class="logo-container"><img class="rust-logo" src="../../../rust-logo.svg" alt="logo"></div></a></nav><main><div class="width-limiter"><nav class="sub"><a class="sub-logo-container" href="../../../rustls/index.html"><img class="rust-logo" src="../../../rust-logo.svg" alt="logo"></a><form class="search-form"><div class="search-container"><span></span><input class="search-input" name="search" autocomplete="off" spellcheck="false" placeholder="Click or press ‘S’ to search, ‘?’ for more options…" type="search"><div id="help-button" title="help" tabindex="-1"><a href="../../../help.html">?</a></div><div id="settings-menu" tabindex="-1"><a href="../../../settings.html" title="settings"><img width="22" height="22" alt="Change settings" src="../../../wheel.svg"></a></div></div></form></nav><section id="main-content" class="content"><div class="example-wrap"><pre class="src-line-numbers"><span id="1">1</span> |
| <span id="2">2</span> |
| <span id="3">3</span> |
| <span id="4">4</span> |
| <span id="5">5</span> |
| <span id="6">6</span> |
| <span id="7">7</span> |
| <span id="8">8</span> |
| <span id="9">9</span> |
| <span id="10">10</span> |
| <span id="11">11</span> |
| <span id="12">12</span> |
| <span id="13">13</span> |
| <span id="14">14</span> |
| <span id="15">15</span> |
| <span id="16">16</span> |
| <span id="17">17</span> |
| <span id="18">18</span> |
| <span id="19">19</span> |
| <span id="20">20</span> |
| <span id="21">21</span> |
| <span id="22">22</span> |
| <span id="23">23</span> |
| <span id="24">24</span> |
| <span id="25">25</span> |
| <span id="26">26</span> |
| <span id="27">27</span> |
| <span id="28">28</span> |
| <span id="29">29</span> |
| <span id="30">30</span> |
| <span id="31">31</span> |
| <span id="32">32</span> |
| <span id="33">33</span> |
| <span id="34">34</span> |
| <span id="35">35</span> |
| <span id="36">36</span> |
| <span id="37">37</span> |
| <span id="38">38</span> |
| <span id="39">39</span> |
| <span id="40">40</span> |
| <span id="41">41</span> |
| <span id="42">42</span> |
| <span id="43">43</span> |
| <span id="44">44</span> |
| <span id="45">45</span> |
| <span id="46">46</span> |
| <span id="47">47</span> |
| <span id="48">48</span> |
| <span id="49">49</span> |
| <span id="50">50</span> |
| <span id="51">51</span> |
| <span id="52">52</span> |
| <span id="53">53</span> |
| <span id="54">54</span> |
| <span id="55">55</span> |
| <span id="56">56</span> |
| <span id="57">57</span> |
| <span id="58">58</span> |
| <span id="59">59</span> |
| <span id="60">60</span> |
| <span id="61">61</span> |
| <span id="62">62</span> |
| <span id="63">63</span> |
| <span id="64">64</span> |
| <span id="65">65</span> |
| <span id="66">66</span> |
| <span id="67">67</span> |
| <span id="68">68</span> |
| <span id="69">69</span> |
| <span id="70">70</span> |
| <span id="71">71</span> |
| <span id="72">72</span> |
| <span id="73">73</span> |
| <span id="74">74</span> |
| <span id="75">75</span> |
| <span id="76">76</span> |
| <span id="77">77</span> |
| <span id="78">78</span> |
| <span id="79">79</span> |
| <span id="80">80</span> |
| <span id="81">81</span> |
| <span id="82">82</span> |
| <span id="83">83</span> |
| <span id="84">84</span> |
| <span id="85">85</span> |
| <span id="86">86</span> |
| <span id="87">87</span> |
| <span id="88">88</span> |
| <span id="89">89</span> |
| <span id="90">90</span> |
| <span id="91">91</span> |
| <span id="92">92</span> |
| <span id="93">93</span> |
| <span id="94">94</span> |
| <span id="95">95</span> |
| <span id="96">96</span> |
| <span id="97">97</span> |
| <span id="98">98</span> |
| <span id="99">99</span> |
| <span id="100">100</span> |
| <span id="101">101</span> |
| <span id="102">102</span> |
| <span id="103">103</span> |
| <span id="104">104</span> |
| <span id="105">105</span> |
| <span id="106">106</span> |
| <span id="107">107</span> |
| <span id="108">108</span> |
| <span id="109">109</span> |
| <span id="110">110</span> |
| <span id="111">111</span> |
| <span id="112">112</span> |
| <span id="113">113</span> |
| <span id="114">114</span> |
| <span id="115">115</span> |
| <span id="116">116</span> |
| <span id="117">117</span> |
| <span id="118">118</span> |
| <span id="119">119</span> |
| <span id="120">120</span> |
| <span id="121">121</span> |
| <span id="122">122</span> |
| <span id="123">123</span> |
| <span id="124">124</span> |
| <span id="125">125</span> |
| <span id="126">126</span> |
| <span id="127">127</span> |
| <span id="128">128</span> |
| <span id="129">129</span> |
| <span id="130">130</span> |
| <span id="131">131</span> |
| <span id="132">132</span> |
| <span id="133">133</span> |
| <span id="134">134</span> |
| <span id="135">135</span> |
| <span id="136">136</span> |
| <span id="137">137</span> |
| <span id="138">138</span> |
| <span id="139">139</span> |
| <span id="140">140</span> |
| <span id="141">141</span> |
| <span id="142">142</span> |
| <span id="143">143</span> |
| <span id="144">144</span> |
| <span id="145">145</span> |
| <span id="146">146</span> |
| <span id="147">147</span> |
| <span id="148">148</span> |
| <span id="149">149</span> |
| <span id="150">150</span> |
| <span id="151">151</span> |
| <span id="152">152</span> |
| <span id="153">153</span> |
| <span id="154">154</span> |
| <span id="155">155</span> |
| <span id="156">156</span> |
| <span id="157">157</span> |
| <span id="158">158</span> |
| <span id="159">159</span> |
| <span id="160">160</span> |
| <span id="161">161</span> |
| <span id="162">162</span> |
| <span id="163">163</span> |
| <span id="164">164</span> |
| <span id="165">165</span> |
| <span id="166">166</span> |
| <span id="167">167</span> |
| <span id="168">168</span> |
| <span id="169">169</span> |
| <span id="170">170</span> |
| <span id="171">171</span> |
| <span id="172">172</span> |
| <span id="173">173</span> |
| </pre><pre class="rust"><code><span class="doccomment">/*! # A review of protocol vulnerabilities |
| |
| ## CBC MAC-then-encrypt ciphersuites |
| |
| Back in 2000 [Bellare and Namprempre](https://eprint.iacr.org/2000/025) discussed how to make authenticated |
| encryption by composing separate encryption and authentication primitives. That paper included this table: |
| |
| | Composition Method | Privacy || Integrity || |
| |--------------------|---------||-----------|| |
| || IND-CPA | IND-CCA | NM-CPA | INT-PTXT | INT-CTXT | |
| | Encrypt-and-MAC | insecure | insecure | insecure | secure | insecure | |
| | MAC-then-encrypt | secure | insecure | insecure | secure | insecure | |
| | Encrypt-then-MAC | secure | secure | secure | secure | secure | |
| |
| One may assume from this fairly clear result that encrypt-and-MAC and MAC-then-encrypt compositions would be quickly abandoned |
| in favour of the remaining proven-secure option. But that didn't happen, not in TLSv1.1 (2006) nor in TLSv1.2 (2008). Worse, |
| both RFCs included incorrect advice on countermeasures for implementers, suggesting that the flaw was "not believed to be large |
| enough to be exploitable". |
| |
| [Lucky 13](http://www.isg.rhul.ac.uk/tls/Lucky13.html) (2013) exploited this flaw and affected all implementations, including |
| those written [after discovery](https://aws.amazon.com/blogs/security/s2n-and-lucky-13/). OpenSSL even had a |
| [memory safety vulnerability in the fix for Lucky 13](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2107), which |
| gives a flavour of the kind of complexity required to remove the side channel. |
| |
| rustls does not implement CBC MAC-then-encrypt ciphersuites for these reasons. TLSv1.3 removed support for these |
| ciphersuites in 2018. |
| |
| There are some further rejected options worth mentioning: [RFC7366](https://tools.ietf.org/html/rfc7366) defines |
| Encrypt-then-MAC for TLS, but unfortunately cannot be negotiated without also supporting MAC-then-encrypt |
| (clients cannot express "I offer CBC, but only EtM and not MtE"). |
| |
| ## RSA PKCS#1 encryption |
| |
| "RSA key exchange" in TLS involves the client choosing a large random value and encrypting it using the server's |
| public key. This has two overall problems: |
| |
| 1. It provides no _forward secrecy_: later compromise of the server's private key breaks confidentiality of |
| *all* past sessions using that key. This is a crucial property in the presence of software that is often |
| [poor at keeping a secret](http://heartbleed.com/). |
| 2. The padding used in practice in TLS ("PKCS#1", or fully "RSAES-PKCS1-v1_5") has been known to be broken since |
| [1998](http://archiv.infsec.ethz.ch/education/fs08/secsem/bleichenbacher98.pdf). |
| |
| In a similar pattern to the MAC-then-encrypt problem discussed above, TLSv1.0 (1999), TLSv1.1 (2006) and TLSv1.2 (2008) |
| continued to specify use of PKCS#1 encryption, again with incrementally more complex and incorrect advice on countermeasures. |
| |
| [ROBOT](https://robotattack.org/) (2018) showed that implementations were still vulnerable to these attacks twenty years later. |
| |
| rustls does not support RSA key exchange. TLSv1.3 also removed support. |
| |
| ## BEAST |
| |
| [BEAST](https://vnhacker.blogspot.com/2011/09/beast.html) ([CVE-2011-3389](https://nvd.nist.gov/vuln/detail/CVE-2011-3389)) |
| was demonstrated in 2011 by Thai Duong and Juliano Rizzo, |
| and was another vulnerability in CBC-based ciphersuites in SSLv3.0 and TLSv1.0. CBC mode is vulnerable to adaptive |
| chosen-plaintext attacks if the IV is predictable. In the case of these protocol versions, the IV was the previous |
| block of ciphertext (as if the entire TLS session was one CBC ciphertext, albeit revealed incrementally). This was |
| obviously predictable, since it was published on the wire. |
| |
| OpenSSL contained a countermeasure for this problem from 2002 onwards: it encrypts an empty message before each real |
| one, so that the IV used in the real message is unpredictable. This was turned off by default due to bugs in IE6. |
| |
| TLSv1.1 fix this vulnerability, but not any of the other deficiencies of CBC mode (see above). |
| |
| rustls does not support these ciphersuites. |
| |
| ## CRIME |
| |
| In 2002 [John Kelsey](https://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf) discussed the length side channel |
| as applied to compression of combined secret and attacker-chosen strings. |
| |
| Compression continued to be an option in TLSv1.1 (2006) nor in TLSv1.2 (2008). Support in libraries was widespread. |
| |
| [CRIME](http://netifera.com/research/crime/CRIME_ekoparty2012.pdf) ([CVE-2012-4929](https://nvd.nist.gov/vuln/detail/CVE-2012-4929)) |
| was demonstrated in 2012, again by Thai Duong and Juliano Rizzo. It attacked several protocols offering transparent |
| compression of application data, allowing quick adaptive chosen-plaintext attacks against secret values like cookies. |
| |
| rustls does not implement compression. TLSv1.3 also removed support. |
| |
| ## Logjam / FREAK |
| |
| Way back when SSL was first being born, circa 1995, the US government considered cryptography a munition requiring |
| export control. SSL contained specific ciphersuites with dramatically small key sizes that were not subject |
| to export control. These controls were dropped in 2000. |
| |
| Since the "export-grade" ciphersuites no longer fulfilled any purpose, and because they were actively harmful to users, |
| one may have expected software support to disappear quickly. This did not happen. |
| |
| In 2015 [the FREAK attack](https://mitls.org/pages/attacks/SMACK#freak) ([CVE-2015-0204](https://nvd.nist.gov/vuln/detail/CVE-2015-0204)) |
| and [the Logjam attack](https://weakdh.org/) ([CVE-2015-4000](https://nvd.nist.gov/vuln/detail/CVE-2015-4000)) both |
| demonstrated total breaks of security in the presence of servers that accepted export ciphersuites. FREAK factored |
| 512-bit RSA keys, while Logjam optimised solving discrete logs in the 512-bit group used by many different servers. |
| |
| Naturally, rustls does not implement any of these ciphersuites. |
| |
| ## SWEET32 |
| |
| Block ciphers are vulnerable to birthday attacks, where the probability of repeating a block increases dramatically |
| once a particular key has been used for many blocks. For block ciphers with 64-bit blocks, this becomes probable |
| once a given key encrypts the order of 32GB of data. |
| |
| [Sweet32](https://sweet32.info/) ([CVE-2016-2183](https://nvd.nist.gov/vuln/detail/CVE-2016-2183)) attacked this fact |
| in the context of TLS support for 3DES, breaking confidentiality by analysing a large amount of attacker-induced traffic |
| in one session. |
| |
| rustls does not support any 64-bit block ciphers. |
| |
| ## DROWN |
| |
| [DROWN](https://drownattack.com/) ([CVE-2016-0800](https://nvd.nist.gov/vuln/detail/CVE-2016-0800)) is a cross-protocol |
| attack that breaks the security of TLSv1.2 and earlier (when used with RSA key exchange) by using SSLv2. It is required |
| that the server uses the same key for both protocol versions. |
| |
| rustls naturally does not support SSLv2, but most importantly does not support RSA key exchange for TLSv1.2. |
| |
| ## Poodle |
| |
| [POODLE](https://www.openssl.org/~bodo/ssl-poodle.pdf) ([CVE-2014-3566](https://nvd.nist.gov/vuln/detail/CVE-2014-3566)) |
| is an attack against CBC mode ciphersuites in SSLv3. This was possible in most cases because some clients willingly |
| downgraded to SSLv3 after failed handshakes for later versions. |
| |
| rustls does not support CBC mode ciphersuites, or SSLv3. Note that rustls does not need to implement `TLS_FALLBACK_SCSV` |
| introduced as a countermeasure because it contains no ability to downgrade to earlier protocol versions. |
| |
| ## GCM nonces |
| |
| [RFC5288](https://tools.ietf.org/html/rfc5288) introduced GCM-based ciphersuites for use in TLS. Unfortunately |
| the design was poor; it reused design for an unrelated security setting proposed in RFC5116. |
| |
| GCM is a typical nonce-based AEAD: it requires a unique (but not necessarily unpredictable) 96-bit nonce for each encryption |
| with a given key. The design specified by RFC5288 left two-thirds of the nonce construction up to implementations: |
| |
| - wasting 8 bytes per TLS ciphertext, |
| - meaning correct operation cannot be tested for (eg, in protocol-level test vectors). |
| |
| There were no trade-offs here: TLS has a 64-bit sequence number that is not allowed to wrap and would make an ideal nonce. |
| |
| As a result, a [2016 study](https://eprint.iacr.org/2016/475.pdf) found: |
| |
| - implementations from IBM, A10 and Citrix used randomly-chosen nonces, which are unlikely to be unique over long connections, |
| - an implementation from Radware used the same nonce for the first two messages. |
| |
| rustls uses a counter from a random starting point for GCM nonces. TLSv1.3 and the Chacha20-Poly1305 TLSv1.2 ciphersuite |
| standardise this method. |
| |
| ## Renegotiation |
| |
| In 2009 Marsh Ray and Steve Dispensa [discovered](https://kryptera.se/Renegotiating%20TLS.pdf) that the renegotiation |
| feature of all versions of TLS allows a MitM to splice a request of their choice onto the front of the client's real HTTP |
| request. A countermeasure was proposed and widely implemented to bind renegotiations to their previous negotiations; |
| unfortunately this was insufficient. |
| |
| rustls does not support renegotiation in TLSv1.2. TLSv1.3 also no longer supports renegotiation. |
| |
| ## 3SHAKE |
| |
| [3SHAKE](https://www.mitls.org/pages/attacks/3SHAKE) (2014) described a complex attack that broke the "Secure Renegotiation" extension |
| introduced as a countermeasure to the previous protocol flaw. |
| |
| rustls does not support renegotiation for TLSv1.2 connections, or RSA key exchange, and both are required for this attack |
| to work. rustls implements the "Extended Master Secret" (RFC7627) extension for TLSv1.2 which was standardised as a countermeasure. |
| |
| TLSv1.3 no longer supports renegotiation and RSA key exchange. It also effectively incorporates the improvements made in RFC7627. |
| |
| ## KCI |
| |
| [This vulnerability](https://kcitls.org/) makes use of TLS ciphersuites (those offering static DH) which were standardised |
| yet not widely used. However, they were implemented by libraries, and as a result enabled for various clients. It coupled |
| this with misconfigured certificates (on services including facebook.com) which allowed their misuse to MitM connections. |
| |
| rustls does not support static DH/EC-DH ciphersuites. We assert that it is misissuance to sign an EC certificate |
| with the keyUsage extension allowing both signatures and key exchange. That it isn't is probably a failure |
| of CAB Forum baseline requirements. |
| */ |
| </span></code></pre></div> |
| </section></div></main><div id="rustdoc-vars" data-root-path="../../../" data-current-crate="rustls" data-themes="ayu,dark,light" data-resource-suffix="" data-rustdoc-version="1.66.0-nightly (5c8bff74b 2022-10-21)" ></div></body></html> |