oss-sec mailing list archives

Re: Truly scary SSL 3.0 vuln to be revealed soon:

From: "Ben Lincoln (0E1C7DBB - OSS)" <0E1C7DBB () beneaththewaves net>
Date: Wed, 15 Oct 2014 04:34:16 -0700

On 2014-10-15 02:13, Pierre Schweitzer wrote:

I've a naive question regarding the vulnerability, actually.

It says you can recover plain text of ciphered text, using a specific
method.
But, in the end it means you'll have plain text + ciphered text of the
same text. Does that mean you can easily bruteforce the key that was
used? So that you can actually, if you logged the complete session,
decipher the whole session of the user? And not only the cookie?
Or breaking the key would be too complex yet?


Hi Pierre.

For modern block ciphers (e.g. AES, or even 3DES), known-plaintextattacks still generally require the entire keyspace to be brute-forced,which is not practical using the technology available today.

Think about the Adobe credential breach. There are many thousands ofknown plaintext + ciphertext pairs there (the same 3DES key was used toencrypt all of the passwords, and the passwords for many users were ableto be recovered based on a combination of ECB-mode encryption +plaintext password hints), but the actual key was never recovered evenwith all of that data to work with.


- Ben

Current thread:

Re: SSL POODLE (Truly scary SSL 3.0 vuln), (continued)
- - - Re: SSL POODLE (Truly scary SSL 3.0 vuln) gremlin (Oct 14)
    - Re: SSL POODLE (Truly scary SSL 3.0 vuln) Krassimir Tzvetanov (Oct 14)
    - Re: SSL POODLE Florian Weimer (Oct 15)
    - Re: SSL POODLE Hanno Böck (Oct 15)
    - Re: Truly scary SSL 3.0 vuln to be revealed soon: Reed Loden (Oct 14)
    - RE: Truly scary SSL 3.0 vuln to be revealed soon: Sona Sarmadi (Oct 15)
    - Re: Truly scary SSL 3.0 vuln to be revealed soon: Pierre Schweitzer (Oct 14)
    - Re: Truly scary SSL 3.0 vuln to be revealed soon: mancha (Oct 14)
    - Re: Truly scary SSL 3.0 vuln to be revealed soon: Krassimir Tzvetanov (Oct 14)
  - Re: Truly scary SSL 3.0 vuln to be revealed soon: Pierre Schweitzer (Oct 15)
    - Re: Truly scary SSL 3.0 vuln to be revealed soon: Ben Lincoln (0E1C7DBB - OSS) (Oct 15)
    - Re: Truly scary SSL 3.0 vuln to be revealed soon: Hanno Böck (Oct 15)
  - Re: Truly scary SSL 3.0 vuln to be revealed soon: ishish (Oct 16)
    - RE: Truly scary SSL 3.0 vuln to be revealed soon: Sona Sarmadi (Oct 16)
    - Re: Truly scary SSL 3.0 vuln to be revealed soon: Daniel Kahn Gillmor (Oct 17)
    - neuter the poodle (was: Re: Truly scary SSL 3.0 vuln to be revealed soon:) mancha (Oct 17)
    - Re: neuter the poodle (was: Re: Truly scary SSL 3.0 vuln to be revealed soon:) Nikos Mavrogiannopoulos (Oct 18)
    - Re: Re: neuter the poodle mancha (Oct 18)
    - Re: Re: neuter the poodle Nikos Mavrogiannopoulos (Oct 18)
    - Re: Truly scary SSL 3.0 vuln to be revealed soon: Mark Felder (Oct 17)