Paper 2013/049

Lessons Learned From Previous SSL/TLS Attacks - A Brief Chronology Of Attacks And Weaknesses

Christopher Meyer and Jörg Schwenk

Abstract

Since its introduction in 1994, the Secure Socket Layer (SSL) protocol (later renamed Transport Layer Security (TLS)) has evolved into the de facto standard for securing the transport layer. SSL/TLS can be used to ensure data confidentiality, integrity and authenticity during transport. A main feature of the protocol is its flexibility. Modes of operation and security aims can easily be configured through different cipher suites. During its evolutionary development process several flaws were found. However, the flexible architecture of SSL/TLS allowed efficient fixes to counter the issues. This paper presents an overview of theoretical and practical attacks of the last 15 years, in chronological order and in four categories: attacks on the TLS Handshake protocol, on the TLS Record and Application Data Protocols, on the PKI infrastructure of TLS, and various other attacks. We try to give a short "Lessons Learned" at the end of each paragraph.

Metadata
Available format(s)
PDF
Publication info
Published elsewhere. SSL, TLS, Handshake Protocol, Record Layer, Public Key Infrastructures, Bleichenbacher Attack, Padding Oracles
Contact author(s)
christopher meyer @ rub de
History
2013-02-01: received
Short URL
https://ia.cr/2013/049
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2013/049,
      author = {Christopher Meyer and Jörg Schwenk},
      title = {Lessons Learned From Previous {SSL}/{TLS} Attacks - A Brief Chronology Of Attacks And Weaknesses},
      howpublished = {Cryptology {ePrint} Archive, Paper 2013/049},
      year = {2013},
      url = {https://eprint.iacr.org/2013/049}
}