Re: What does SSL/TLS do if it can't verify a MAC?

From: Bodo Moeller (moeller_at_cdc.informatik.tu-darmstadt.de)
Date: 05/20/03


Date: Tue, 20 May 2003 09:51:19 +0000 (UTC)

Panu Hämäläinen <panu.hamalainen@NOSPAM.tut.fi.invalid>:
> "Bodo Moeller" <moeller@cdc.informatik.tu-darmstadt.de>:

>> SSL/TLS are not packet-level protocols; they usually run on top of TCP.
>> So a third party can easily implement a denial-of-service attack
>> anyway by sending a TCP FIN or RST.

> I'm not very familiar with SSL/TLS. The FIN and RST packets do not contain a
> MAC that is checked before taking an action? Only the TCP data packets are
> forwarded to the SSL/TLS layer?

FIN and RST happen at the TCP layer. An active attacker can cause the
TCP implementation to close or abort the connection without giving the
SSL/TLS implementation a chance to veto. What SSL/TLS uses is a
bidirectional octet stream as provided by TCP; SSL/TLS does not know
about the IP packets used by TCP to create the connection.

-- 
Bodo Möller <moeller@cdc.informatik.tu-darmstadt.de>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
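As an added illustration (not part of the original post, and not real TLS code), here is a constructed Python model of the layering Bodo describes: the record MAC lets the receiver reject a modified record, but a transport-level close arriving underneath it (a FIN or RST, modelled as `None` in the stream) carries no MAC, and all the record layer can do is notice that no authenticated close_notify alert preceded it. The key, the simplified record format and the scenario names are assumptions for the demo.

```python
import hmac
import hashlib
import struct

# Constructed demo (not real TLS): a record layer whose MAC covers record
# contents, running over a transport that can end without warning.
KEY = b"constructed-demo-mac-key"   # assumed shared MAC key
APPLICATION_DATA, ALERT = 23, 21     # TLS content type values
CLOSE_NOTIFY = b"\x01\x00"           # alert level warning(1), description close_notify(0)

def seal(seq, ctype, payload):
    """Build one record: header || payload || HMAC over seq, header and payload."""
    header = struct.pack("!BH", ctype, len(payload))
    tag = hmac.new(KEY, struct.pack("!Q", seq) + header + payload, hashlib.sha256).digest()
    return header + payload + tag

def open_record(seq, record):
    """Return (ctype, payload), or None if the MAC does not verify."""
    ctype, length = struct.unpack("!BH", record[:3])
    payload, tag = record[3:3 + length], record[3 + length:]
    expected = hmac.new(KEY, struct.pack("!Q", seq) + record[:3 + length], hashlib.sha256).digest()
    return (ctype, payload) if hmac.compare_digest(tag, expected) else None

def receive(stream):
    """Consume records until the transport ends. `stream` is a list of records;
    None stands for TCP EOF/RST, which the record layer sees only as 'no more bytes'."""
    data = b""
    for seq, item in enumerate(stream):
        if item is None:
            # Transport closed underneath us with no authenticated close_notify:
            # the record layer cannot veto it, only report the truncation.
            return "truncated", data
        opened = open_record(seq, item)
        if opened is None:
            return "bad_record_mac", data   # a fatal alert in real TLS
        ctype, payload = opened
        if ctype == ALERT and payload == CLOSE_NOTIFY:
            return "clean_close", data
        data += payload
    return "truncated", data

def scenario_tampered():
    rec = seal(0, APPLICATION_DATA, b"GET / HTTP/1.0\r\n")
    flipped = rec[:3] + bytes([rec[3] ^ 0x01]) + rec[4:]   # one payload byte altered in transit
    return receive([flipped])[0]

def scenario_clean_close():
    return receive([seal(0, APPLICATION_DATA, b"hello"), seal(1, ALERT, CLOSE_NOTIFY)])

def scenario_transport_reset():
    return receive([seal(0, APPLICATION_DATA, b"hello"), None])
```

The modified record is rejected by the MAC check, the authenticated close_notify yields a clean close, and the bare transport close is reported as a truncation with the data received so far.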

