Opened 15 years ago

Closed 15 years ago

#5 closed clarification (fixed)

Remove decryption_failed alert

Reported by: pasi.eronen@…
Owned by:
Priority: major
Milestone: milestone1
Component: draft-ietf-tls-rfc4346-bis
Version: 02
Severity:
Keywords:


The document allows compliant implementations of TLS 1.2 to 
send the decryption_failed alert. The inclusion of this alert 
has known security flaws [CBCATT]. We recommend that compliant 
implementations of TLS 1.2 MUST NOT generate this alert but 
SHOULD be able to parse such an alert.

Proposed edits:

Section 7.2, list of alerts:

Section 7.2:
   This alert MAY be returned if a TLSCiphertext decrypted in an
   invalid way: either it wasn't an even multiple of the block
   length, or its padding values, when checked, weren't correct.
   This message is always fatal.

   Note: Differentiating between bad_record_mac and
   decryption_failed alerts may permit certain attacks against CBC
   mode as used in TLS [CBCATT]. It is preferable to uniformly use
   the bad_record_mac alert to hide the specific type of the error.
   This alert was used in some earlier versions of TLS, and
   may have permitted certain attacks against the CBC mode
   [CBCATT].  It MUST NOT be sent by compliant implementations.
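
The receiver behaviour this ticket asks for, as an added Python example that is not part of the ticket or the draft: length, padding and MAC failures on a CBC record all raise bad_record_mac (20), while decryption_failed (21) is still recognised when a peer sends it. Assumptions: the function names are hypothetical, the suite is AES-CBC with HMAC-SHA256, and `decrypted` is the record body after CBC decryption with the IV already removed.

```python
import hashlib, hmac, struct

BAD_RECORD_MAC = 20       # the only alert sent for any failure below
DECRYPTION_FAILED = 21    # never generated; still recognised when a peer sends it
BLOCK, MAC_LEN = 16, 32   # assumed suite: AES-CBC with HMAC-SHA256

class TLSAlert(Exception):
    def __init__(self, description):
        super().__init__(description)
        self.description = description

def record_mac(key, seq, fragment, ctype=23, version=0x0303):
    # MAC over seq_num || type || version || length || fragment
    header = struct.pack("!QBHH", seq, ctype, version, len(fragment))
    return hmac.new(key, header + fragment, hashlib.sha256).digest()

def build_plaintext(key, seq, fragment):
    # Constructed sample input: content || MAC || padding, before CBC encryption
    body = fragment + record_mac(key, seq, fragment)
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([pad_len]) * (pad_len + 1)

def open_record(key, seq, decrypted):
    # Length failure: same alert as every other failure
    if len(decrypted) % BLOCK or len(decrypted) < MAC_LEN + 1:
        raise TLSAlert(BAD_RECORD_MAC)
    pad_len = decrypted[-1]
    pad_ok = (pad_len + 1 + MAC_LEN <= len(decrypted)
              and decrypted[-(pad_len + 1):] == bytes([pad_len]) * (pad_len + 1))
    if not pad_ok:
        pad_len = 0  # RFC 5246 6.2.3.2: assume a zero-length pad, still check the MAC
    body = decrypted[:len(decrypted) - pad_len - 1]
    fragment, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    mac_ok = hmac.compare_digest(mac, record_mac(key, seq, fragment))
    if not (pad_ok and mac_ok):
        raise TLSAlert(BAD_RECORD_MAC)  # padding and MAC errors are indistinguishable
    return fragment

def alert_for(key, seq, decrypted):
    # Returns the alert description a receiver would send, or None on success
    try:
        open_record(key, seq, decrypted)
        return None
    except TLSAlert as alert:
        return alert.description

def peer_alert_name(description):
    # Receiving side: parse decryption_failed from older peers instead of rejecting it
    return {BAD_RECORD_MAC: "bad_record_mac",
            DECRYPTION_FAILED: "decryption_failed"}.get(description, "unknown")
```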

Change History (2)

comment:1 Changed 15 years ago by pasi.eronen@…

  • Milestone set to milestone1

comment:2 Changed 15 years ago by ekr@…

  • Resolution set to fixed
  • Status changed from new to closed