Reference Guide
6 SSL/TLS Communications
RSA BSAFE SSL-J 6.2.6 Security Best Practices Guide
Poodle Attack
In October 2014, the POODLE (Padding Oracle On Downgraded Legacy Encryption)
attack was announced.
TLS clients are designed to communicate with TLS servers that support different
versions of the TLS protocol, including SSLv3, TLS 1.0, TLS 1.1, and TLS 1.2. In
some cases, a client first sends its request at a higher protocol version and, if the
server does not support it, retries at successively lower protocol versions until the
server eventually accepts the connection.
A Man-in-the-Middle attack can occur where an attacker blocks all communication
attempts by the client until it specifies SSLv3 as its supported protocol. SSLv3 has
known security vulnerabilities related to the RC4 stream cipher and block ciphers in
CBC mode.
RC4 is well known to have weaknesses in its keystream, which could be leveraged to
discover a secret, such as a password or HTTP cookie, when sent repeatedly across a
TLS encrypted connection.
Block ciphers in CBC mode require padding: random padding bytes, followed by a byte
holding the length of the padding minus one, are placed after the plaintext and the
MAC before encryption to bring the data up to a full block length. If the padding
length is greater than the block length, an attacker can replace the last block of
ciphertext with a previous block. The substituted ciphertext is accepted if decrypting
the replacement block and XORing it with the preceding ciphertext block yields, as its
last byte, the padding length minus one. Attempting this over many connections, the
condition eventually holds, and the last byte of the plaintext can then be determined.
An attacker can leverage this by modifying application data, such as the path in an
HTTP header, so that the last byte of a secret falls on a block boundary. That encrypted
block is then copied over the last encrypted block. Over many connections the last byte
will eventually match the padding length and can then be calculated. The attacker then
modifies the application data so that the next byte of the secret becomes the last byte
of the block and repeats the process. In this way, every byte of the secret can be
determined.
Because SSLv3 offers no ciphers other than RC4 and block ciphers in CBC mode, SSLv3 is
not secure.
For more information about the POODLE attack, see CVE-2014-3566.
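The root of the CBC problem described above is the padding check that the SSLv3 specification itself mandates: only the final byte of a decrypted record is examined, so a substituted block is accepted whenever that one byte happens to match. TLS 1.0 and later require every padding byte to carry the padding-length value, which closes the oracle. The following model of the two receiver-side checks is an added illustration, not SSL-J code; it covers only the padding validation step (no cipher, no MAC), and the 16-byte block size is an assumption chosen to match AES.

```python
"""Model of the SSLv3 padding check versus the TLS 1.0+ padding check.

Constructed illustration: it models only the padding validation a receiver
performs after decryption, not the cipher or the MAC.
"""
import os

BLOCK_SIZE = 16  # AES block length in bytes (assumption for this model)


def sslv3_padding_ok(last_block: bytes, expected_pad_len: int) -> bool:
    """SSLv3 rule: accept if the final byte equals the padding length the
    receiver is about to strip; the padding bytes themselves are unchecked."""
    return last_block[-1] == expected_pad_len


def tls_padding_ok(last_block: bytes, expected_pad_len: int) -> bool:
    """TLS 1.0+ rule: the final byte gives the padding length, and every
    padding byte must carry that same value."""
    pad_len = last_block[-1]
    if pad_len != expected_pad_len or pad_len + 1 > len(last_block):
        return False
    padding = last_block[-(pad_len + 1):]
    return all(b == pad_len for b in padding)


def acceptance_rate(check, trials: int, pad_len: int = BLOCK_SIZE - 1) -> float:
    """Fraction of random 'decrypted' last blocks that a check accepts.

    A ciphertext block copied from elsewhere in the stream decrypts to
    bytes that look random to the receiver, so this is what the receiver
    sees when a full-block padding is replaced by a foreign block. Under the
    SSLv3 rule about 1 in 256 substitutions is accepted; under the TLS rule
    essentially none are.
    """
    accepted = sum(check(os.urandom(BLOCK_SIZE), pad_len) for _ in range(trials))
    return accepted / trials


if __name__ == "__main__":
    print("SSLv3 check accepts:", acceptance_rate(sslv3_padding_ok, 200_000))
    print("TLS   check accepts:", acceptance_rate(tls_padding_ok, 200_000))
```

The contrast is the reason the guidance is to disable SSLv3 outright rather than to patch an implementation: a conforming SSLv3 receiver must behave like `sslv3_padding_ok`, so any SSLv3 CBC connection carries the oracle.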
How to Help Prevent the Attack
The best way to help prevent the POODLE attack is to disable SSLv3 in TLS clients
and servers.
SSL-J Prevention for the POODLE Attack
If SSL-J is used in FIPS 140 or Suite B mode, SSLv3 cannot be enabled and no further
action is required.
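For a stack outside FIPS 140 or Suite B mode, the recommendation above has to be applied in configuration. The following is an added example written against Python's standard `ssl` module rather than the SSL-J API; it shows the shape of the fix on any TLS stack: pin a protocol floor above SSLv3 on the client and the server so that a fallback sequence can never land on it, and keep an audit helper that confirms the floor is in place. The `TLSv1_2` floor is an assumption chosen for this example.

```python
"""Hardened TLS contexts that cannot negotiate SSLv3 (added example using
Python's standard ssl module, not the SSL-J API)."""
import ssl

# Assumed floor for this example: nothing older than TLS 1.2 is offered.
PROTOCOL_FLOOR = ssl.TLSVersion.TLSv1_2


def hardened_context(server: bool = False) -> ssl.SSLContext:
    """Return a context whose version floor rules out SSLv3 (and TLS 1.0/1.1).

    PROTOCOL_TLS_CLIENT also turns on certificate verification and hostname
    checking; PROTOCOL_TLS_SERVER is the server-side equivalent. Setting
    minimum_version means a downgrade-driven retry can never reach SSLv3,
    whichever side of the connection this context is used on.
    """
    purpose = ssl.PROTOCOL_TLS_SERVER if server else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(purpose)
    ctx.minimum_version = PROTOCOL_FLOOR
    # The legacy per-version flag is kept as a second, independent guard.
    ctx.options |= ssl.OP_NO_SSLv3
    return ctx


def sslv3_excluded(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True only if both the version floor and the legacy
    OP_NO_SSLv3 flag rule SSLv3 out of the negotiation."""
    floor_ok = ctx.minimum_version > ssl.TLSVersion.SSLv3
    flag_ok = bool(ctx.options & ssl.OP_NO_SSLv3)
    return floor_ok and flag_ok


def minimum_version_name(ctx: ssl.SSLContext) -> str:
    """Name of the configured protocol floor, for logging or config review."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    for side in (False, True):
        ctx = hardened_context(server=side)
        print("server" if side else "client",
              minimum_version_name(ctx), "SSLv3 excluded:", sslv3_excluded(ctx))
```

Checking `minimum_version` rather than only the `OP_NO_*` flags matters because the flags are the older mechanism and a context whose floor is left at `MINIMUM_SUPPORTED` would fail the audit even if a flag happened to be set.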