Before the third handshake, server Alice has to require a session renegotiation, including client authentication, on its connection with Mallory, possibly in response to Mallory’s request for some restricted resource. [...]
20.8 Triple Handshake attack In the Triple Handshake attack [29], an attacker posing as a man-in-the-middle causes two separate TLS connections, namely one from client Bob to attacker Mallory and [...]
21.1 Lucky 13 In 2013, Nadhem AlFardan and Kenneth Paterson, two researchers from the Information Security Group at Royal Holloway, University of London, published a new attack that can recover [...]
21.1.2 The timing signal You may be wondering where the timing signal originates from in the encryption process illustrated in Figure 21.1. That source, it turns out, is the HMAC [...]
21.2 POODLE POODLE stands for Padding Oracle On Downgraded Legacy Encryption and was discovered in 2014 by Möller, Duong, and Kotowicz [122]. The name shows that the attack combines two [...]
21.3 BEAST Browser Exploit Against SSL/TLS (BEAST) [55] is an attack on the CBC-based encryption of the record layer in SSL 3.0 and TLS 1.0. It is not a padding [...]
21.4 Sweet32 SWEET32 [30] is a generic attack against block ciphers with a block size of 64 bits in CBC mode, such as DES or 3DES. However, it has special [...]
21.5.1 Lossless compression algorithms In a lossless compression algorithm, the input data is encoded in such a way that its length is decreased. After decoding, however, all of the input [...]
21.5.2 The compression side channel Back in 2002, John Kelsey, a cryptographer working for Certicom at that time, published a paper [98] describing how lossless data compression, when used in [...]
21.5.3 Brief history of compression in TLS Both TLS version 1.0 released in 1999 [47] and TLS version 1.1 released in 2006 [48] specify compression for TLS records. One of [...]