Password Interception in a SSL/TLS Channel

  • Brice Canvel
  • Alain Hiltgen
  • Serge Vaudenay
  • Martin Vuagnoux
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2729)


Simple password authentication is often used, for example, between an email client and a remote IMAP server. This is frequently done inside a protected point-to-point tunnel such as SSL/TLS.

At Eurocrypt'02, Vaudenay presented vulnerabilities in the padding schemes used for block ciphers in CBC mode. He used a side channel, namely the error information produced by padding verification. This attack was not possible against SSL/TLS because the side channel was unavailable (error messages are encrypted) and because the session is aborted as soon as an error occurs. In this paper we extend the attack and optimize it. We show that it is actually applicable against the latest and most popular implementations of SSL/TLS (at the time this paper was written) for password interception.

We demonstrate that, in a typical setting, the password of an IMAP account can be intercepted in less than an hour when the attacker is not too far from the server.

We conclude that these versions of the SSL/TLS implementations are not secure when used with block ciphers in CBC mode and propose ways to strengthen them. We also propose to update the standard protocol.
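The abstract describes a side channel in CBC padding verification and the fix the authors argue for. The following script is an added illustration, not code from the paper or its authors: it builds a TLS 1.0-style record (MAC, then pad, then CBC encrypt) and contrasts a receiver that reports padding failures and MAC failures differently with one that applies the countermeasure later adopted in TLS 1.1 (treat a bad pad as a zero-length pad, always compute the MAC, and report every failure as the single alert `bad_record_mac`). The block cipher is an assumed toy 64-bit Feistel cipher built from HMAC-SHA256 so the script runs with the standard library only; it stands in for the DES or AES used by real SSL/TLS and is not a secure cipher. Function names (`seal_record`, `open_record_leaky`, `open_record_uniform`, `demo_leak`) are this example's own.

```python
"""Added example (not from the paper): why distinguishable padding and MAC
errors in CBC-mode SSL/TLS records leak information, and the uniform-error
fix.  The cipher is an ASSUMED toy 64-bit Feistel network built from HMAC;
it only makes the script self-contained and is not a real cipher."""
import hashlib
import hmac
import os

BLOCK = 8     # block size of the toy cipher, in bytes
MAC_LEN = 32  # HMAC-SHA256 tag length


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: truncated HMAC keyed with the round index.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out += _xor(block_decrypt(key, c), prev)
        prev = c
    return out


def tls_pad(data: bytes) -> bytes:
    # TLS 1.0 padding: p bytes of value p, then the length byte p itself.
    p = (BLOCK - (len(data) + 1) % BLOCK) % BLOCK
    return data + bytes([p]) * (p + 1)


def seal_record(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    # MAC-then-pad-then-encrypt, as in SSL 3.0 / TLS 1.0 CBC cipher suites.
    iv = os.urandom(BLOCK)
    tag = hmac.new(mac_key, plaintext, hashlib.sha256).digest()
    return iv + cbc_encrypt(enc_key, iv, tls_pad(plaintext + tag))


def open_record_leaky(enc_key: bytes, mac_key: bytes, record: bytes):
    """Pre-fix receiver: a padding failure is reported as its own error
    before the MAC is checked.  The distinct error (and the time saved by
    skipping the MAC) is exactly the side channel the paper exploits."""
    iv, body = record[:BLOCK], record[BLOCK:]
    padded = cbc_decrypt(enc_key, iv, body)
    p = padded[-1]
    if p + 1 > len(padded) or padded[-(p + 1):] != bytes([p]) * (p + 1):
        return "decryption_failed"
    stripped = padded[:-(p + 1)]
    if len(stripped) < MAC_LEN:
        return "bad_record_mac"
    data, tag = stripped[:-MAC_LEN], stripped[-MAC_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, data, hashlib.sha256).digest()):
        return "bad_record_mac"
    return data


def open_record_uniform(enc_key: bytes, mac_key: bytes, record: bytes):
    """Hardened receiver (the TLS 1.1 countermeasure): a bad pad is treated
    like a zero-length pad, the MAC is always computed, and every failure
    maps to the single alert bad_record_mac, so padding validity is not
    observable from the error type or from whether the MAC work was done."""
    iv, body = record[:BLOCK], record[BLOCK:]
    padded = cbc_decrypt(enc_key, iv, body)
    p = padded[-1]
    pad_ok = (p + 1 + MAC_LEN <= len(padded)
              and padded[-(p + 1):] == bytes([p]) * (p + 1))
    strip = p + 1 if pad_ok else 0          # pretend the pad is empty on failure
    end = len(padded) - strip
    data, tag = padded[:end - MAC_LEN], padded[end - MAC_LEN:end]
    mac_ok = hmac.compare_digest(tag, hmac.new(mac_key, data, hashlib.sha256).digest())
    return data if (pad_ok and mac_ok) else "bad_record_mac"


def demo_leak(enc_key: bytes, mac_key: bytes, plaintext: bytes):
    """Corrupt the byte that feeds the pad-length byte and show that only the
    leaky receiver reveals, through its error, that the padding broke."""
    rec = bytearray(seal_record(enc_key, mac_key, plaintext))
    rec[-(BLOCK + 1)] ^= 0x80   # flips the last plaintext byte (pad length)
    return (open_record_leaky(enc_key, mac_key, bytes(rec)),
            open_record_uniform(enc_key, mac_key, bytes(rec)))


if __name__ == "__main__":
    ek, mk = os.urandom(16), os.urandom(16)
    msg = b"A001 LOGIN alice pw"          # constructed sample IMAP command
    assert open_record_uniform(ek, mk, seal_record(ek, mk, msg)) == msg
    print(demo_leak(ek, mk, msg))       # ('decryption_failed', 'bad_record_mac')
```

Uniform error reporting removes the error-type channel; the paper's point is that in SSL/TLS even the timing difference between the two failure paths is enough, which is why the hardened receiver also always performs the MAC computation. In a real implementation the MAC must additionally be computed over a length that does not depend on the pad, which this toy does not attempt.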




References

  1. ISO/IEC 10116, Information Processing — Modes of Operation for an n-bit Block Cipher Algorithm. International Organization for Standardization, Geneva, Switzerland (1991)
  2. Wireless Transport Layer Security. Wireless Application Protocol WAP-261-WTLS-20010406-a. Wireless Application Protocol Forum (2001)
  3. FIPS 46-3, Data Encryption Standard (DES). U.S. Department of Commerce — National Institute of Standards and Technology. Federal Information Processing Standard Publication 46-3 (1999)
  4. FIPS 81, DES Modes of Operation. U.S. Department of Commerce — National Bureau of Standards, National Technical Information Service, Springfield, Virginia. Federal Information Processing Standards 81 (1980)
  5. English Word List. Elcomsoft Co. Ltd
  6. Black, J., Urtubia, H.: Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption. In: Proceedings of the 11th USENIX Security Symposium, San Francisco, California, USA, USENIX (2002)
  7. Brumley, D., Boneh, D.: Remote Timing Attacks are Practical. To appear in Proceedings of the 12th USENIX Security Symposium, USENIX (2003)
  8. Crispin, M.: Internet Message Access Protocol - Version 4. RFC 1730, standards track, University of Washington (1994)
  9. Dierks, T., Allen, C.: The TLS Protocol Version 1.0. RFC 2246, standards track, the Internet Society (1999)
  10. Franks, J., Hallam-Baker, P., Hostetler, J., Lawrence, S., Leach, P., Luotonen, A., Stewart, L.: HTTP Authentication: Basic and Digest Access Authentication. Internet standard. RFC 2617, the Internet Society (1999)
  11. Junod, P.: On the Optimality of Linear, Differential and Sequential Distinguishers. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 17–32. Springer, Heidelberg (2003)
  12. Kocher, P.: Timing Attacks on Implementations of Diffie-Hellman, RSA, DSS, and other Systems. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 104–113. Springer, Heidelberg (1996)
  13. Möller, B.: Security of CBC Ciphersuites in SSL/TLS: Problems and Countermeasures (2002)
  14. Newman, C.: Using TLS with IMAP, POP3 and ACAP. RFC 2595, standards track, the Internet Society (1999)
  15. Siegmund, D.: Sequential Analysis — Tests and Confidence Intervals. Springer, Heidelberg (1985)
  16. Ricca, M.: The Denver Project - A Combination of ARP and DNS Spoofing. Ecole Polytechnique Fédérale de Lausanne, LASEC, Semester Project (2002)
  17. Vaudenay, S.: Security Flaws Induced by CBC Padding — Applications to SSL, IPSEC, WTLS. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 534–545. Springer, Heidelberg (2002)
  18. Vuagnoux, M.: CBC PAD Attack against IMAP over TLS. Ecole Polytechnique Fédérale de Lausanne, LASEC, Semester Project (2003)

Copyright information

© Springer-Verlag Berlin Heidelberg 2003

Authors and Affiliations

  • Brice Canvel (1)
  • Alain Hiltgen (2)
  • Serge Vaudenay (1)
  • Martin Vuagnoux (3)

  1. Swiss Federal Institute of Technology (EPFL) — LASEC
  2. UBS AG
  3. EPFL — SSC, and Ilion
