third_party/rust_crates/vendor/rustls/src/manual/tlsvulns.rs - fuchsia - Git at Google

 /*! # A review of protocol vulnerabilities

 ## CBC MAC-then-encrypt ciphersuites

 Back in 2000 [Bellare and Namprempre](https://eprint.iacr.org/2000/025) discussed how to make authenticated
 encryption by composing separate encryption and authentication primitives.  That paper included this table:

 | Composition Method | Privacy || Integrity ||
 |--------------------|---------||-----------||
 || IND-CPA | IND-CCA | NM-CPA | INT-PTXT | INT-CTXT |
 | Encrypt-and-MAC | insecure | insecure | insecure | secure | insecure |
 | MAC-then-encrypt | secure | insecure | insecure | secure | insecure |
 | Encrypt-then-MAC | secure | secure | secure | secure | secure |

 One may assume from this fairly clear result that encrypt-and-MAC and MAC-then-encrypt compositions would be quickly abandoned
 in favour of the remaining proven-secure option.  But that didn't happen, not in TLSv1.1 (2006) nor in TLSv1.2 (2008).  Worse,
 both RFCs included incorrect advice on countermeasures for implementers, suggesting that the flaw was "not believed to be large
 enough to be exploitable".

 [Lucky 13](http://www.isg.rhul.ac.uk/tls/Lucky13.html) (2013) exploited this flaw and affected all implementations, including
 those written [after discovery](https://aws.amazon.com/blogs/security/s2n-and-lucky-13/). OpenSSL even had a
 [memory safety vulnerability in the fix for Lucky 13](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2107), which
 gives a flavour of the kind of complexity required to remove the side channel.

 rustls does not implement CBC MAC-then-encrypt ciphersuites for these reasons.  TLSv1.3 removed support for these
 ciphersuites in 2018.

 There are some further rejected options worth mentioning: [RFC7366](https://tools.ietf.org/html/rfc7366) defines
 Encrypt-then-MAC for TLS, but unfortunately cannot be negotiated without also supporting MAC-then-encrypt
 (clients cannot express "I offer CBC, but only EtM and not MtE").

 ## RSA PKCS#1 encryption

 "RSA key exchange" in TLS involves the client choosing a large random value and encrypting it using the server's
 public key.  This has two overall problems:

 1. It provides no _forward secrecy_: later compromise of the server's private key breaks confidentiality of
    *all* past sessions using that key.  This is a crucial property in the presence of software that is often
    [poor at keeping a secret](http://heartbleed.com/).
 2. The padding used in practice in TLS ("PKCS#1", or fully "RSAES-PKCS1-v1_5") has been known to be broken since
    [1998](http://archiv.infsec.ethz.ch/education/fs08/secsem/bleichenbacher98.pdf).

 In a similar pattern to the MAC-then-encrypt problem discussed above, TLSv1.0 (1999), TLSv1.1 (2006) and TLSv1.2 (2008)
 continued to specify use of PKCS#1 encryption, again with incrementally more complex and incorrect advice on countermeasures.

 [ROBOT](https://robotattack.org/) (2018) showed that implementations were still vulnerable to these attacks twenty years later.

 rustls does not support RSA key exchange.  TLSv1.3 also removed support.

 ## BEAST

 [BEAST](https://vnhacker.blogspot.com/2011/09/beast.html) ([CVE-2011-3389](https://nvd.nist.gov/vuln/detail/CVE-2011-3389))
 was demonstrated in 2011 by Thai Duong and Juliano Rizzo,
 and was another vulnerability in CBC-based ciphersuites in SSLv3.0 and TLSv1.0.  CBC mode is vulnerable to adaptive
 chosen-plaintext attacks if the IV is predictable.  In the case of these protocol versions, the IV was the previous
 block of ciphertext (as if the entire TLS session was one CBC ciphertext, albeit revealed incrementally).  This was
 obviously predictable, since it was published on the wire.

 OpenSSL contained a countermeasure for this problem from 2002 onwards: it encrypts an empty message before each real
 one, so that the IV used in the real message is unpredictable.  This was turned off by default due to bugs in IE6.

 TLSv1.1 fix this vulnerability, but not any of the other deficiencies of CBC mode (see above).

 rustls does not support these ciphersuites.

 ## CRIME

 In 2002 [John Kelsey](https://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf) discussed the length side channel
 as applied to compression of combined secret and attacker-chosen strings.

 Compression continued to be an option in TLSv1.1 (2006) nor in TLSv1.2 (2008).  Support in libraries was widespread.

 [CRIME](http://netifera.com/research/crime/CRIME_ekoparty2012.pdf) ([CVE-2012-4929](https://nvd.nist.gov/vuln/detail/CVE-2012-4929))
 was demonstrated in 2012, again by Thai Duong and Juliano Rizzo.  It attacked several protocols offering transparent
 compression of application data, allowing quick adaptive chosen-plaintext attacks against secret values like cookies.

 rustls does not implement compression.  TLSv1.3 also removed support.

 ## Logjam / FREAK

 Way back when SSL was first being born, circa 1995, the US government considered cryptography a munition requiring
 export control.  SSL contained specific ciphersuites with dramatically small key sizes that were not subject
 to export control.  These controls were dropped in 2000.

 Since the "export-grade" ciphersuites no longer fulfilled any purpose, and because they were actively harmful to users,
 one may have expected software support to disappear quickly. This did not happen.

 In 2015 [the FREAK attack](https://mitls.org/pages/attacks/SMACK#freak) ([CVE-2015-0204](https://nvd.nist.gov/vuln/detail/CVE-2015-0204))
 and [the Logjam attack](https://weakdh.org/) ([CVE-2015-4000](https://nvd.nist.gov/vuln/detail/CVE-2015-4000)) both
 demonstrated total breaks of security in the presence of servers that accepted export ciphersuites.  FREAK factored
 512-bit RSA keys, while Logjam optimised solving discrete logs in the 512-bit group used by many different servers.

 Naturally, rustls does not implement any of these ciphersuites.

 ## SWEET32

 Block ciphers are vulnerable to birthday attacks, where the probability of repeating a block increases dramatically
 once a particular key has been used for many blocks.  For block ciphers with 64-bit blocks, this becomes probable
 once a given key encrypts the order of 32GB of data.

 [Sweet32](https://sweet32.info/) ([CVE-2016-2183](https://nvd.nist.gov/vuln/detail/CVE-2016-2183)) attacked this fact
 in the context of TLS support for 3DES, breaking confidentiality by analysing a large amount of attacker-induced traffic
 in one session.

 rustls does not support any 64-bit block ciphers.

 ## DROWN

 [DROWN](https://drownattack.com/) ([CVE-2016-0800](https://nvd.nist.gov/vuln/detail/CVE-2016-0800)) is a cross-protocol
 attack that breaks the security of TLSv1.2 and earlier (when used with RSA key exchange) by using SSLv2.  It is required
 that the server uses the same key for both protocol versions.

 rustls naturally does not support SSLv2, but most importantly does not support RSA key exchange for TLSv1.2.

 ## Poodle

 [POODLE](https://www.openssl.org/~bodo/ssl-poodle.pdf) ([CVE-2014-3566](https://nvd.nist.gov/vuln/detail/CVE-2014-3566))
 is an attack against CBC mode ciphersuites in SSLv3.  This was possible in most cases because some clients willingly
 downgraded to SSLv3 after failed handshakes are later versions.

 rustls does not support CBC mode ciphersuites, or SSLv3.  Note that rustls does not need to implement `TLS_FALLBACK_SCSV`
 introduced as a countermeasure because it contains no ability to downgrade to earlier protocol versions.

 ## GCM nonces

 [RFC5288](https://tools.ietf.org/html/rfc5288) introduced GCM-based ciphersuites for use in TLS.  Unfortunately
 the design was poor; it reused design for an unrelated security setting proposed in RFC5116.

 GCM is a typical nonce-based AEAD: it requires a unique (but not necessarily unpredictable) 96-bit nonce for each encryption
 with a given key.  The design specified by RFC5288 left two-thirds of the nonce construction up to implementations:

 - wasting 8 bytes per TLS ciphertext,
 - meaning correct operation cannot be tested for (eg, in protocol-level test vectors).

 There were no trade-offs here: TLS has a 64-bit sequence number that is not allowed to wrap and would make an ideal nonce.

 As a result, a [2016 study](https://eprint.iacr.org/2016/475.pdf) found:

 - implementations from IBM, A10 and Citrix used randomly-chosen nonces, which are unlikely to be unique over long connections,
 - an implementation from Radware used the same nonce for the first two messages.

 rustls uses a counter from a random starting point for GCM nonces.  TLSv1.3 and the Chacha20-Poly1305 TLSv1.2 ciphersuite
 standardise this method.

 ## Renegotiation

 In 2009 Marsh Ray and Steve Dispensa [discovered](https://kryptera.se/Renegotiating%20TLS.pdf) that the renegotiation
 feature of all versions of TLS allows a MitM to splice a request of their choice onto the front of the client's real HTTP
 request.  A countermeasure was proposed and widely implemented to bind renegotiations to their previous negotiations;
 unfortunately this was insufficient.

 rustls does not support renegotiation in TLSv1.2.  TLSv1.3 also no longer supports renegotiation.

 ## 3SHAKE

 [3SHAKE](https://www.mitls.org/pages/attacks/3SHAKE) (2014) described a complex attack that broke the "Secure Renegotiation" extension
 introduced as a countermeasure to the previous protocol flaw.

 rustls does not support renegotiation for TLSv1.2 connections, or RSA key exchange, and both are required for this attack
 to work.  rustls implements the "Extended Master Secret" (RFC7627) extension for TLSv1.2 which was standardised as a countermeasure.

 TLSv1.3 no longer supports renegotiation and RSA key exchange.  It also effectively incorporates the improvements made in RFC7627.

 ## KCI

 [This vulnerability](https://kcitls.org/) makes use of TLS ciphersuites (those offering static DH) which were standardised
 yet not widely used. However, they were implemented by libraries, and as a result enabled for various clients.  It coupled
 this with misconfigured certificates (on services including facebook.com) which allowed their misuse to MitM connections.

 rustls does not support static DH/EC-DH ciphersuites.  We assert that it is misissuance to sign an EC certificate
 with the keyUsage extension allowing both signatures and key exchange.  That it isn't is probably a failure
 of CAB Forum baseline requirements.
 */
	/*! # A review of protocol vulnerabilities

	## CBC MAC-then-encrypt ciphersuites

	Back in 2000 [Bellare and Namprempre](https://eprint.iacr.org/2000/025) discussed how to make authenticated
	encryption by composing separate encryption and authentication primitives. That paper included this table:

	\| Composition Method \| Privacy \|\| Integrity \|\|
	\|--------------------\|---------\|\|-----------\|\|
	\|\| IND-CPA \| IND-CCA \| NM-CPA \| INT-PTXT \| INT-CTXT \|
	\| Encrypt-and-MAC \| insecure \| insecure \| insecure \| secure \| insecure \|
	\| MAC-then-encrypt \| secure \| insecure \| insecure \| secure \| insecure \|
	\| Encrypt-then-MAC \| secure \| secure \| secure \| secure \| secure \|

	One may assume from this fairly clear result that encrypt-and-MAC and MAC-then-encrypt compositions would be quickly abandoned
	in favour of the remaining proven-secure option. But that didn't happen, not in TLSv1.1 (2006) nor in TLSv1.2 (2008). Worse,
	both RFCs included incorrect advice on countermeasures for implementers, suggesting that the flaw was "not believed to be large
	enough to be exploitable".

	[Lucky 13](http://www.isg.rhul.ac.uk/tls/Lucky13.html) (2013) exploited this flaw and affected all implementations, including
	those written [after discovery](https://aws.amazon.com/blogs/security/s2n-and-lucky-13/). OpenSSL even had a
	[memory safety vulnerability in the fix for Lucky 13](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2107), which
	gives a flavour of the kind of complexity required to remove the side channel.

	rustls does not implement CBC MAC-then-encrypt ciphersuites for these reasons. TLSv1.3 removed support for these
	ciphersuites in 2018.

	There are some further rejected options worth mentioning: [RFC7366](https://tools.ietf.org/html/rfc7366) defines
	Encrypt-then-MAC for TLS, but unfortunately cannot be negotiated without also supporting MAC-then-encrypt
	(clients cannot express "I offer CBC, but only EtM and not MtE").

	## RSA PKCS#1 encryption

	"RSA key exchange" in TLS involves the client choosing a large random value and encrypting it using the server's
	public key. This has two overall problems:

	1. It provides no _forward secrecy_: later compromise of the server's private key breaks confidentiality of
	all past sessions using that key. This is a crucial property in the presence of software that is often
	[poor at keeping a secret](http://heartbleed.com/).
	2. The padding used in practice in TLS ("PKCS#1", or fully "RSAES-PKCS1-v1_5") has been known to be broken since
	[1998](http://archiv.infsec.ethz.ch/education/fs08/secsem/bleichenbacher98.pdf).

	In a similar pattern to the MAC-then-encrypt problem discussed above, TLSv1.0 (1999), TLSv1.1 (2006) and TLSv1.2 (2008)
	continued to specify use of PKCS#1 encryption, again with incrementally more complex and incorrect advice on countermeasures.

	[ROBOT](https://robotattack.org/) (2018) showed that implementations were still vulnerable to these attacks twenty years later.

	rustls does not support RSA key exchange. TLSv1.3 also removed support.

	## BEAST

	[BEAST](https://vnhacker.blogspot.com/2011/09/beast.html) ([CVE-2011-3389](https://nvd.nist.gov/vuln/detail/CVE-2011-3389))
	was demonstrated in 2011 by Thai Duong and Juliano Rizzo,
	and was another vulnerability in CBC-based ciphersuites in SSLv3.0 and TLSv1.0. CBC mode is vulnerable to adaptive
	chosen-plaintext attacks if the IV is predictable. In the case of these protocol versions, the IV was the previous
	block of ciphertext (as if the entire TLS session was one CBC ciphertext, albeit revealed incrementally). This was
	obviously predictable, since it was published on the wire.

	OpenSSL contained a countermeasure for this problem from 2002 onwards: it encrypts an empty message before each real
	one, so that the IV used in the real message is unpredictable. This was turned off by default due to bugs in IE6.

	TLSv1.1 fix this vulnerability, but not any of the other deficiencies of CBC mode (see above).

	rustls does not support these ciphersuites.

	## CRIME

	In 2002 [John Kelsey](https://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf) discussed the length side channel
	as applied to compression of combined secret and attacker-chosen strings.

	Compression continued to be an option in TLSv1.1 (2006) nor in TLSv1.2 (2008). Support in libraries was widespread.

	[CRIME](http://netifera.com/research/crime/CRIME_ekoparty2012.pdf) ([CVE-2012-4929](https://nvd.nist.gov/vuln/detail/CVE-2012-4929))
	was demonstrated in 2012, again by Thai Duong and Juliano Rizzo. It attacked several protocols offering transparent
	compression of application data, allowing quick adaptive chosen-plaintext attacks against secret values like cookies.

	rustls does not implement compression. TLSv1.3 also removed support.

	## Logjam / FREAK

	Way back when SSL was first being born, circa 1995, the US government considered cryptography a munition requiring
	export control. SSL contained specific ciphersuites with dramatically small key sizes that were not subject
	to export control. These controls were dropped in 2000.

	Since the "export-grade" ciphersuites no longer fulfilled any purpose, and because they were actively harmful to users,
	one may have expected software support to disappear quickly. This did not happen.

	In 2015 [the FREAK attack](https://mitls.org/pages/attacks/SMACK#freak) ([CVE-2015-0204](https://nvd.nist.gov/vuln/detail/CVE-2015-0204))
	and [the Logjam attack](https://weakdh.org/) ([CVE-2015-4000](https://nvd.nist.gov/vuln/detail/CVE-2015-4000)) both
	demonstrated total breaks of security in the presence of servers that accepted export ciphersuites. FREAK factored
	512-bit RSA keys, while Logjam optimised solving discrete logs in the 512-bit group used by many different servers.

	Naturally, rustls does not implement any of these ciphersuites.

	## SWEET32

	Block ciphers are vulnerable to birthday attacks, where the probability of repeating a block increases dramatically
	once a particular key has been used for many blocks. For block ciphers with 64-bit blocks, this becomes probable
	once a given key encrypts the order of 32GB of data.

	[Sweet32](https://sweet32.info/) ([CVE-2016-2183](https://nvd.nist.gov/vuln/detail/CVE-2016-2183)) attacked this fact
	in the context of TLS support for 3DES, breaking confidentiality by analysing a large amount of attacker-induced traffic
	in one session.

	rustls does not support any 64-bit block ciphers.

	## DROWN

	[DROWN](https://drownattack.com/) ([CVE-2016-0800](https://nvd.nist.gov/vuln/detail/CVE-2016-0800)) is a cross-protocol
	attack that breaks the security of TLSv1.2 and earlier (when used with RSA key exchange) by using SSLv2. It is required
	that the server uses the same key for both protocol versions.

	rustls naturally does not support SSLv2, but most importantly does not support RSA key exchange for TLSv1.2.

	## Poodle

	[POODLE](https://www.openssl.org/~bodo/ssl-poodle.pdf) ([CVE-2014-3566](https://nvd.nist.gov/vuln/detail/CVE-2014-3566))
	is an attack against CBC mode ciphersuites in SSLv3. This was possible in most cases because some clients willingly
	downgraded to SSLv3 after failed handshakes are later versions.

	rustls does not support CBC mode ciphersuites, or SSLv3. Note that rustls does not need to implement `TLS_FALLBACK_SCSV`
	introduced as a countermeasure because it contains no ability to downgrade to earlier protocol versions.

	## GCM nonces

	[RFC5288](https://tools.ietf.org/html/rfc5288) introduced GCM-based ciphersuites for use in TLS. Unfortunately
	the design was poor; it reused design for an unrelated security setting proposed in RFC5116.

	GCM is a typical nonce-based AEAD: it requires a unique (but not necessarily unpredictable) 96-bit nonce for each encryption
	with a given key. The design specified by RFC5288 left two-thirds of the nonce construction up to implementations:

	- wasting 8 bytes per TLS ciphertext,
	- meaning correct operation cannot be tested for (eg, in protocol-level test vectors).

	There were no trade-offs here: TLS has a 64-bit sequence number that is not allowed to wrap and would make an ideal nonce.

	As a result, a [2016 study](https://eprint.iacr.org/2016/475.pdf) found:

	- implementations from IBM, A10 and Citrix used randomly-chosen nonces, which are unlikely to be unique over long connections,
	- an implementation from Radware used the same nonce for the first two messages.

	rustls uses a counter from a random starting point for GCM nonces. TLSv1.3 and the Chacha20-Poly1305 TLSv1.2 ciphersuite
	standardise this method.

	## Renegotiation

	In 2009 Marsh Ray and Steve Dispensa [discovered](https://kryptera.se/Renegotiating%20TLS.pdf) that the renegotiation
	feature of all versions of TLS allows a MitM to splice a request of their choice onto the front of the client's real HTTP
	request. A countermeasure was proposed and widely implemented to bind renegotiations to their previous negotiations;
	unfortunately this was insufficient.

	rustls does not support renegotiation in TLSv1.2. TLSv1.3 also no longer supports renegotiation.

	## 3SHAKE

	[3SHAKE](https://www.mitls.org/pages/attacks/3SHAKE) (2014) described a complex attack that broke the "Secure Renegotiation" extension
	introduced as a countermeasure to the previous protocol flaw.

	rustls does not support renegotiation for TLSv1.2 connections, or RSA key exchange, and both are required for this attack
	to work. rustls implements the "Extended Master Secret" (RFC7627) extension for TLSv1.2 which was standardised as a countermeasure.

	TLSv1.3 no longer supports renegotiation and RSA key exchange. It also effectively incorporates the improvements made in RFC7627.

	## KCI

	[This vulnerability](https://kcitls.org/) makes use of TLS ciphersuites (those offering static DH) which were standardised
	yet not widely used. However, they were implemented by libraries, and as a result enabled for various clients. It coupled
	this with misconfigured certificates (on services including facebook.com) which allowed their misuse to MitM connections.

	rustls does not support static DH/EC-DH ciphersuites. We assert that it is misissuance to sign an EC certificate
	with the keyUsage extension allowing both signatures and key exchange. That it isn't is probably a failure
	of CAB Forum baseline requirements.
	*/