Wireshark · Wireshark-bugs: [Wireshark-bugs] [Bug 10235] New: Encrypted TLS handshake detected heuristic broken by AESGCM nonce

Wireshark-bugs: [Wireshark-bugs] [Bug 10235] New: Encrypted TLS handshake detected heuristic bro

Date: Fri, 27 Jun 2014 03:32:48 +0000

Bug ID	10235
Summary	Encrypted TLS handshake detected heuristic broken by AESGCM nonce when counter is used
Classification	Unclassified
Product	Wireshark
Version	1.10.8
Hardware	x86-64
OS	Windows 7
Status	UNCONFIRMED
Severity	Normal
Priority	Low
Component	Dissection engine (libwireshark)
Assignee	bugzilla-admin@wireshark.org
Reporter	wireshark@reschly.com

Created attachment 12853 [details]
AESGCM connection between opensssl s_client and google, packet #11 demonstrates
error

Build Information:
Compiled (64-bit) with GLib 2.34.1, with WinPcap (4_1_3), with libz 1.2.5,
without POSIX capabilities, without libnl, with SMI 0.4.8, with c-ares 1.9.1,
with Lua 5.1, without Python, with GnuTLS 2.12.18, with Gcrypt 1.4.6, without
Kerberos, with GeoIP.

Running on 64-bit Windows 7 Service Pack 1, build 7601, without WinPcap.
       Intel(R) Core(TM) i5-2410M CPU @ 2.30GHz, with 6058MB of physical
memory.
--
Wireshark uses a heuristic to determine whether TLS handshake message is
encrypted.  That heuristic to:

1. Extract bytes 1-3 (0-counting) as a 24-bit length field
2. If that length is larger than the remaining payload, declare record
encrypted.
3. Otherwise, declare record unencrypted.

(see:
https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob;f=epan/dissectors/packet-ssl.c;h=3c82774908ce9f5a6f3e9837c0f277912ddd6b0c;hb=HEAD#l1877
)

When AES-GCM is used, this heuristic is regularly broken.

When an AES GCM cipher suite is used, there is an 8-byte explicit nonce.
Some implementations use a counter for that explicit nonce.
Thus, the first 8 bytes of the TLS finished message are all 0x00, as it is the
first encrypted message.

When the heuristic runs against that payload, the extracted length is 0, and
the record is declared to be plaintext.  The heuristic runs another time, on
the next 4 bytes, and "finds" a second unencrypted handshake record when in
reality there are none.

The attachment demonstrates this error.  It was generated with openssl 1.0.1e
using the command:
openssl s_client -connect www.google.com:443 -cipher AESGCM

Packet 11 demonstrates the heuristic error, as Google uses a counter for the
nonce.
Packet 10 does not demonstrate the error as openssl uses a random nonce.

You are receiving this mail because:

You are watching all bug changes.

Follow-Ups:
- [Wireshark-bugs] [Bug 10235] Encrypted TLS handshake detected heuristic broken by AESGCM nonce when counter is used
  - From: bugzilla-daemon
- [Wireshark-bugs] [Bug 10235] Encrypted TLS handshake detected heuristic broken by AESGCM nonce when counter is used
  - From: bugzilla-daemon

Prev by Date: [Wireshark-bugs] [Bug 9527] TShark and Wireshark hang reading a particular MPEG-2 TS file?
Next by Date: [Wireshark-bugs] [Bug 10235] Encrypted TLS handshake detected heuristic broken by AESGCM nonce when counter is used
Previous by thread: [Wireshark-bugs] [Bug 10234] Dissect Forward SMS ACK signalling error
Next by thread: [Wireshark-bugs] [Bug 10235] Encrypted TLS handshake detected heuristic broken by AESGCM nonce when counter is used
Index(es):
- Date
- Thread