Difference between SSL and TLS or When the POODLE Bites
TLS is the successor to SSL. This widely recognized fact still leaves many puzzled as to why TLS had to come out as a new protocol rather than as a variation of SSL, and, since it did, why it is still used in conjunction with its predecessor as "SSL/TLS" in network security.
What happened to SSL 3.0?
The heart of the problem with the SSL 3.0 protocol lies in its encryption method, which creates a loophole for what is called a POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. SSL 3.0 uses either the RC4 stream cipher or a block cipher in CBC mode to encrypt messages. The RC4 symmetric encryption key is made of an infrequently changed shared key and a 24-bit randomized IV (initialization vector), which allows for only about 17 million possible unique values and so leads to reuse of IVs. With modern computing technology, intruders are able to capture IVs and decrypt messages. This also led to the departure from WEP, which uses the RC4 cipher for encryption in wireless security.
The defect in CBC (cipher-block chaining) encryption is its non-random padding, which is not verified with the MAC (Message Authentication Code). A CBC-encrypted POST request is made of a path, a cookie and the main message, usually followed by a 20-byte MAC and padding of unknown size. An attacker can perform multiple GET requests until it becomes visible where a block boundary is crossed and thus infer the size of the padding; on average this takes 16 attempts. CBC is set up so that the final byte of an encrypted message is the first byte of the cookie. Therefore, having deduced the sizes of the block and the padding, the attacker can easily infer the cookie and steal it. The attacker then strips the POST request of its padding and MAC, replaces the original ciphertext with another, puts the MAC and the padding back and sends it to the receiving end. The tampered message is accepted and the POODLE attack is successfully executed.
How is TLS different from SSL?
Much like SSL, TLS uses symmetric ciphers such as RC4 and DES for encryption. The padding size is now verified using a MAC that is computed via a secure hash function. The main improvement, however, stems from the asymmetric cryptography used for authentication. A POODLE attack is a man-in-the-middle attack in which an intruder takes advantage of a weakness in the transport mechanism of the packet and manipulates it for malicious purposes. A secure connection is essential to thwart the man-in-the-middle. To establish such a connection, a TLS handshake is performed to select cryptographic algorithms, authenticate each side, and generate a secret key using asymmetric encryption. In an SSL handshake there is no real client authentication scheme and the secret is symmetrically encrypted, which makes the SSL connection vulnerable to man-in-the-middle attacks such as POODLE.
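The two sections above contrast SSL 3.0 padding, where only the final length byte is defined, with TLS padding, whose every byte is checked by the receiver. The following example, added here and not part of the original post or of any TLS implementation, builds the MAC-then-pad layout of a record in both styles (encryption itself is left out) and runs each receiver's check against a record whose filler padding byte was altered. The MAC key, the payload and the 16-byte block size are constructed sample values.

```python
"""Receiver-side padding checks on a MAC-then-pad CBC record: SSL 3.0 style versus TLS style."""
import hashlib
import hmac
import os

BLOCK_SIZE = 16
MAC_LEN = 20                        # HMAC-SHA1 tag, the 20-byte MAC mentioned above
MAC_KEY = b"constructed-mac-key"    # constructed sample key, not from the post


def mac(data: bytes) -> bytes:
    return hmac.new(MAC_KEY, data, hashlib.sha1).digest()


def pad_len_for(data: bytes) -> int:
    # Smallest number of filler bytes so that data + filler + length byte fills whole blocks
    return (BLOCK_SIZE - (len(data) + 1) % BLOCK_SIZE) % BLOCK_SIZE


def ssl3_pad(data: bytes) -> bytes:
    # SSL 3.0: only the final length byte is specified; filler bytes are arbitrary (random here)
    n = pad_len_for(data)
    return data + os.urandom(n) + bytes([n])


def tls_pad(data: bytes) -> bytes:
    # TLS 1.0 and later: every padding byte, including the length byte, carries the length value
    n = pad_len_for(data)
    return data + bytes([n]) * (n + 1)


def ssl3_unpad(padded: bytes) -> bytes:
    # SSL 3.0 receiver: validates only that the length byte is plausible, never the filler content
    n = padded[-1]
    if n >= BLOCK_SIZE or n + 1 > len(padded):
        raise ValueError("bad padding length")
    return padded[:-(n + 1)]


def tls_unpad(padded: bytes) -> bytes:
    # TLS receiver: every padding byte must equal the length byte
    n = padded[-1]
    if n + 1 > len(padded) or any(b != n for b in padded[-(n + 1):]):
        raise ValueError("bad padding")
    return padded[:-(n + 1)]


def encode_record(payload: bytes, pad_fn) -> bytes:
    # MAC-then-pad, the order both protocols use before CBC encryption (encryption omitted here)
    return pad_fn(payload + mac(payload))


def decode_record(record: bytes, unpad_fn):
    # Returns the payload when padding and MAC both verify, otherwise None
    try:
        stripped = unpad_fn(record)
    except ValueError:
        return None
    body, tag = stripped[:-MAC_LEN], stripped[-MAC_LEN:]
    if not hmac.compare_digest(tag, mac(body)):
        return None
    return body


def receiver_accepts_altered_filler(pad_fn, unpad_fn,
                                    payload: bytes = b"GET /path cookie=secret") -> bool:
    """Alter one filler padding byte (not the length byte) and report whether the receiver accepts.

    The constructed payload plus its 20-byte MAC needs four filler bytes, so record[-2] is filler.
    """
    record = bytearray(encode_record(payload, pad_fn))
    if record[-1] == 0:
        raise ValueError("choose a payload length that needs at least one filler byte")
    record[-2] ^= 0xFF
    return decode_record(bytes(record), unpad_fn) == payload


if __name__ == "__main__":
    print("SSL 3.0 receiver accepts altered filler:", receiver_accepts_altered_filler(ssl3_pad, ssl3_unpad))
    print("TLS receiver accepts altered filler:   ", receiver_accepts_altered_filler(tls_pad, tls_unpad))
```

The SSL 3.0 receiver returns the original payload even though a padding byte was changed, because neither the length check nor the MAC covers the filler bytes; the TLS receiver rejects the same record at the padding check. That difference in what the receiver verifies is the property a deployment relies on once SSL 3.0 is switched off.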
Explicit vs. implicit connection
Part of the secret key in a TLS connection is implicitly generated during the handshake itself and is not sent as part of the secret key packet. This is more evident in TLS 1.2. With the adoption of AES-CCM cipher suites that use AEAD (Authenticated Encryption with Associated Data) algorithms in TLS 1.2, TLS connections became more secure. The 12-byte AEAD nonce, which is essentially a one-time secret key, is split into an 8-byte explicit nonce and a 4-byte implicit salt. The salt is generated during the TLS handshake, whether by the client or the server, and is not sent as part of the nonce packet. In an SSL handshake, the secret key is not split into explicit and implicit parts and is sent as a whole, explicitly, in the relevant packet.
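The nonce split described above can be made concrete with a small model, added here as an example rather than taken from the post or from any TLS library. It assembles the 12-byte AEAD nonce from the 4-byte implicit salt and the 8-byte explicit part, tracks which nonces have been used under one key so that a repeat is refused, and separates what is transmitted (the explicit part) from what stays local (the salt and the full nonce). The salt value and the use of the record sequence number as the explicit part are constructed assumptions of this model.

```python
"""Model of the TLS 1.2 AEAD nonce split: 4-byte implicit salt + 8-byte explicit part."""
import struct

SALT_LEN = 4       # implicit part, derived during the handshake, never on the wire
EXPLICIT_LEN = 8   # explicit part, sent with each record
NONCE_LEN = SALT_LEN + EXPLICIT_LEN   # 12-byte AEAD nonce


def build_nonce(implicit_salt: bytes, explicit_part: bytes) -> bytes:
    """Concatenate salt and explicit part into the full nonce, rejecting wrong lengths."""
    if len(implicit_salt) != SALT_LEN:
        raise ValueError("implicit salt must be %d bytes" % SALT_LEN)
    if len(explicit_part) != EXPLICIT_LEN:
        raise ValueError("explicit nonce must be %d bytes" % EXPLICIT_LEN)
    return implicit_salt + explicit_part


def split_nonce(nonce: bytes):
    """Inverse of build_nonce: (implicit_salt, explicit_part)."""
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    return nonce[:SALT_LEN], nonce[SALT_LEN:]


class RecordNonceTracker:
    """Produces one nonce per record under a single write key and refuses any reuse.

    The explicit part is modelled as a 64-bit record sequence number (an assumption of
    this example); the salt is supplied once, as if taken from the handshake key material.
    """

    def __init__(self, implicit_salt: bytes):
        self.salt = implicit_salt
        self.seq = 0
        self.seen = set()

    def next_record(self):
        explicit = struct.pack(">Q", self.seq)   # big-endian sequence number
        self.seq += 1
        nonce = build_nonce(self.salt, explicit)
        if nonce in self.seen:
            raise RuntimeError("AEAD nonce reuse under the same key")
        self.seen.add(nonce)
        # Only `explicit` travels with the record; `nonce` stays on this side.
        return explicit, nonce


def on_wire_reveals_salt(explicit_part: bytes, nonce: bytes) -> bool:
    """True only if the transmitted explicit part contains the salt, which it must not."""
    salt, _ = split_nonce(nonce)
    return salt in explicit_part


if __name__ == "__main__":
    tracker = RecordNonceTracker(b"\x01\x02\x03\x04")   # constructed sample salt
    for _ in range(3):
        explicit, nonce = tracker.next_record()
        print("sent:", explicit.hex(), "local nonce:", nonce.hex(),
              "salt leaked:", on_wire_reveals_salt(explicit, nonce))
```

Because the salt is fixed per key and the explicit part advances with every record, each nonce is distinct for the life of the key; the tracker's reuse check is the invariant an AEAD cipher suite depends on.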
The dangerous dance
With all its enhancements, TLS is still susceptible to POODLE attacks, mainly due to what is called a "downgrade dance", which is perhaps the reason it is still used in conjunction with SSL as "SSL/TLS" in network security. When a client initiates a TLS connection, the server offers the highest protocol version (for example TLS 1.2). If the handshake fails, the server downgrades the protocol and retries with TLS 1.1. This can continue until the protocol is downgraded to SSL 3.0 in order to interoperate with legacy systems. An attacker who controls the network between the server and the client can leverage this downgrade mechanism to force the use of SSL 3.0 and perform a POODLE attack. The best way to eradicate this issue is to disable downgrading to SSL 3.0 completely, which is still debated because of the absence of alternative methods for working securely with legacy systems.
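The remedy the paragraph names, refusing to fall back to SSL 3.0 at all, is a configuration decision. As an added example (not from the post), the following uses Python's standard `ssl` module to build a server context pinned to TLS 1.2 and above, next to a context left at library defaults for comparison, and a small helper that answers whether a given context would still allow a particular protocol version. Which versions the default context accepts depends on the linked OpenSSL build, so only the hardened context is checked.

```python
"""Refusing the downgrade: a server context that never negotiates SSL 3.0 or early TLS."""
import ssl


def default_server_context() -> ssl.SSLContext:
    # Comparison point: whatever range the linked OpenSSL allows by default
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def hardened_server_context() -> ssl.SSLContext:
    # Floor the negotiable version at TLS 1.2; older offers fail the handshake outright
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def allows_version(ctx: ssl.SSLContext, version: ssl.TLSVersion) -> bool:
    """True if `version` lies inside the context's configured [minimum, maximum] range.

    The sentinels MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED mean "whatever OpenSSL supports";
    they are mapped to SSLv3 and TLSv1_3 here so the comparison stays meaningful.
    """
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    return lo <= version <= hi


def downgrade_targets_allowed(ctx: ssl.SSLContext):
    """List the legacy versions a downgrade could still land on with this context."""
    legacy = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
    return [v.name for v in legacy if allows_version(ctx, v)]


if __name__ == "__main__":
    print("default context may downgrade to:", downgrade_targets_allowed(default_server_context()))
    print("hardened context may downgrade to:", downgrade_targets_allowed(hardened_server_context()))
```

With the hardened context a client that only speaks SSL 3.0 simply fails to connect, which is the trade-off against legacy systems the paragraph describes; the `downgrade_targets_allowed` helper is a quick way to audit an existing context before deployment.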
Unfortunately, even without the downgrade dance, TLS protocols have been compromised, since the paddings in earlier TLS versions are a subset of the SSL 3.0 paddings. Today, TLS 1.3 is the most secure version of the TLS protocol, and it is starting to see widespread adoption.
I hope this helps clarify the ambiguity behind the SSL/TLS dilemma. Please feel free to post your thoughts in the comments.