author | lloyd <[email protected]> | 2010-04-09 03:43:48 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2010-04-09 03:43:48 +0000 |
commit | d7e2e9316a5540e93595b5386f67594135de736d (patch) | |
tree | b7b556f5005a8aa0f63cd0abe636cad927ea02ab /readme.txt | |
parent | 24ec42e6b17e177900b864771f205f2eed8753e5 (diff) |
If the CBC padding is incorrect, then assume the pad size is zero and
carry on with the procedure. This prevents a timing attack where an
attacker could distinguish bad padding vs MAC failure. This timing
channel was used in the paper "Password Interception in a SSL/TLS Channel"
by Vaudenay et al. to attack SSL in certain fairly realistic use
scenarios.
Diffstat (limited to 'readme.txt')
0 files changed, 0 insertions, 0 deletions
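
The countermeasure described in the commit message above, as an added Python sketch (not code from this commit or from the project): it works on an already CBC-decrypted record, treats malformed padding as a pad size of zero, and still runs the MAC check, so both failures end in the same error. Assumptions: HMAC-SHA256, a 16-byte block, TLS-style padding, and the hypothetical names `seal`, `pad_size`, `open_record`, `outcome`, `demo` and `BadRecordMac`; the sketch removes the early exit but is not claimed to be constant-time.

```python
import hashlib
import hmac

MAC_LEN = 32   # HMAC-SHA256; assumed here, the commit message names no MAC
BLOCK = 16     # assumed cipher block size

class BadRecordMac(Exception):
    """The one error reported for bad padding and for a bad MAC."""

def seal(mac_key: bytes, data: bytes) -> bytes:
    """Build the pre-encryption plaintext: data || MAC || TLS-style padding."""
    body = data + hmac.new(mac_key, data, hashlib.sha256).digest()
    pad_len = BLOCK - 1 - (len(body) % BLOCK)
    return body + bytes([pad_len]) * (pad_len + 1)

def pad_size(plain: bytes) -> int:
    """Bytes of padding to strip, or 0 when the padding is malformed."""
    pad_len = plain[-1]
    total = pad_len + 1                        # pad bytes plus the length byte
    diff = int(total > len(plain) - MAC_LEN)   # padding may not overlap the MAC
    for b in plain[-total:]:                   # no early exit on the first bad byte
        diff |= b ^ pad_len
    return 0 if diff else total

def open_record(mac_key: bytes, plain: bytes) -> bytes:
    """Check padding and MAC of a CBC-decrypted record; return the data."""
    if len(plain) < MAC_LEN + 1:
        raise BadRecordMac()
    strip = pad_size(plain)                    # 0 means bad padding: carry on anyway
    body = plain[:len(plain) - strip]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(mac_key, data, hashlib.sha256).digest()
    mac_ok = hmac.compare_digest(tag, expected)   # computed on every path
    if strip == 0 or not mac_ok:
        raise BadRecordMac()
    return data

def outcome(mac_key: bytes, plain: bytes) -> str:
    try:
        return "ok:" + open_record(mac_key, plain).decode()
    except BadRecordMac:
        return "bad_record_mac"

def demo() -> list:
    key = b"k" * 32                               # constructed sample key
    good = seal(key, b"constructed sample")       # constructed sample record
    bad_pad = good[:-1] + bytes([good[-1] ^ 1])   # corrupt the padding only
    bad_mac = bytes([good[0] ^ 1]) + good[1:]     # corrupt the data only
    return [outcome(key, r) for r in (good, bad_pad, bad_mac)]
```
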