S.E. Leontiev, V.O. Popov, S.V. Smyshlyaev
At Ekoparty conference in Argentina in September of 2011 a new work of Duong and Rizzo , dedicated to practical implementation of known theoretical attack on SSL/TLS protocol, was presented. That attack had been proposed by Gregory Bard  7 years before Duong and Rizzo. It was based on certain properties of CBC block cipher operation mode in case of chosen plaintext attack when the following initialization vector is known.
Earlier at Eurocrypt 2002  a work by Serge Vaudenay was presented. It was dedicated to another method of constructing attack on TLS protocol, also using certain properties of CBC mode. The idea of constructing such chosen ciphertext attacks when certain modes of block cipher operation and padding algorithms are used was presented earlier at CRYPTO 1998 .
The current work is dedicated to countermeasures against attacks on TLS Record Protocol. All observed attacks are based on ideas of Bard and Vaudenay and are possible in models with chosen plaintext or chosen ciphertext attacks.
A short review of most important attacks on TLS protocol is presented. Applicability of such class of attacks to versions 1.0 and 1.1–1.2 of TLS protocol is considered and a new modification of timing attack, which is applicable to versions 1.1 and 1.2, is proposed.
To counteract against timing attacks similar to Vaudenay attack in 126.96.36.199 of RFC 5246  it was recommended to compute MAC even in the case of incorrect padding. In that case it was proposed to compute MAC for the whole message, considering there is no padding.
There was also noted that proposed measures leave behind a certain side channel caused by difference between times of MAC computation in case of correct and incorrect padding.
Consider the task of decrypting block Ci of transmitted ciphertext . We will consider that block lengths of block cipher and MAC are equal to b, 1≤ b ≤ 128, where 256 is a multiple of b.
It is assumed that it is possible for adversary to encrypt plaintext M, which is modified in right of block Mi using the current key; also it is assumed that adversary is able to make requests to an oracle which evaluate padding correctness in decrypted text.
To construct such an oracle one needs to distinguish the following two events: 1) MAC is computed for a message with length of 2b bytes or less; 2) for a message with length of 255 bytes.
The block Mi is restored byte-by-byte, starting from the last one; an average number of 128 evaluations is needed to restore each byte.
With the exception of using stream cipher algorithms (suites TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_RC4_128_MD5), for usage of algorithms that are not vulnerable to described attacks it is proposed to use encryption-with-authentication suites which use GCM :
For the purpose of counteraction against described attacks the following measures are proposed.
Nopadding. Usage of CNT mode of operation of GOST 28147-89, which does not require any padding, makes any attacks using additional redundancy impossible.
Authentication of messages together with padding. Authenticity of each received message mustbeverified with GOST 28147-89 MAC. It is important to note that in SSL v2 authentication was always made for messages together with padding. Later it was changed that caused appearance of described attacks.
RandomchoiceofIV. It isproposed that before processing of each packet a new unpredictable IV must be generated.
That is, for elimination of vulnerabilities of all described attacks on TLS protocol usage of the following cipher suites is proposed: TLS_GOSTR341094_WITH_28147_CNT_IMIT and TLS_GOSTR341001_WITH_28147_CNT_IMIT.