CarderPlanet
The engineer found flaws in the 25-year-old encryption method.
Hubert Kario, senior quality engineer in the QE BaseOS security team at Red Hat, showed that many software implementations of the PKCS#1 v1.5 padding scheme for RSA key exchange, which were previously considered resistant to the well-known Daniel Bleichenbacher attack, are actually vulnerable.
In 1998, Bleichenbacher showed that a client talking to an SSL/TLS server can use the information in the server's error responses to learn enough about the padding to decrypt a protected message.
The vulnerability has appeared repeatedly, most recently in 2017, when security researchers found that at least 8 IT vendors and open source projects were vulnerable to a variation of the original Bleichenbacher attack. The researchers named their attack ROBOT.
Kario's article states that Bleichenbacher-style attacks on RSA are still possible and that vulnerable implementations are common. Kario named his attack Marvin. In short, by sending specially crafted RSA ciphertexts to a server that uses PKCS#1 v1.5 and measuring how long the server takes to process them, an attacker can eventually recover the target plaintext.
Kario recommends that you stop using RSA PKCS#1 v1.5 encryption; only servers that implement RSA encryption are affected. Most modern clients, he says, rely on Elliptic Curve Diffie-Hellman instead.
Kario identified at least 7 affected implementations, some of which have confirmed fixes, but in his opinion most cryptographic implementations of RSA PKCS#1 v1.5 are still vulnerable.
Affected implementations:
- OpenSSL (TLS layer) - timing oracle in RSA decryption (CVE-2022-4304);
- OpenSSL (API layer) - make the RSA decryption API safe to use with PKCS#1 v1.5 padding (no CVE);
- GnuTLS (TLS layer) - the server's response time to malformed RSA ciphertexts in ClientKeyExchange differs from its response time to ciphertexts with correct PKCS#1 v1.5 padding (CVE-2023-0361);
- NSS (TLS layer) - improved constant-time behaviour in RSA operations; the bug was not fully fixed in version 3.61, so that implementation is still vulnerable (CVE-2023-4421);
- pyca/cryptography - fix required at the OpenSSL level (CVE-2020-25659);
- M2Crypto - fix required at the OpenSSL level (CVE-2020-25657);
- OpenSSL-ibmca - fixes for RSA PKCS#1 v1.5 and OAEP padding in version 2.4.0 (no CVE).
Those who want to test their own systems can use Kario's script for testing TLS servers together with its accompanying instructions. Kario also noted that the flaw is not limited to RSA: any implementation built on general-purpose big-integer arithmetic will face the same problems.
