Today Hanno Böck, Juraj Somorovsky and Craig Young announced details of new work (the ROBOT attack) testing TLS implementations in the wild for Bleichenbacher’s attack on RSA PKCS#1 v1.5 encryption. The short summary is that the attack, first made public at CRYPTO ’98, still works against almost 3% of the Alexa top million websites, thanks to minor details in the way their TLS stacks implement the countermeasures.
Major vendors such as Cisco and F5 were affected. The researchers were even able to sign a message using Facebook’s private TLS key: the oracle hands the attacker an RSA private-key operation, so it allows forging signatures as well as decrypting.
As we’ve written before, this kind of encryption needs to be put out of our misery. One reason it persists in TLS is a perception that the countermeasures described in RFC 3218 and mandated for TLS in RFC 5246, section 7.4.7.1 (never report a padding failure, substitute a random premaster secret and carry on) are effective in that context.
What this new research confirms is that they are in fact fragile and extremely difficult to implement perfectly. Get the error handling or the timing slightly wrong and Bleichenbacher is back.
Another myth that persists around this attack is that it requires millions of messages to be sent to the server (Bleichenbacher’s original estimate of around a million chosen ciphertexts is what earned it the nickname “million message attack”). In fact, later improvements to the algorithm show that only about 15 000 messages are required in the median case to decrypt a plaintext using a standard padding oracle on the server, and fewer still if the implementation is particularly leaky.
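To make the two points above concrete, here is an added example (our illustration, not code from the original post and not the ROBOT authors’ tooling): a toy RSA decryption routine that leaks whether the PKCS#1 v1.5 `00 02` prefix was present, the RFC 5246 style countermeasure beside it, and Bleichenbacher’s 1998 algorithm run against the leak while counting oracle queries. Everything in it is constructed for illustration: the 188-bit key is built from two Mersenne primes purely so the attack finishes in seconds and is not secure; the leaky server is reduced to a single visible `bad padding` failure, standing in for the alert, error-code and timing differences found in the wild; and the message `hello ROBOT` stands in for a real 48-byte premaster secret, which would not fit this modulus.

```python
import secrets

# Constructed toy RSA key (two Mersenne primes): fast for a demo, NOT secure.
P, Q, E = (1 << 127) - 1, (1 << 61) - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (pow(x, -1, m) needs Python 3.8+)
K = (N.bit_length() + 7) // 8       # modulus length in bytes (24 here)
B = 1 << (8 * (K - 2))              # a block starting "00 02" is an integer in [2B, 3B)


def ceil_div(a: int, b: int) -> int: return -(-a // b)


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """EME-PKCS1-v1_5: 00 02 || at least 8 non-zero random bytes || 00 || msg."""
    ps_len = K - 3 - len(msg)
    assert ps_len >= 8, "message too long for this modulus"
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_unpad(em: bytes) -> bytes:
    return em[em.index(b"\x00", 2) + 1:]


def encrypt(msg: bytes) -> int:
    return pow(int.from_bytes(pkcs1_v15_pad(msg), "big"), E, N)


def leaky_decrypt(c: int) -> bytes:
    """VULNERABLE: fails visibly on a bad 00 02 prefix. Any way of telling that
    failure apart from other outcomes (alert, error code, timing) is the oracle."""
    em = pow(c, D, N).to_bytes(K, "big")
    if em[:2] != b"\x00\x02":
        raise ValueError("bad padding")          # the leak
    return em


def hardened_decrypt(c: int, secret_len: int) -> bytes:
    """RFC 5246 7.4.7.1 countermeasure: never report bad padding; substitute a random
    secret so the handshake fails later, indistinguishably. (Also needs constant time.)"""
    fallback = secrets.token_bytes(secret_len)
    em = pow(c, D, N).to_bytes(K, "big")
    sep = em.find(b"\x00", 2)
    ok = em[:2] == b"\x00\x02" and sep >= 10 and K - sep - 1 == secret_len
    return em[sep + 1:] if ok else fallback


def oracle(c: int) -> bool:                     # all the attacker learns: one bit
    try:
        leaky_decrypt(c)
        return True
    except ValueError:
        return False


def bleichenbacher(c0: int, query) -> tuple:
    """Recover the padded plaintext of a conforming c0 using only the oracle;
    returns (plaintext block, number of oracle queries)."""
    count = 0

    def conforms(s: int) -> bool:
        nonlocal count
        count += 1
        return query((c0 * pow(s, E, N)) % N)    # c0 * s^e = (m * s)^e mod N

    B2, B3 = 2 * B, 3 * B
    M = [(B2, B3 - 1)]                  # step 1: c0 already conforms (s0 = 1)
    s = ceil_div(N, B3)                 # step 2a: first s that can wrap m*s past N
    while not conforms(s):
        s += 1
    while True:
        new_M = []                      # step 3: narrow the candidate intervals
        for a, b in M:
            for r in range(ceil_div(a * s - B3 + 1, N), (b * s - B2) // N + 1):
                lo = max(a, ceil_div(B2 + r * N, s))
                hi = min(b, (B3 - 1 + r * N) // s)
                if lo <= hi:
                    new_M.append((lo, hi))
        M = []
        for lo, hi in sorted(new_M):    # merge overlapping intervals
            if M and lo <= M[-1][1]:
                M[-1] = (M[-1][0], max(M[-1][1], hi))
            else:
                M.append((lo, hi))
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0].to_bytes(K, "big"), count     # step 4: done
        if len(M) > 1:                  # step 2b: linear search while several intervals remain
            s += 1
            while not conforms(s):
                s += 1
        else:                           # step 2c: jump ahead on a single interval
            a, b = M[0]
            r = ceil_div(2 * (b * s - B2), N)
            while True:
                lo_s, hi_s = ceil_div(B2 + r * N, b), (B3 - 1 + r * N) // a
                hit = next((t for t in range(lo_s, hi_s + 1) if conforms(t)), None)
                if hit is not None:
                    s = hit
                    break
                r += 1


def demo(msg: bytes = b"hello ROBOT") -> tuple:
    em, n_queries = bleichenbacher(encrypt(msg), oracle)
    return pkcs1_v15_unpad(em), n_queries
```

Calling `demo()` returns the recovered message together with the number of oracle queries it took, typically on the order of 10^4 on this toy key; a real 2048-bit key changes the constants, not the algorithm. The only difference between `leaky_decrypt` and `hardened_decrypt` is whether the caller can observe which branch ran, and that is exactly the property the affected implementations failed to preserve: a distinct alert, a different error path or a measurable timing gap turns the hardened version back into `oracle`.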
PKCS#1 v1.5 encryption still lurks in a lot of old protocols, standards and APIs. To find out whether an application uses it, you can use a tool like our Analyzer.