Abstract
In this paper we present a practically feasible attack on RSA-based sessions in the SSL/TLS protocols. We show that the version number check performed over the PKCS#1 plaintext used in SSL/TLS creates a side channel that allows an attacker to invert the RSA encryption. The attacker can then either recover the premaster secret or sign a message on behalf of the server. Practical tests showed that two thirds of randomly chosen Internet SSL/TLS servers were vulnerable. The attack is an extension of Bleichenbacher's attack on PKCS#1 (v. 1.5). We introduce the concept of a bad-version oracle (BVO) that covers the side channel leakage, and present several methods that speed up the original algorithm. Our attack was successfully tested in practice, and the results of complexity measurements are presented in the paper.
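To make the side channel in the abstract concrete from the defender's side, the following added example (not code from the paper or from any TLS implementation) simulates the server-side decoding of an RSA-encrypted premaster secret. In SSL/TLS the decrypted PKCS#1 v1.5 block must carry a 48-byte premaster secret whose first two bytes are the client's protocol version. The leaky decoder reports a version mismatch differently from a padding failure, which is exactly the distinguishable outcome a bad-version oracle is built on; the hardened decoder collapses every failure into the same observable behaviour by continuing with a random premaster secret so that the handshake fails uniformly at the Finished message. The modulus size (128 bytes), the block-building helper and all test vectors are constructed for the simulation and are assumptions, not values from the paper.

```python
import os

TLS_1_0 = b"\x03\x01"   # client_version carried in the first two premaster bytes
PREMASTER_LEN = 48
KEY_BYTES = 128         # assumed 1024-bit RSA modulus for this simulation only


def pkcs1_v15_unpad(em):
    """Strip PKCS#1 v1.5 block type 2 padding: 00 || 02 || PS || 00 || M.

    Returns M, or None if the block is not PKCS-conforming.
    """
    if len(em) != KEY_BYTES or em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)
    if sep == -1 or sep - 2 < 8:        # PS must be at least 8 non-zero bytes
        return None
    return em[sep + 1:]


def leaky_premaster(em, expected_version):
    """Vulnerable pattern: the version check runs only after the padding check
    succeeds, and its failure is signalled differently (distinct alert, log
    line or timing). That difference is the bad-version oracle."""
    m = pkcs1_v15_unpad(em)
    if m is None or len(m) != PREMASTER_LEN:
        return "bad_padding", None
    if m[:2] != expected_version:
        return "bad_version", None      # reveals that the padding was conforming
    return "ok", m


def hardened_premaster(em, expected_version, fallback=None):
    """Uniform handling: any decode failure, whether padding or version, is
    replaced by a random premaster secret and the handshake proceeds, so an
    observer sees the same Finished failure in every case.

    `fallback` is injected only for deterministic testing; production code
    draws it from os.urandom. A real implementation should also select
    between m and fallback without a data-dependent branch, which this
    simulation does not attempt.
    """
    if fallback is None:
        fallback = os.urandom(PREMASTER_LEN)
    m = pkcs1_v15_unpad(em)
    ok = m is not None and len(m) == PREMASTER_LEN and m[:2] == expected_version
    return m if ok else fallback


def build_block(version, payload, block_type=0x02):
    """Constructed test vector: a padded block with a deterministic non-zero
    padding string. Not a real RSA plaintext."""
    m = version + payload
    ps_len = KEY_BYTES - 3 - len(m)
    ps = bytes((i % 255) + 1 for i in range(ps_len))   # bytes in 1..255, never 0
    return b"\x00" + bytes([block_type]) + ps + b"\x00" + m


if __name__ == "__main__":
    payload = b"\xaa" * (PREMASTER_LEN - 2)
    good = build_block(TLS_1_0, payload)
    bad_pad = build_block(TLS_1_0, payload, block_type=0x01)
    bad_ver = build_block(b"\x03\x00", payload)
    for name, em in (("good", good), ("bad_pad", bad_pad), ("bad_ver", bad_ver)):
        print(name, "leaky:", leaky_premaster(em, TLS_1_0)[0],
              "hardened ok:", hardened_premaster(em, TLS_1_0) == TLS_1_0 + payload)
```

Running the script shows three distinct outcomes from the leaky decoder but only two from the hardened one (success or an indistinguishable failure). The check a reviewer should apply to a real implementation is the same: every path that rejects the decrypted block, version mismatch included, must be observationally identical to every other.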
References
Bleichenbacher, D.: Chosen Ciphertexts Attacks Against Protocols Based on the RSA Encryption Standard PKCS#1. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 1–12. Springer, Heidelberg (1998)
Canvel, B.: Password Interception in a SSL/TLS Channel (February 2003), http://lasecwww.epfl.ch/memo_ssl.shtml
Håstad, J., Näslund, M.: The Security of Individual RSA Bits. In: Proc. of FOCS 1998, pp. 510–521 (1998)
Jonsson, J., Kaliski Jr., B.S.: On the Security of RSA Encryption in TLS. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 127–142. Springer, Heidelberg (2002)
Klíma, V., Rosa, T.: Further Results and Considerations on Side Channel Attacks on RSA. In: Kaliski Jr., B.S., Koç, Ç.K., Paar, C. (eds.) CHES 2002. LNCS, vol. 2523, pp. 244–259. Springer, Heidelberg (2003)
Manger, J.: A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 230–238. Springer, Heidelberg (2001)
OpenSSL: OpenSSL ver. 0.9.7 December 31 (2002), http://www.openssl.org/
PKCS#5 ver. 2.0: Password-Based Cryptography Standard, RSA Laboratories, March 25 (1999)
PKCS #1: RSA Encryption Standard, An RSA Laboratories Technical Note, Version 1.5, Revised November 1 (1993)
Rescorla, E.: SSL and TLS: Designing and Building Secure Systems. Addison-Wesley, New York (2000)
Rescorla, E.: Diffie-Hellman Key Agreement Method, RFC 2631 (June 1999)
Allen, C., Dierks, T.: The TLS Protocol, RFC 2246, Version 1.0 (January 1999)
Rivest, R.: The MD5 Message-Digest Algorithm, RFC 1321 (April 1992)
Rivest, R.L., Shamir, A., Adleman, L.: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM 21, 120–126 (1978)
RSA Labs: Prescriptions for Applications that are Vulnerable to the Adaptive Chosen Ciphertext Attack on PKCS #1 v1.5, RSA Laboratories, http://www.rsasecurity.com/rsalabs/pkcs1/prescriptions.html
Schneier, B., Wagner, D.: Analysis of the SSL 3.0 Protocol. In: The Second USENIX Workshop on Electronic Commerce Proceedings, November 1996, pp. 29–40. USENIX Press (1996)
Secure Hash Standard, FIPS Pub 180-1, April 17 (1995)
X509: ITU-T Recommendation X.509 (06/97) - Information Technology - Open System Interconnection – The Directory: Authentication Framework, ITU (1997)
Klima, V., Pokorny, O., Rosa, T.: Attacking RSA-based Sessions in SSL/TLS, Cryptology ePrint Archive: Report 2003/052, http://eprint.iacr.org/2003/052/
© 2003 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Klíma, V., Pokorný, O., Rosa, T. (2003). Attacking RSA-Based Sessions in SSL/TLS. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds) Cryptographic Hardware and Embedded Systems - CHES 2003. CHES 2003. Lecture Notes in Computer Science, vol 2779. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-45238-6_33
DOI: https://doi.org/10.1007/978-3-540-45238-6_33
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-40833-8
Online ISBN: 978-3-540-45238-6