## CryptoDB

### Paper: Attacking RSA-based Sessions in SSL/TLS

Authors: Vlastimil Klima, Ondrej Pokorny, Tomas Rosa

URL: http://eprint.iacr.org/2003/052

In this paper we present a practically feasible attack on RSA-based sessions in SSL/TLS protocols. These protocols incorporate the PKCS#1 (v. 1.5) encoding method for the RSA encryption of a premaster-secret value. The premaster-secret is the only secret value that is used for deriving all the particular session keys. Therefore, an attacker who can recover the premaster-secret can decrypt the whole captured SSL/TLS session. We show that incorporating a version number check over the PKCS#1 plaintext used in SSL/TLS creates a side channel that allows the attacker to invert the RSA encryption. The attacker can then either recover the premaster-secret or sign a message on behalf of the server. Practical tests showed that two thirds of randomly chosen Internet SSL/TLS servers were vulnerable. The attack is an extension of Bleichenbacher's attack on PKCS#1 (v. 1.5). We introduce the concept of a bad-version oracle (BVO) that covers the side channel leakage, and present several methods that speed up the original algorithm. Our attack was successfully tested in practice and the results of complexity measurements are presented in the paper. Using a testing server (2x Pentium III/1.4 GHz, 1 GB RAM, 100 Mb/s Ethernet, OS RedHat 7.2, Apache 1.3.27), it was possible to achieve a speed of 67.7 BVO calls per second for a 1024-bit RSA key. The median time for a whole attack on the premaster-secret could then be estimated as 54 hours and 42 minutes. We also propose and discuss countermeasures, which are both cryptographically acceptable and practically feasible.
#### BibTeX

```bibtex
@misc{eprint-2003-11769,
  title={Attacking RSA-based Sessions in SSL/TLS},
  booktitle={IACR Eprint archive},
  keywords={cryptanalysis, side channel attacks, SSL, TLS, RSA},
  url={http://eprint.iacr.org/2003/052},
  note={Extended version of the paper presented at CHES 2003, September 7-11, Cologne, Germany. Received 14 Mar 2003, last revised 29 Aug 2003},
  author={Vlastimil Klima and Ondrej Pokorny and Tomas Rosa},
  year={2003}
}
```