20.5.2 Countermeasures
Daniel Bleichenbacher published his attack at the CRYPTO’98 conference, which took place in August 1998. RFC 2246 The TLS Protocol Version 1.0 draft version 0.6, released on November 12, 1998, added a note that an attack had been discovered against TLS servers that use RSA with PKCS #1-encoded messages.
In order to prevent Bleichenbacher’s attack, the RFC 2246 draft recommends that servers "treat incorrectly formatted messages in a manner indistinguishable from correctly formatted RSA blocks. Thus, when it receives an incorrectly formatted RSA block, a server should generate a random 48-byte value and proceed using it as the premaster secret" [5].
20.6 Improvements of Bleichenbacher’s attack
After its publication in 1998, it quickly became clear that Bleichenbacher’s attack could be extended on various levels to yield even more practical attacks on TLS.
20.6.1 Bad version oracles
In 2003, Klima, Pokorny, and Rosa published a practical attack on RSA-based TLS sessions that extracts the TLS pre-master secret from a TLS 1.0 handshake [101]. Their attack extends Bleichenbacher’s attack by exploiting the TLS version number check over PKCS #1 plaintexts as an oracle.
As shown in Figure 20.3, a TLS message with the correct PKCS #1 padding contains two bytes that denote the TLS version. These bytes were originally introduced to thwart so-called version rollback attacks, where Mallory tries to trick Alice into switching to an older TLS version, preferably – from Mallory’s perspective – one with weaker cryptographic algorithms or shorter and, therefore, less secure keys.
Klima, Pokorny, and Rosa, however, observed that many then-current TLS implementations returned an error when one of these bytes had a different value than what server Alice expected. Based on this observation, they defined a bad version oracle: whenever Alice returns no error message for some ciphertext c = m^e (mod n) of Eve’s choice, Eve knows that the corresponding plaintext m has a valid PKCS #1 padding.
From here, Eve can apply the original Bleichenbacher attack to invert the RSA encryption. This, in turn, allows Eve to accomplish two different things: she can either extract the pre-master secret from the TLS handshake message or trick Alice into signing a message of Eve’s choice.
Klima, Pokorny, and Rosa conducted practical experiments with their attack and determined that at the time of their publication, about two-thirds of several hundred randomly chosen TLS servers were vulnerable to their attack.
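The following is an added example, not code from the book, illustrating both the RFC 2246 countermeasure of Section 20.5.2 and the bad version oracle of Section 20.6.1. It models only what a server does after RSA decryption, on constructed PKCS #1 v1.5 plaintext blocks (the RSA operation itself is left out); the function names and the 0x5a padding bytes are assumptions made for the example.

```python
import secrets

PMS_LEN = 48  # TLS premaster secret: 2 version bytes + 46 random bytes

def make_block(pms: bytes) -> bytes:
    """Constructed PKCS#1 v1.5 type-2 plaintext: 00 02 <8+ nonzero pad> 00 <pms>."""
    return b"\x00\x02" + bytes([0x5A] * 8) + b"\x00" + pms

def unpad_pkcs1_v15(block: bytes):
    """Return the embedded message, or None when the padding is malformed."""
    if len(block) < 11 or block[0] != 0x00 or block[1] != 0x02:
        return None
    sep = block.find(0x00, 2)  # first zero byte after the 0x02 byte
    if sep < 10:               # no separator, or padding string shorter than 8 bytes
        return None
    return block[sep + 1:]

def leaky_server(block: bytes, client_version: bytes) -> bytes:
    """Pre-countermeasure handling: every failure is a distinguishable error.
    The padding error is Bleichenbacher's oracle; the version error is the
    bad version oracle of Klima, Pokorny, and Rosa."""
    pms = unpad_pkcs1_v15(block)
    if pms is None or len(pms) != PMS_LEN:
        raise ValueError("bad_padding")
    if pms[:2] != client_version:
        raise ValueError("bad_version")
    return pms

def hardened_server(block: bytes, client_version: bytes) -> bytes:
    """RFC 2246 countermeasure, applied to the version check as well:
    draw a random 48-byte premaster secret unconditionally and use it on
    any failure, so malformed blocks are indistinguishable from valid ones.
    The handshake then fails later with the same generic alert in all cases."""
    fallback = secrets.token_bytes(PMS_LEN)
    pms = unpad_pkcs1_v15(block)
    if pms is None or len(pms) != PMS_LEN or pms[:2] != client_version:
        return fallback
    return pms

def observe(server, block: bytes, client_version: bytes) -> str:
    """What a network observer learns from the server's reaction."""
    try:
        server(block, client_version)
        return "ok"
    except ValueError as err:
        return str(err)
```

With the hardened server, `observe` reports "ok" for a correct block, a block with a broken padding header, and a block carrying the wrong version bytes alike, which is the property that removes both oracles.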