20.6.2 Side channel attacks

In 2014, a group of German security researchers discovered four new side channels leading to Bleichenbacher-style oracles and demonstrated Bleichenbacher attacks on Java Secure Socket Extension (JSSE) (Java’s built-in SSL/TLS implementation) as well as on hardware security appliances that used a specific accelerator chip for TLS [119].

Notably, these latter attacks were the first practical timing attacks against TLS. The timing differences observed by the researchers over a switched network were between 1 and 23 microseconds, allowing them to extract the TLS pre-master secret in a realistic measurement setup.

20.6.3 DROWN

In 2016, a group of academic and industrial researchers from Israel, Germany, and the United States published a new cross-protocol attack called Decrypting RSA using Obsolete and Weakened eNcryption (DROWN) that uses a protocol-level Bleichenbacher-style oracle in SSL version 2 to decrypt TLS traffic [12].

To decrypt a 2,048-bit RSA TLS ciphertext using DROWN, Eve must observe 1,000 TLS handshakes, initiate 40,000 SSLv2 connections, and perform 2^50 offline computations. While 2^50 sounds like a large number at first, the researchers implemented DROWN and were able to decrypt a TLS 1.2 handshake that uses a 2,048-bit RSA public key in less than 8 hours.

In a second iteration, the researchers improved their attack by exploiting vulnerabilities in the handshake code of the then-current versions of the OpenSSL cryptographic library. The researchers discovered that these vulnerabilities create even more powerful Bleichenbacher oracles that facilitate a significant reduction in the amount of computation required for DROWN. With the improved attack, the TLS ciphertext could be decrypted in 1 minute on a single CPU.

By performing internet-wide scans, the researchers determined that at the time of their publication, 33% of HTTPS servers were vulnerable to the generic DROWN attack and 22% were vulnerable to the improved DROWN attack.

20.6.4 ROBOT

Return Of Bleichenbacher’s Oracle Threat (ROBOT) is not the name of an attack, but the acronym of a large-scale campaign performed in 2018 by Böck, Somorovsky, and Young in order to evaluate how widespread Bleichenbacher’s RSA vulnerability was on the internet [35]. Their results showed that 20 years after the original publication by Daniel Bleichenbacher, almost one-third of the top 100 domains in the Alexa Top 1 Million list – including well-known tech companies such as Facebook and PayPal – were affected by that vulnerability.

To demonstrate how dangerous Bleichenbacher’s attack is in practice, Böck, Somorovsky, and Young signed a message using the private key of facebook.com’s HTTPS certificate.

In 2019, a group of researchers around Eyal Ronen and Adi Shamir performed a new evaluation of then-current popular TLS implementations in order to determine whether they exhibit information leakages that lead to Bleichenbacher-style oracles [154].

They discovered that most TLS implementations were vulnerable to attacks that exploit information leakage from various micro-architectural side channels in order to implement a padding oracle. The oracle, in turn, can be used to decrypt or sign a message.
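All of the attacks in this section rest on the same defect: the server's handling of an RSA-encrypted premaster secret reveals, through an error code or a timing difference, whether the PKCS#1 v1.5 padding was valid. The following added example (written for this text, not code from the book or from any TLS library) contrasts the oracle-leaking shape of that check with the countermeasure TLS 1.2 prescribes in RFC 5246, section 7.4.7.1: evaluate every check without branching out early and, on any failure, silently substitute a random premaster secret so the handshake fails later at Finished in the same way for every malformed input. `make_block`, `unpad_leaky` and `unpad_hardened` are names chosen here; the block size of 128 bytes is a constructed test value.

```python
import os

PMS_LEN = 48  # TLS premaster secret length (RFC 5246)

def make_block(pms: bytes, k: int = 128) -> bytes:
    """Constructed test input: a PKCS#1 v1.5 type-2 block  00 02 PS 00 M."""
    return b"\x00\x02" + b"\x41" * (k - len(pms) - 3) + b"\x00" + pms

def unpad_leaky(em: bytes, client_version: bytes) -> bytes:
    """Oracle-leaking shape: distinct errors and early returns, so a peer
    can learn *which* check failed, or simply how long the check took."""
    if em[:2] != b"\x00\x02":
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 10:  # -1 (no separator) or padding string shorter than 8 bytes
        raise ValueError("bad padding")
    pms = em[sep + 1:]
    if len(pms) != PMS_LEN:
        raise ValueError("bad length")
    if pms[:2] != client_version:
        raise ValueError("version mismatch")
    return pms

def unpad_hardened(em: bytes, client_version: bytes) -> bytes:
    """RFC 5246 7.4.7.1 countermeasure: run every check, never exit early,
    and on any failure return a fresh random PMS instead of an error.
    (CPython gives no constant-time guarantee; this shows the required
    structure, which a C implementation would realise with masked ops.)"""
    k = len(em)                      # k is the public modulus length
    assert k >= PMS_LEN + 11         # room for 00 02, >= 8 PS bytes, 00
    random_pms = os.urandom(PMS_LEN)
    ok = int(em[0] == 0x00) & int(em[1] == 0x02)
    for i in range(2, k - PMS_LEN - 1):      # PS must contain no zero byte
        ok &= int(em[i] != 0x00)
    ok &= int(em[k - PMS_LEN - 1] == 0x00)   # separator at a fixed position
    candidate = em[k - PMS_LEN:]
    ok &= int(candidate[0] == client_version[0])
    ok &= int(candidate[1] == client_version[1])
    mask = -ok & 0xFF                 # 0xFF when every check passed, else 0x00
    # branch-free select: candidate if ok, otherwise the random PMS
    return bytes((c & mask) | (r & ~mask & 0xFF)
                 for c, r in zip(candidate, random_pms))
```

With the hardened variant a malformed block is indistinguishable from a well-formed one until the Finished message, which is the point: the attacker loses the bit of information the oracle needs.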
