An ancient timing oracle attack against RSA encryption has re-emerged, with a Red Hat researcher saying an oracle attack first discovered in 1998 by Daniel Bleichenbacher remains exploitable.
Bleichenbacher’s vulnerability has re-emerged several times over the years, the last time in 2018 when researchers Hanno Böck, Juraj Somorovsky and Craig Young published ROBOT, “the Return of Bleichenbacher’s Oracle Threat”.
What Bleichenbacher first discovered was that SSL servers returned error messages revealing whether the PKCS #1 v1.5 padding of a decrypted message was valid, which enabled an attack on the ciphertext that broke the confidentiality of Transport Layer Security (TLS) connections using RSA encryption.
An attacker who could observe the time of the decryption operation performed with the private key could decrypt captured RSA messages.
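As an added illustration of the padding check at the heart of this class of attack (example code written for this article, not code from any of the implementations it names), the function below shows a textbook PKCS #1 v1.5 unpadding routine whose early returns make rejection time depend on which check failed, beside a version that does the same work on every input and, on failure, returns a caller-supplied synthetic plaintext instead of an error. Python cannot guarantee constant-time execution, so the value is in the structure; the assumed inputs are the already-decrypted block `em` and the modulus size `k` in bytes (assumed below 256 so single-byte masks suffice).

```python
# Constructed example: PKCS #1 v1.5 (type 2) unpadding after the raw RSA
# private-key operation, in a timing-leaky and a constant-time shape.

def ct_eq(a: int, b: int) -> int:
    """0xFF if a == b else 0x00, with no data-dependent branch (16-bit inputs)."""
    x = (a ^ b) & 0xFFFF
    x |= x >> 8; x |= x >> 4; x |= x >> 2; x |= x >> 1   # fold any set bit to bit 0
    return ((x & 1) ^ 1) * 0xFF

def ct_ge(a: int, b: int) -> int:
    """0xFF if a >= b else 0x00 (inputs below 2**15), taken from the sign bit."""
    return ((((a - b) >> 15) & 1) ^ 1) * 0xFF

def ct_select(mask: int, a: int, b: int) -> int:
    """a if mask == 0xFF, b if mask == 0x00."""
    return (a & mask) | (b & (mask ^ 0xFF))

def unpad_leaky(em: bytes, k: int):
    """Textbook unpadding. Each early return makes the rejection time depend
    on which check failed, which is exactly the signal a timing oracle needs."""
    if len(em) != k or em[0] != 0x00:
        return None
    if em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)           # first 0x00 after the 0x02 byte
    if sep < 10:                        # needs >= 8 bytes of non-zero padding
        return None
    return em[sep + 1:]

def unpad_constant_time(em: bytes, k: int, synthetic: bytes) -> bytes:
    """Same checks, but every byte is inspected and nothing returns early.
    On failure the caller-supplied `synthetic` plaintext is returned instead of
    an error (implicit rejection); a real caller derives it from a secret key
    and the ciphertext so repeated failures look like ordinary decryptions."""
    assert len(em) == k and len(synthetic) <= k - 11    # public lengths only
    good = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02)
    found, sep = 0x00, 0
    for i in range(2, k):               # locate the first 0x00 separator
        is_zero = ct_eq(em[i], 0x00)
        sep = ct_select(is_zero & (found ^ 0xFF), i, sep)
        found |= is_zero
    good &= found & ct_ge(sep, 10)      # separator present and pad >= 8 bytes
    max_len = k - 11
    msg = bytearray(max_len)            # fixed amount of work, independent of sep
    for j in range(max_len):
        for i in range(k):
            msg[j] |= ct_select(ct_eq(i, sep + 1 + j), em[i], 0)
    syn = synthetic.ljust(max_len, b"\x00")
    out_len = ct_select(good, k - sep - 1, len(synthetic))
    return bytes(ct_select(good, msg[j], syn[j]) for j in range(out_len))
```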
The new attack, dubbed Marvin (a nod towards both The Hitchhiker’s Guide to the Galaxy and the previous ROBOT attack), was published here by Czech Red Hat researcher Hubert Kario.
He discovered that by using more statistically rigorous techniques than Bleichenbacher, the attack could still succeed against a number of cryptographic implementations, including OpenSSL, GnuTLS, Mozilla’s NSS (which Kario says remains vulnerable in spite of a patch), pyca/cryptography (only partially fixed), M2Crypto, and OpenSSL-ibmca.
His site provides a list of CVEs.
Kario worked for years on his attack, saying that while patches for the issue emerged between 2020 and 2023, two problems made for slow progress.
“First … we were struggling with false positives caused by the timing signal generated by the harness (test script)”, Kario wrote.
That caused the other issue: “Because of unreliable results it was hard to pinpoint the particular cause for the timing signal and without that, it was hard to convince upstream developers to work on the issue.
“Only when we created a constant-time test harness were we able to move forward with fixes (and that happened in the middle of 2022).”
Kario has published scripts to help test implementations for the vulnerability.
He also said system logs could provide some indication whether or not an attack has been launched against a system: “If you run a server and can be certain no one made a large number of connections that attempted RSA key exchange to any of your servers … then you weren’t attacked.”
Chiefly, however, Kario said, people should “stop using RSA PKCS#1 v1.5 encryption”, even if they believe they need it for backwards compatibility.