Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks

As a countermeasure against the famous Bleichenbacher attack on RSA based ciphersuites, all TLS RFCs starting from RFC 2246 (TLS 1.0) propose "to treat incorrectly formatted messages in a manner indistinguishable from correctly formatted RSA blocks". In this paper we show that this objective has not been achieved yet (cf. Table 1): We present four new Bleichenbacher side channels, and three successful Bleichenbacher attacks against the Java Secure Socket Extension (JSSE) SSL/TLS implementation and against hardware security appliances using the Cavium NITROX SSL accelerator chip. Three of these side channels are timing-based, and two of them provide the first timing-based Bleichenbacher attacks on SSL/TLS described in the literature. Our measurements confirmed that all these side channels are observable over a switched network, with timing differences between 1 and 23 microseconds. We were able to successfully recover the PreMasterSecret using three of the four side channels in a realistic measurement setup.

[1]  Daniel Bleichenbacher,et al.  Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 , 1998, CRYPTO.

[2]  Larry J. Blunk,et al.  PPP Extensible Authentication Protocol (EAP) , 1998, RFC.

[3]  Christopher Allen,et al.  The TLS Protocol Version 1.0 , 1999, RFC.

[4]  James Manger,et al.  A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0 , 2001, CRYPTO.

[5]  John Kelsey,et al.  Compression and Information Leakage of Plaintext , 2002, FSE.

[6]  Jakob Jonsson,et al.  Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 , 2003, RFC.

[7]  Vlastimil Klíma,et al.  Attacking RSA-Based Sessions in SSL/TLS , 2003, CHES.

[8]  Bernard Aboba,et al.  Extensible Authentication Protocol (EAP) , 2004, RFC.

[9]  Gregory V. Bard,et al.  The Vulnerability of SSL to Chosen Plaintext Attack , 2004, IACR Cryptol. ePrint Arch..

[10]  David Brumley,et al.  Remote timing attacks are practical , 2003, Comput. Networks.

[11]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.1 , 2006, RFC.

[12]  Eric Rescorla,et al.  The Transport Layer Security (TLS) Protocol Version 1.2 , 2008, RFC.

[13]  Dan S. Wallach,et al.  Opportunities and Limits of Remote Timing Attacks , 2009, TSEC.

[14]  Hovav Shacham,et al.  Hey, you, get off of my cloud: exploring information leakage in third-party compute clouds , 2009, CCS.

[15]  Kenneth G. Paterson,et al.  Tag Size Does Matter: Attacks and Proofs for the TLS Record Protocol , 2011, ASIACRYPT.

[16]  Billy Bob Brumley,et al.  Remote Timing Attacks Are Still Practical , 2011, ESORICS.

[17]  Tibor Jager,et al.  On the Security of TLS-DHE in the Standard Model , 2012, CRYPTO.

[18]  Tibor Jager,et al.  Bleichenbacher's Attack Strikes again: Breaking PKCS#1 v1.5 in XML Encryption , 2012, ESORICS.

[19]  Graham Steel,et al.  Efficient Padding Oracle Attacks on Cryptographic Hardware , 2012, IACR Cryptol. ePrint Arch..

[20]  Kenneth G. Paterson,et al.  On the Security of the TLS Protocol: A Systematic Analysis , 2013, IACR Cryptol. ePrint Arch..

[21]  Kenneth G. Paterson,et al.  Lucky Thirteen: Breaking the TLS and DTLS Record Protocols , 2013, 2013 IEEE Symposium on Security and Privacy.

[22]  Jörg Schwenk,et al.  SoK: Lessons Learned from SSL/TLS Attacks , 2013, WISA.

[23]  Sean Turner,et al.  Transport Layer Security , 2014, IEEE Internet Computing.