(Crypto newbie here.)
How vulnerable is the current OpenSSL to the Bleichenbacher attack?
Must be old hat by now, but someone brought it up at work.
The source tree does not seem to contain the word 'bleichenbacher',
and it's only been mentioned in passing on this list.
TLS ( http://www.ietf.org/rfc/rfc2246.txt ) notes that the
attack relies on the server responding differently depending
on whether the RSA block is formatted correctly or not:
> 7.4.7.1. RSA encrypted premaster secret message
> ...
> Note: An attack discovered by Daniel Bleichenbacher [BLEI] can be used
> to attack a TLS server which is using PKCS#1 encoded RSA. The
> attack takes advantage of the fact that by failing in different
> ways, a TLS server can be coerced into revealing whether a
> particular message, when decrypted, is properly PKCS#1 formatted
> or not.
>
> The best way to avoid vulnerability to this attack is to treat
> incorrectly formatted messages in a manner indistinguishable from
> correctly formatted RSA blocks. Thus, when it receives an
> incorrectly formatted RSA block, a server should generate a
> random 48-byte value and proceed using it as the premaster
> secret. Thus, the server will act identically whether the
> received RSA block is correctly encoded or not.
The book "SSL and TLS Essentials" says about the same thing, in more
detail.
So has OpenSSL been cleaned up to make this kind of attack difficult?
Thanks,
Dan
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
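As an added illustration of the countermeasure the quoted RFC text describes (this is example code written for this page, not OpenSSL's implementation and not code from the poster), the following Python sketch shows the two server behaviours side by side: a naive decoder that fails loudly on a malformed PKCS#1 v1.5 block, and a decoder that folds every format check into one flag and substitutes a fresh random 48-byte premaster secret, so the handshake proceeds identically either way. All function names (`parse_pkcs1_v15_type2`, `server_premaster`, `naive_server_premaster`, `make_em`) are made up for the example; the input is the already-RSA-decrypted block EM, and Python itself offers no timing guarantees, so the point shown is the message-level indistinguishability the RFC asks for, not constant-time execution.

```python
import secrets

PREMASTER_LEN = 48   # TLS premaster secret is always 48 bytes (RFC 2246 7.4.7.1)
MIN_PS_LEN = 8       # PKCS#1 v1.5 type-2 padding string must be at least 8 bytes


def parse_pkcs1_v15_type2(em: bytes, msg_len: int) -> tuple[bool, bytes]:
    """Parse EM = 0x00 || 0x02 || PS || 0x00 || M, requiring len(M) == msg_len.

    Returns (well_formed, M). Every byte is inspected on every call and all
    failure conditions are OR-ed into a single flag, so the caller cannot
    learn *which* check failed from the control flow.
    """
    k = len(em)
    # k is the RSA modulus length, which is public, so branching on it
    # reveals nothing about the plaintext.
    if k < 2 + MIN_PS_LEN + 1 + msg_len:
        return False, b"\x00" * msg_len
    bad = 0
    bad |= em[0] != 0x00
    bad |= em[1] != 0x02
    # Find the first 0x00 after the header but keep scanning to the end.
    sep = k
    for i in range(2, k):
        found = (em[i] == 0x00) & (sep == k)
        sep = i if found else sep
    bad |= sep == k                    # no separator byte at all
    bad |= (sep - 2) < MIN_PS_LEN      # padding string too short
    bad |= (k - sep - 1) != msg_len    # payload is not exactly msg_len bytes
    m = em[sep + 1:][:msg_len] if not bad else b"\x00" * msg_len
    return (not bad), m


def naive_server_premaster(em: bytes) -> bytes:
    """The behaviour the RFC warns about: a malformed block produces a
    distinguishable failure (here an exception, on the wire a different alert
    or an early abort), which is exactly the oracle the attack needs."""
    ok, pm = parse_pkcs1_v15_type2(em, PREMASTER_LEN)
    if not ok:
        raise ValueError("bad PKCS#1 padding")
    return pm


def server_premaster(em: bytes, rng=secrets.token_bytes) -> bytes:
    """RFC 2246 7.4.7.1 countermeasure: always continue with a 48-byte secret.

    The random fallback is drawn *before* validity is known, so good and bad
    blocks do the same work, and the final choice is a byte-wise mask select
    rather than an if/else on the secret-dependent flag.
    """
    fallback = rng(PREMASTER_LEN)
    ok, pm = parse_pkcs1_v15_type2(em, PREMASTER_LEN)
    mask = (-int(ok)) & 0xFF           # 0xFF when well-formed, 0x00 otherwise
    return bytes((p & mask) | (f & (~mask & 0xFF)) for p, f in zip(pm, fallback))


def make_em(premaster: bytes, k: int) -> bytes:
    """Build a well-formed type-2 block for testing (constructed sample input)."""
    ps_len = k - 3 - len(premaster)
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + premaster


if __name__ == "__main__":
    pm = bytes(range(PREMASTER_LEN))           # constructed premaster secret
    good = make_em(pm, 128)                    # 1024-bit modulus size
    tampered = b"\x00\x01" + good[2:]          # wrong block type byte
    print(server_premaster(good) == pm)        # True: real secret used
    print(len(server_premaster(tampered)))     # 48: random secret, no error
    try:
        naive_server_premaster(tampered)
    except ValueError as e:
        print("naive server leaks:", e)        # the oracle the attack exploits
```

With the hardened path the client-visible outcome for a malformed block is the same as for a correctly formatted one whose premaster secret the server simply does not share: the handshake continues and fails later on the Finished MAC, which gives a prober no per-message signal about the padding.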