Dan Kegel wrote:
>
> (Crypto newbie here.)
>
(Me too.)
>
> How vulnerable is the current OpenSSL to the Bleichenbacher attack?
> Must be old hat by now, but someone brought it up at work.
> The source tree does not seem to contain the word 'bleichenbacher', ...
Typo I think. Grep openssl-0.9.5a/CHANGES for "Bleich"
--------------------------
Ed Kubaitis ([EMAIL PROTECTED])
CCSO - University of Illinois at Urbana-Champaign
> TLS ( http://www.ietf.org/rfc/rfc2246.txt ) notes that the
> attack relies on the server responding differently depending
> on whether the RSA block is formatted correctly or not:
>
> > 7.4.7.1. RSA encrypted premaster secret message
> > ...
> > Note: An attack discovered by Daniel Bleichenbacher [BLEI] can be used
> > to attack a TLS server which is using PKCS#1 encoded RSA. The
> > attack takes advantage of the fact that by failing in different
> > ways, a TLS server can be coerced into revealing whether a
> > particular message, when decrypted, is properly PKCS#1 formatted
> > or not.
> >
> > The best way to avoid vulnerability to this attack is to treat
> > incorrectly formatted messages in a manner indistinguishable from
> > correctly formatted RSA blocks. Thus, when it receives an
> > incorrectly formatted RSA block, a server should generate a
> > random 48-byte value and proceed using it as the premaster
> > secret. Thus, the server will act identically whether the
> > received RSA block is correctly encoded or not.
>
> The book "SSL and TLS Essentials" says about the same thing, in more
> detail.
>
> So has OpenSSL been cleaned up to make this kind of attack difficult?
> Thanks,
> Dan
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> Development Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
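
The countermeasure in the quoted RFC 2246 note, sketched in C as an added example (not part of the thread and not OpenSSL's code). The names `premaster_from_block`, `ct_is_zero` and `demo` are hypothetical, the sample block is constructed, and drawing the random bytes before the check and selecting without a branch goes one step beyond the RFC's wording.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PMS_LEN 48  /* TLS premaster secret length */

/* 0xFF if x == 0, else 0x00, with no branch on x. */
static uint8_t ct_is_zero(uint8_t x) { return (uint8_t)(((uint32_t)x - 1) >> 24); }

/* em: RSA-decrypted block of k bytes (k = modulus size, public).
 * fallback: 48 fresh random bytes the caller drew BEFORE decrypting.
 * Returns nothing on purpose: the caller has no validity flag to branch on. */
void premaster_from_block(const uint8_t *em, size_t k,
                          const uint8_t fallback[PMS_LEN], uint8_t out[PMS_LEN]) {
    uint8_t bad, mask;
    size_t i, sep;
    /* k is public, so branching on it leaks nothing about the plaintext */
    if (k < PMS_LEN + 11) { memcpy(out, fallback, PMS_LEN); return; }
    sep = k - PMS_LEN - 1;                /* where the 0x00 separator must sit */
    bad = em[0] | (em[1] ^ 0x02);         /* header must be 00 02 */
    for (i = 2; i < sep; i++)
        bad |= ct_is_zero(em[i]);         /* padding bytes must be nonzero */
    bad |= em[sep];
    mask = ct_is_zero(bad);               /* 0xFF = well formed, 0x00 = not */
    for (i = 0; i < PMS_LEN; i++)
        out[i] = (uint8_t)((em[sep + 1 + i] & mask) | (fallback[i] & ~mask));
}

/* Constructed 64-byte sample block; flip_at >= 0 XORs that byte with 0xAA
 * (zeroes a padding byte, or breaks the header or separator).
 * Returns 1 if the embedded secret came out, 0 if the fallback did. */
int demo(int flip_at) {
    uint8_t em[64], fb[PMS_LEN], out[PMS_LEN];
    memset(em, 0xAA, sizeof em);          /* nonzero padding */
    em[0] = 0x00; em[1] = 0x02; em[15] = 0x00;
    memset(em + 16, 0x11, PMS_LEN);       /* stand-in premaster secret */
    memset(fb, 0x77, PMS_LEN);            /* stand-in for random bytes */
    if (flip_at >= 0) em[flip_at] ^= 0xAA;
    premaster_from_block(em, sizeof em, fb, out);
    if (memcmp(out, em + 16, PMS_LEN) == 0) return 1;
    return memcmp(out, fb, PMS_LEN) == 0 ? 0 : -1;
}

int main(void) { return (demo(-1) == 1 && demo(1) == 0) ? 0 : 1; }
```

The RSA decryption itself and the rest of the handshake are outside this sketch; the caller must supply 48 fresh random bytes for every handshake.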