Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1

Bleichenbacher, Daniel

doi:10.1007/bfb0055716

Cited by 389 publications

(337 citation statements)

References 7 publications

Supporting

Mentioning

330

Contrasting

Unclassified

Order By: Relevance

“…She may, furthermore, have access to more information, modeled by partial or full access to some oracles: a plaintext-checking oracle which, on input of a pair (m, c), answers whether c encrypts the message m. This attack has been named the Plaintext-Checking Attack [11]; a validity-checking oracle which, on input of a ciphertext c, just answers whether it is a valid ciphertext. This weak oracle (involved in the reaction attacks [8]) had been enough to break some famous encryption schemes [4,9], namely PKCS #1 v1.5; or the decryption oracle itself, which on the input of any ciphertext, except the challenge ciphertext, responds with the corresponding plaintext (non-adaptive/adaptive chosen-ciphertext attacks [10,12]). The latter, the adaptive chosen-ciphertext attack denoted CCA2, is clearly the strongest one.…”

Section: Security Notionsmentioning

confidence: 99%

RSA-OAEP Is Secure under the RSA Assumption

Fujisaki

Okamoto

Pointcheval

et al. 2001

Lecture Notes in Computer Science

126

View full text Add to dashboard Cite

Abstract.Recently Victor Shoup noted that there is a gap in the widely-believed security result of OAEP against adaptive chosen-ciphertext attacks. Moreover, he showed that, presumably, OAEP cannot be proven secure from the one-wayness of the underlying trapdoor permutation. This paper establishes another result on the security of OAEP. It proves that OAEP offers semantic security against adaptive chosenciphertext attacks, in the random oracle model, under the partial-domain one-wayness of the underlying permutation. Therefore, this uses a formally stronger assumption. Nevertheless, since partial-domain one-wayness of the RSA function is equivalent to its (full-domain) one-wayness, it follows that the security of RSA-OAEP can actually be proven under the sole RSA assumption, although the reduction is not tight.

show abstract

Section: Security Notionsmentioning

confidence: 99%

RSA-OAEP Is Secure under the RSA Assumption

Fujisaki

Okamoto

Pointcheval

et al. 2001

Lecture Notes in Computer Science

126

View full text Add to dashboard Cite

show abstract

“…The ciphertexts can be adaptively chosen so that information on previous decryptions is available before the next chosen ciphertext is submitted. These attacks have been used in the past to attack the RSA PKCS #1 v1.5 [12] encryption scheme [3], the Cipher-Block-Chaining (CBC) Mode of encryption when used with certain exploitable redundancies (e.g. padding schemes) [2,5,15,16,17] and the OpenPGP CFB mode [13,11,14] itself.…”

Section: Introductionmentioning

confidence: 99%

An Attack on CFB Mode Encryption as Used by OpenPGP

Mister

Zuccherato

2006

Selected Areas in Cryptography

View full text Add to dashboard Cite

Abstract. This paper describes an adaptive chosen-ciphertext attack on the Cipher Feedback (CFB) mode of encryption as used in OpenPGP. In most circumstances it will allow an attacker to determine 16 bits of any block of plaintext with about 2 15 oracle queries for the initial setup work and 2 15 oracle queries for each block. Standard CFB mode encryption does not appear to be affected by this attack. It applies to a particular variation of CFB used by OpenPGP. In particular it exploits an ad-hoc integrity check feature in OpenPGP which was meant as a "quick check" to determine the correctness of the decrypting symmetric key.

show abstract

“…Since its complete description is far beyond the scope of this article, we refer interested readers to the excellent book [10] for further details. In 1998 Bleichenbacher showed that the concrete encoding method called EME-PKCS1-v1_5, which is also employed in the SSL/TLS protocols, is highly vulnerable to chosen ciphertext attacks [1]. The attack assumes that information about the course of the decoding process is leaking to an attacker.…”

Section: Introductionmentioning

confidence: 99%

“…In this paper we present this attack. It turns out that the version number, which was initially believed to rule out the original attack [1], even allows a relatively optimized variant of the attack if the version number check is badly implemented. Our practical tests showed that among hundreds of SSL/TLS servers randomly chosen from the Internet, two thirds of them were vulnerable to our attack (for details see §4.3).…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Attacking RSA-Based Sessions in SSL/TLS

Klíma

Pokorný

Rosa

2003

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. In this paper we present a practically feasible attack on RSA-based sessions in SSL/TLS protocols. We show that incorporating a version number check over PKCS#1 plaintext used in the SSL/TLS creates a side channel that allows an attacker to invert the RSA encryption. The attacker can then either recover the premaster-secret or sign a message on behalf of the server. Practical tests showed that two thirds of randomly chosen Internet SSL/TLS servers were vulnerable. The attack is an extension of Bleichenbacher's attack on PKCS#1 (v. 1.5). We introduce the concept of a bad-version oracle (BVO) that covers the side channel leakage, and present several methods that speed up the original algorithm. Our attack was successfully tested in practice and the results of complexity measurements are presented in the paper.

show abstract

Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1

Cited by 389 publications

References 7 publications

RSA-OAEP Is Secure under the RSA Assumption

RSA-OAEP Is Secure under the RSA Assumption

An Attack on CFB Mode Encryption as Used by OpenPGP

Attacking RSA-Based Sessions in SSL/TLS

Contact Info

Product

Resources

About