Ed Kubaitis wrote:
> Dan Kegel wrote:
> > How vulnerable is the current OpenSSL to the Bleichenbacher attack?
> > Must be old hat by now, but someone brought it up at work.
> > The source tree does not seem to contain the word 'bleichenbacher', ...
>
> Typo I think. Grep openssl-0.9.5a/CHANGES for "Bleich"
Oops, thanks. That says:
Changes between 0.9.1c and 0.9.2b [22 Mar 1999]

  *) Add OAEP encryption for the OpenSSL crypto library. OAEP is the improved
     padding method for RSA, which is recommended for new applications in PKCS
     #1 v2.0 (RFC 2437, October 1998).

     OAEP (Optimal Asymmetric Encryption Padding) has better theoretical
     foundations than the ad-hoc padding used in PKCS #1 v1.5. It is secure
     against Bleichenbacher's attack on RSA.
     [Ulf Moeller <[EMAIL PROTECTED]>, reformatted, corrected and integrated by
     Ben Laurie]
Still in newbie mode here - what if a client connects and sends
stuff using the old RSA padding scheme? OpenSSL still has to
support that. So the question still stands - does OpenSSL
treat incorrectly formatted RSA blocks indistinguishably from
properly formatted ones? I did try to look at the code, but
I don't know it well enough yet.
- Dan
> > TLS ( http://www.ietf.org/rfc/rfc2246.txt ) notes that the
> > attack relies on the server responding differently depending
> > on whether the RSA block is formatted correctly or not:
> >
> > > 7.4.7.1. RSA encrypted premaster secret message
> > > ...
> > > Note: An attack discovered by Daniel Bleichenbacher [BLEI] can be used
> > > to attack a TLS server which is using PKCS#1 encoded RSA. The
> > > attack takes advantage of the fact that by failing in different
> > > ways, a TLS server can be coerced into revealing whether a
> > > particular message, when decrypted, is properly PKCS#1 formatted
> > > or not.
> > >
> > > The best way to avoid vulnerability to this attack is to treat
> > > incorrectly formatted messages in a manner indistinguishable from
> > > correctly formatted RSA blocks. Thus, when it receives an
> > > incorrectly formatted RSA block, a server should generate a
> > > random 48-byte value and proceed using it as the premaster
> > > secret. Thus, the server will act identically whether the
> > > received RSA block is correctly encoded or not.
> >
> > The book "SSL and TLS Essentials" says about the same thing, in more
> > detail.
> >
> > So has OpenSSL been cleaned up to make this kind of attack difficult?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
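The RFC 2246 countermeasure quoted in the thread, as an added example that is not code from the thread or from OpenSSL: a textbook PKCS #1 v1.5 block-type-2 decoder that fails differently for each defect, beside one that never raises and always yields a 48-byte premaster secret, random whenever the block is malformed. The function names are chosen here, RSA decryption is assumed to have already produced the block, and the 128-byte sample block is constructed.

```python
import os

PREMASTER_LEN = 48  # TLS premaster secret size (RFC 2246, 7.4.7.1)

def pad_pkcs1_v15(msg: bytes, k: int, rand=os.urandom) -> bytes:
    """PKCS #1 v1.5 block type 2: 00 02 | >= 8 nonzero PS bytes | 00 | msg (k = modulus bytes)."""
    ps_len = k - len(msg) - 3
    assert ps_len >= 8, "modulus too small for this message"
    ps = bytes(b or 1 for b in rand(ps_len))  # padding string must contain no zero byte
    return b"\x00\x02" + ps + b"\x00" + msg

def unpad_leaky(em: bytes) -> bytes:
    """Textbook decoder, kept for contrast: each defect fails in a different way,
    which is the distinguishable behaviour the RFC text warns about."""
    if em[:2] != b"\x00\x02":
        raise ValueError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 10:  # -1 (no separator) or a padding string shorter than 8 bytes
        raise ValueError("bad padding")
    if len(em) - sep - 1 != PREMASTER_LEN:
        raise ValueError("bad length")
    return em[sep + 1:]

def unpad_tls(em: bytes, rand=os.urandom) -> bytes:
    """RFC 2246 countermeasure: no exception and no early exit. Every check folds
    into one 'bad' flag, and a byte mask selects either the decoded secret or a
    fresh random 48-byte value, so the caller proceeds identically either way.
    (Python is not constant-time; the single-path structure is the point.)"""
    fallback = rand(PREMASTER_LEN)
    bad = int(len(em) < PREMASTER_LEN + 11)      # too short to be well formed at all
    em = em.rjust(PREMASTER_LEN + 11, b"\x00")   # keep indexing uniform below
    bad |= em[0] | (em[1] ^ 0x02)                # must start 00 02
    sep = -1
    for i in range(2, len(em)):                  # scan every byte, no break on success
        if em[i] == 0 and sep < 0:
            sep = i
    bad |= int(sep < 10) | int(len(em) - sep - 1 != PREMASTER_LEN)
    keep = 0xFF if bad == 0 else 0x00            # 0xFF selects the real secret, 0x00 the fallback
    secret = em[-PREMASTER_LEN:]                 # fixed slice; meaningless if the block was bad
    return bytes((s & keep) | (f & ~keep & 0xFF) for s, f in zip(secret, fallback))
```

Whichever value `unpad_tls` returns, the server derives keys from it and lets the client's Finished verification fail in the same way, so a forged ciphertext yields no padding oracle.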