A joint team of specialists from Tel Aviv University, the University of Adelaide, the University of Michigan, the Weizmann Institute, as well as the NCC Group and Data61, has presented a report (PDF) on new variations of the Bleichenbacher attack, which poses a threat even to the newest TLS 1.3.
To understand the essence of the problem, recall what the Bleichenbacher attack is. Back in 1998, Bell Laboratories specialist Daniel Bleichenbacher discovered a problem (PDF) in how a TLS server behaves when its operator has chosen to protect the key exchange between client and server with RSA.
The attack Bleichenbacher developed rests on the following: before an encrypted connection is set up, the client randomly selects a session key, encrypts it with the server's public key and sends it to the server. The server decrypts this “message”, keeps a copy of the session key and subsequently uses it to identify the client. Thus the client is validated, and a secure HTTPS connection is established.
Since the RSA algorithm is not sufficiently secure on its own, so-called padding is used in addition: meaningless data is added to the information being encrypted, which is meant to increase the strength of the encryption. Bleichenbacher discovered a problem in the case where session keys encrypted with RSA use PKCS #1 v1.5 padding.
It turned out that an attacker could simply send random keys to the TLS server and ask whether they were correct. The real key can be recovered from the server's responses alone: the simple “yes / no” it returns to the question “is this the RSA-encrypted session key?”.
However, after the discovery of this bug, the use of the RSA algorithm was not abandoned. Instead, the authors of the TLS standard implemented a series of countermeasures intended to prevent such brute-force attacks. Unfortunately, this was clearly not enough, and information security specialists have repeatedly found other ways to carry out the Bleichenbacher attack. Relevant studies were presented in 2003, 2012, 2014 and 2015. Among the most recent variations of this problem are the attacks called DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) and ROBOT (Return Of Bleichenbacher's Oracle Threat), from 2016-2017.
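To make the oracle described above concrete, here is an added illustration in Python that is not part of the report or of this article. It shows the PKCS #1 v1.5 block layout that Bleichenbacher's “yes / no” question interrogates, and the standard TLS 1.2 countermeasure referred to above: a server must never reveal whether the padding (or the embedded protocol version) was valid, so on any failure it silently substitutes a random premaster secret and carries on. The key size, version bytes and sample block are constructed assumptions for the demo; real RSA decryption is omitted, the functions operate on the already-decrypted block.

```python
import hmac
import secrets

PREMASTER_LEN = 48  # TLS RSA premaster secret: 2 version bytes + 46 random bytes


def pkcs1_v15_pad(payload: bytes, k: int) -> bytes:
    """Build a conforming PKCS #1 v1.5 type-2 block of k bytes (constructed
    sample for the demo; a real client uses random non-zero padding bytes)."""
    ps_len = k - 3 - len(payload)
    if ps_len < 8:
        raise ValueError("modulus too small for payload")
    ps = bytes((i % 255) + 1 for i in range(ps_len))  # non-zero filler, PS
    return b"\x00\x02" + ps + b"\x00" + payload


def pkcs1_v15_unpad(em: bytes, k: int):
    """Strict PKCS #1 v1.5 check on an RSA-decrypted block.

    Returns the payload, or None when the block is not conforming.  Every
    early return here is a distinguishable outcome: if the server lets that
    outcome leak (error message, timing, cache footprint) it becomes the
    "yes / no" oracle Bleichenbacher's attack needs.
    """
    if len(em) != k or k < 11:
        return None
    if em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(0x00, 2)          # first 0x00 after the 0x02 type byte
    if sep < 10:                    # at least 8 bytes of PS (sep == -1 fails too)
        return None
    return em[sep + 1:]


def tls_rsa_premaster(em: bytes, k: int, client_version: bytes) -> bytes:
    """RFC 5246 section 7.4.7.1 style handling of the decrypted block.

    Instead of signalling a padding or version failure, generate a fresh
    random premaster secret and use it.  The handshake then fails later at
    the Finished message in exactly the same way for a conforming and a
    non-conforming ciphertext, so the attacker gets no answer to its query.
    """
    fallback = secrets.token_bytes(PREMASTER_LEN)  # drawn unconditionally
    payload = pkcs1_v15_unpad(em, k)
    ok = payload is not None and len(payload) == PREMASTER_LEN
    # version check folded into the same decision; compare_digest avoids an
    # early-exit comparison on the version bytes
    ok = ok and hmac.compare_digest(payload[:2], client_version)
    return payload if ok else fallback


if __name__ == "__main__":
    k = 128                                   # constructed: 1024-bit modulus
    version = b"\x03\x03"                     # constructed: TLS 1.2 client_version
    secret = version + bytes(range(46))       # constructed premaster secret
    good = pkcs1_v15_pad(secret, k)
    bad = bytearray(good); bad[1] = 0x01      # wrong block type
    print("conforming  ->", tls_rsa_premaster(good, k, version) == secret)
    print("malformed   ->", len(tls_rsa_premaster(bytes(bad), k, version)), "random bytes")
```

Note that this toy `pkcs1_v15_unpad` branches on the data, which is acceptable only because `tls_rsa_premaster` hides its result; production libraries additionally perform the unpadding itself in constant time, since the cache-based variants discussed in the report target precisely the memory-access pattern of that check.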
Now the aforementioned group of specialists has once again found new ways to attack RSA with PKCS #1 v1.5 padding. Worse, in certain situations the attacks proposed by the researchers affect not only TLS but also the QUIC encryption protocol developed by Google.
The researchers describe their work as a side-channel attack that uses data “leaking” through the processor cache and makes it possible to compromise RSA key exchange in certain TLS implementations. Although the latest version of TLS (1.3) uses RSA only minimally, the experts found that in some cases it is possible to downgrade the connection to TLS 1.2, after which the Bleichenbacher attack can be applied.
After examining various TLS implementations, the experts concluded that OpenSSL, Amazon s2n, MbedTLS, Apple CoreTLS, Mozilla NSS, WolfSSL and GnuTLS are vulnerable to the new variations of the old problem. All of these libraries have already received updates, as the researchers notified the developers of their findings last fall. The report also notes that BearSSL and Google BoringSSL are not affected by the problem.
The vulnerabilities identified by experts were assigned the following identifiers: CVE-2018-12404, CVE-2018-19608, CVE-2018-16868, CVE-2018-16869 and CVE-2018-16870.