Adaptive chosen-ciphertext attack
==Practical attacks==
Adaptive chosen-ciphertext attacks were perhaps considered a theoretical concern that had not been manifested in practice until 1998, when [[Daniel Bleichenbacher]] (then of [[Bell Laboratories]]) demonstrated a practical attack against systems using RSA encryption in concert with the [[PKCS 1|PKCS#1 v1.5]] encoding function, including a version of the [[Secure Sockets Layer]] (SSL) protocol used by thousands of [[web server]]s at the time.<ref>{{cite conference |conference=CRYPTO '98 |conference-url=https://link.springer.com/book/10.1007/BFb0055715 |date=August 23–27, 1998 |first=Daniel |last=Bleichenbacher |title=Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1 |publisher=Springer Berlin Heidelberg |place=Santa Barbara, California |pages=1–12 |doi=10.1007/BFb0055716 |url=https://link.springer.com/content/pdf/10.1007%2FBFb0055716.pdf |isbn=978-3-540-64892-5 |doi-access=free}}</ref> The Bleichenbacher attack, also known as the million message attack, took advantage of flaws within the PKCS #1 v1.5 padding function to gradually reveal the content of an RSA-encrypted message. Under this padding function, padded plaintexts must follow a fixed format. If the decryption device (e.g. an SSL-equipped web server) somehow reveals whether the padding is valid, it also serves as an "oracle" that reveals information on the secret key. Finding the whole key requires sending several million test ciphertexts to the target.<ref>{{cite web |last=Pornin |first=Thomas |year=2014 |title=Can you explain Bleichenbacher's CCA attack on PKCS#1 v1.5? |url=https://crypto.stackexchange.com/a/12706 |website=Cryptography Stack Exchange |language=en}}</ref> In practical terms, this means that an SSL session key can be exposed in a reasonable amount of time, perhaps a day or less.

With slight variations, this vulnerability was still exploitable on many servers in 2018, under the new name "Return Of Bleichenbacher's Oracle Threat" (ROBOT).<ref>{{cite web |url=https://robotattack.org |title=ROBOT attack |author=Hanno Böck |author2=Juraj Somorovsky |author3=Craig Young |access-date=February 27, 2018}}</ref>
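The oracle described above is simply a decryption routine whose behaviour differs depending on whether the PKCS#1 v1.5 padding checks out. The following Python is an added example (not part of the article, and not code from Bleichenbacher's paper or the ROBOT authors) that places a leaky unpadding routine next to the mitigated shape TLS adopted in response: check every byte without an early exit and, on any failure, substitute a fresh random secret of the expected length rather than signal an error. The RSA key is a constructed toy built from two Mersenne primes so the code runs offline; the message length, block contents and function names are all assumptions made for this illustration.

```python
"""Toy PKCS#1 v1.5 decryption: a padding-oracle-leaky unpad beside a hardened one.

Added illustration, not code from the article or from any named project.
The RSA key is a constructed toy (~150-bit modulus) so the example runs
offline; it is not secure and exists only to make the padding check concrete.
"""
import secrets

# Constructed toy key: p = 2^61 - 1 and q = 2^89 - 1 are both Mersenne primes.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8          # modulus length in bytes (19 for this toy key)


class PaddingError(Exception):
    """A distinct error type: exactly the signal that turns a server into an oracle."""


def pkcs1_v15_pad(msg: bytes) -> bytes:
    """EME-PKCS1-v1_5 type 2 block: 00 02 <PS: at least 8 nonzero random bytes> 00 <msg>."""
    if len(msg) > K - 11:
        raise ValueError("message too long for this modulus")
    ps_len = K - 3 - len(msg)
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg


def rsa_encrypt_block(block: bytes) -> int:
    """Textbook RSA on an already formatted block (deliberately no padding check here)."""
    return pow(int.from_bytes(block, "big"), E, N)


def encrypt(msg: bytes) -> int:
    return rsa_encrypt_block(pkcs1_v15_pad(msg))


def _decrypt_block(c: int) -> bytes:
    return pow(c, D, N).to_bytes(K, "big")


def decrypt_leaky(c: int) -> bytes:
    """Vulnerable shape: each padding check fails fast with a distinguishable error.
    Anyone who can tell PaddingError from success (error code, alert type, timing)
    holds the padding oracle the article describes."""
    block = _decrypt_block(c)
    if block[0] != 0 or block[1] != 2:
        raise PaddingError("bad block type")
    sep = block.find(b"\x00", 2)
    if sep == -1 or sep < 10:          # PS must be at least 8 nonzero bytes
        raise PaddingError("bad padding string")
    return block[sep + 1:]


def decrypt_hardened(c: int, msg_len: int) -> bytes:
    """Mitigated shape, modelled on the TLS countermeasure (RFC 5246, section 7.4.7.1):
    inspect every byte with no early exit, and on any failure return a freshly
    generated random secret of the expected length instead of raising. The caller's
    handshake then fails later in a way that does not depend on *why* the padding was
    wrong. (Python gives no real constant-time guarantee; the control-flow shape is
    the point.)"""
    block = _decrypt_block(c)
    bad = (block[0] != 0) | (block[1] != 2)
    sep_index = K - 1 - msg_len             # position the 0x00 separator must occupy
    bad |= sep_index < 10                   # header (2) + PS (>= 8) before the separator
    for i in range(2, K):
        b = block[i]
        if i < sep_index:
            bad |= (b == 0)                 # PS bytes must all be nonzero
        elif i == sep_index:
            bad |= (b != 0)                 # separator must be zero
    candidate = block[K - msg_len:]
    fallback = secrets.token_bytes(msg_len)  # always generated, never skipped
    return fallback if bad else candidate


def demo() -> dict:
    """Run both decryption paths on a well-formed and a malformed ciphertext."""
    msg = b"pms-0001"                       # 8 bytes: the most this toy modulus carries
    c_good = encrypt(msg)
    # Constructed malformed block: block type 0x01 where 0x02 is required.
    bad_block = b"\x00\x01" + b"\xff" * (K - 3 - len(msg)) + b"\x00" + msg
    c_bad = rsa_encrypt_block(bad_block)
    out = {
        "leaky_good": decrypt_leaky(c_good),
        "hardened_good": decrypt_hardened(c_good, len(msg)),
    }
    try:
        decrypt_leaky(c_bad)
        out["leaky_bad"] = "accepted"
    except PaddingError as err:
        out["leaky_bad"] = f"PaddingError: {err}"   # distinguishable answer: the oracle
    out["hardened_bad"] = decrypt_hardened(c_bad, len(msg))  # random bytes, no error
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14s} {value!r}")
```

The malformed ciphertext draws a `PaddingError` from the leaky path but only an unremarkable 8-byte value from the hardened one, which is why a server built the second way gives a sender of millions of test ciphertexts nothing to learn from the replies. For ROBOT-era systems the same distinction applied to TLS alert types and timing, not just exception classes, so an operator auditing a deployment should look at every observable difference between the valid and invalid cases, not only the error message.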