Editing RSA cryptosystem (section)

===Adaptive chosen-ciphertext attacks===
In 1998, [[Daniel Bleichenbacher]] described the first practical [[adaptive chosen-ciphertext attack]] against RSA-encrypted messages using the PKCS&nbsp;#1&nbsp;v1 [[Padding (cryptography)|padding scheme]] (a padding scheme randomizes and adds structure to an RSA-encrypted message, so it is possible to determine whether a decrypted message is valid). Due to flaws with the PKCS&nbsp;#1 scheme, Bleichenbacher was able to mount a practical attack against RSA implementations of the [[Secure Sockets Layer]] protocol and to recover session keys. As a result of this work, cryptographers now recommend the use of provably secure padding schemes such as [[Optimal Asymmetric Encryption Padding]], and RSA Laboratories has released new versions of PKCS&nbsp;#1 that are not vulnerable to these attacks.

A variant of this attack, dubbed "BERserk", came back in 2014.<ref>{{cite web |title='BERserk' Bug Uncovered In Mozilla NSS Crypto Library Impacts Firefox, Chrome |date=25 September 2014 |url=https://www.darkreading.com/attacks-breaches/-berserk-bug-uncovered-in-mozilla-nss-crypto-library-impacts-firefox-chrome |access-date=4 January 2022}}</ref><ref>{{Cite web|url=https://www.mozilla.org/en-US/security/advisories/mfsa2014-73/|title=RSA Signature Forgery in NSS|website=Mozilla}}</ref> It impacted the Mozilla NSS Crypto Library, which was used notably by Firefox and Chrome.