ROBOT Attack Revives a 19-Year-Old Vulnerability

Daniel Bleichenbacher was the security researcher who first discovered, in 1998, that the PKCS #1 v1.5 padding error messages returned by a Transport Layer Security (TLS) server could enable an adaptive chosen-ciphertext attack. When the key exchange relies on RSA encryption, this attack completely shatters TLS confidentiality.

What Is the ROBOT Attack?

ROBOT stands for Return Of Bleichenbacher's Oracle Threat – the return of the original vulnerability that lets an attacker perform RSA decryption and signing operations with a TLS server's private key, without ever obtaining the key itself. Even though the flaw has been known since the late 1990s, many web hosts remain vulnerable to attacks against RSA in TLS.

How Does the ROBOT Attack Work?

An attacker simply sends Client Key Exchange (CKE) messages with deliberately wrong padding while a TLS-RSA handshake is being negotiated. Depending on how the server responds to these modified CKE messages, the attacker can determine whether the server exposes an oracle that makes it vulnerable. If the attacker finds such a server, they can decrypt any ciphertext, or sign any data, with the server's private key. To do so, the attacker first needs to...
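The oracle described above exists whenever a server handles malformed PKCS #1 v1.5 padding differently from well-formed padding. The following added example (not code from the original article, and assuming a hypothetical 128-byte RSA block) contrasts a leaky unpadding routine, which raises a distinct error for each failure mode, with the standard TLS countermeasure of silently substituting a random premaster secret so that every malformed Client Key Exchange message leads to the same later handshake failure.

```python
import secrets

PREMASTER_LEN = 48  # TLS premaster secret: 2 version bytes + 46 random bytes


def pad_pkcs1_v15(secret: bytes, k: int) -> bytes:
    """Constructed EME-PKCS1-v1_5 block: 00 02 <nonzero padding> 00 <secret>."""
    pad_len = k - 3 - len(secret)
    if pad_len < 8:
        raise ValueError("modulus too small for payload")
    padding = bytes(secrets.choice(range(1, 256)) for _ in range(pad_len))
    return b"\x00\x02" + padding + b"\x00" + secret


def unpad_leaky(block: bytes, version: bytes) -> bytes:
    """Naive unpadding that raises a distinct error per failure mode.
    Each distinguishable error (alert, message, or timing) is the oracle
    the article describes; kept here only to contrast with unpad_tls()."""
    if len(block) < 11 or block[:2] != b"\x00\x02":
        raise ValueError("bad block type")
    sep = block.find(0, 2)
    if sep < 0:
        raise ValueError("no separator")
    if sep < 10:
        raise ValueError("padding too short")  # fewer than 8 padding bytes
    secret = block[sep + 1:]
    if len(secret) != PREMASTER_LEN:
        raise ValueError("bad length")
    if secret[:2] != version:
        raise ValueError("bad version")
    return secret


def unpad_tls(block: bytes, version: bytes, rng=secrets.token_bytes) -> bytes:
    """RFC 5246 7.4.7.1 countermeasure: draw a random fallback secret first,
    run every check without early exit, and return the fallback on any
    failure. The handshake then fails at Finished in the same way for every
    malformed block, so the peer learns nothing about the padding.
    (Python cannot promise constant time; the uniform structure is the point.)"""
    fallback = version + rng(PREMASTER_LEN - 2)
    sep = block.find(0, 2)
    secret = block[sep + 1:] if sep >= 0 else b""
    ok = len(block) >= 11
    ok &= block[:2] == b"\x00\x02"
    ok &= sep >= 10
    ok &= len(secret) == PREMASTER_LEN
    ok &= secret[:2] == version
    return secret if ok else fallback
```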