Cryptographic Attack from 1998 Still Works! Affects Facebook, PayPal, and Others
Security researchers have discovered a variation of a 19-year-old cryptographic attack that can be exploited by the attackers to get private encryption key necessary to decrypt secure HTTPS traffic. The attack, named ROBOT (Return Of Bleichenbacher’s Oracle Threat), is a resurrection of a bug that was first discovered nearly two decades ago and now affects some of the most popular websites, including the likes of Facebook and PayPal.
Remote, unauthenticated attacker may be able to obtain the TLS pre-master secret (TLS session key) and decrypt TLS traffic
The bug was first discovered in 1998 by Daniel Bleichenbacher of Bell Laboratories who had found a vulnerability in how TLS servers work when server owners encrypt server-client key communication with the RSA algorithm. Researchers Hanno Bock and Juraj Somorovsky from Hackmanit GmbH, Ruhr-Universitat Bochum, and Tripwire VERT’s Craig Young now suggest that by “using some slight variations this vulnerability can still be used against many HTTPS hosts in today’s Internet.”
The vulnerability is in the RSA implementation from at least 8 different vendors, including F5, Citrix, and Cisco. Researchers wrote that PKCS #1 1.5 padding error messages produced by the secure sockets layer (SSL) servers allow for an adaptive-chosen ciphertext attack that “fully breaks the confidentiality of TLS when used with RSA encryption.”
They added that they used minor variations of the original attack and were still successful, saying that the issue was hiding in plain sight.
“For hosts that usually use forward secrecy, but still support a vulnerable RSA encryption key exchange the risk depends on how fast an attacker is able to perform the attack. We believe that a server impersonation or man in the middle attack is possible, but it is more challenging.”
In simple terms, the original attack enabled attackers to launch a brute-force attack to guess the session key and decrypt all HTTPS messages exchanged between the TLS (HTTPS) server and the client browser. At the time, RSA wasn’t replaced with a secure algorithm, instead designers had added countermeasures to make brute-forcing difficult. The new method essentially focuses on these countermeasures to exploit the original bugs.
“Transport Layer Security (TLS) is a mechanism for a security transport over network connections, and is defined in RFC 5246. TLS may utilize RSA cryptography to secure the connection, and section 7.4.7 describes how client and server may exchange keys. Implementations that don’t closely follow the descriptions in RFC 5246 may leak information to an attacker when they handle PKCS #1 v1.5 padding errors in ways that lets the attacker distinguish between valid and invalid messages. An attacker may utilize discrepancies in TLS error messages to obtain the pre-master secret key private RSA key used by TLS to decrypt sensitive data.” – US Cert
While the attack only works under certain conditions, until the fixes are offered by the companies like Cisco and Citrix, the ROBOT research team and US-CERT have advised to disable TLS session key RSA encryption.
“Most modern TLS connections use an Elliptic Curve Diffie Hellman key exchange and need RSA only for signatures,” the research team wrote. “We believe RSA encryption modes are so risky that the only safe course of action is to disable them. Apart from being risky these modes also lack forward secrecy.”