A new variant of a 25-year-old vulnerability that enables RSA decryption has been presented at the 28th European Symposium on Research in Computer Security. The paper, Everlasting robot: the Marvin attack, discusses how error handling in SSL/TLS servers is still vulnerable to an RSA “padding mode” attack that was first discovered in 1998.
This attack fully breaks the confidentiality of the TLS protocol when used with RSA encryption. In 2019, researchers showed that many internet servers were still vulnerable to slight variations of the original attack.
In a blog post describing the new variant of the vulnerability, Hubert Kario, a senior quality engineer at Red Hat, said: “We have had 25 years of people trying to patch this fundamentally broken padding mode. Robot has shown that the far easier workaround was implemented incorrectly by a large number of implementations. Implementing the Marvin workaround correctly is much more tricky, as it must include actually testing it for side channel leakage.”
In the paper discussing the flaw, Kario wrote: “We have successfully attacked multiple implementations using only timing of decryption operation and shown that many others are vulnerable.”
Kario said that the vulnerability means an attacker is able to decrypt RSA ciphertexts and forge signatures. On a TLS server that defaults to RSA encryption key exchange, Kario said the attacker would be able to record a session and decrypt it later.
However, for TLS hosts that use what Kario described as “forward secure ciphersuites”, he said the attacker would have to perform a massively parallel attack to forge a server signature before the connection attempt. Kario said that this makes such an attack much harder, but not impossible.
According to Kario, the attack is also applicable to other interfaces that perform RSA decryption in an automated manner such as S/MIME, JSON web tokens, or hardware tokens.
He said: “We have identified the vulnerability in multiple implementations and confirmed fixes in a few of them, but believe that most cryptographic implementations are vulnerable in practice.”
Apart from patching, where patches are available, Kario urged IT administrators to “disable ciphersuites that use RSA encryption”, adding that this is the recommended way to fix this vulnerability.
In the paper, Kario said that disabling these ciphersuites is preferred over patching because implementing the workaround correctly is very hard, if not impossible. Discussing the specific vulnerability, he said: “We especially recommend that the PKCS#1 v1.5 padding for RSA encryption should not be used, and any protocols that allow its use should be deprecated, and forbid its use completely.”
According to Kario, any implementation of cryptographic arithmetic that uses general-purpose multi-precision numerical methods is vulnerable to side-channel attacks. “Any code that uses variable size internal representation of integers is, most likely, vulnerable to side-channel attacks,” he warned.
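The “padding mode” at issue and the workaround that the article says is so hard to get right can be illustrated with an added example (written for this page, not code from the paper or from any of the implementations it examined). It shows a PKCS#1 v1.5 unpadding routine in the shape that leaks: it returns early and raises a distinguishable error as soon as a padding byte looks wrong. Beside it is the TLS-style workaround: every byte is checked regardless of earlier results, no error is ever signalled, and the output is always a fixed-length value selected by a bitmask, so a padding failure yields a caller-supplied random fallback instead of a detectable error. The function names, the 128-byte modulus size and the 48-byte message length (the TLS pre-master secret size) are assumptions for the demonstration. Python itself offers no constant-time guarantees, so this shows the branch-free pattern rather than a measured absence of leakage, which is exactly why the article says the workaround must be tested for side-channel leakage rather than merely written down. It does not address the separate variable-size integer issue raised in the last paragraph.

```python
import secrets

PMS_LEN = 48  # assumed fixed plaintext length (TLS pre-master secret size)


def pad_pkcs1_v15(msg: bytes, k: int) -> bytes:
    """Build an encryption block EM = 00 || 02 || PS || 00 || M (PS: nonzero random, >= 8 bytes)."""
    ps_len = k - 3 - len(msg)
    assert ps_len >= 8, "message too long for this modulus size"
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg


def unpad_naive(em: bytes, k: int) -> bytes:
    """Leaky form: early exits and an error that the caller (and the network) can observe."""
    if len(em) != k or em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("invalid padding")  # first exit point, taken before the rest is looked at
    sep = em.find(b"\x00", 2)
    if sep == -1 or sep < 10:
        raise ValueError("invalid padding")  # second exit point, reached only after a scan
    return em[sep + 1:]


def ct_eq_u8(a: int, b: int) -> int:
    """Return 0xFF if a == b else 0x00 without a data-dependent branch."""
    x = (a ^ b) & 0xFF
    x |= x >> 4
    x |= x >> 2
    x |= x >> 1          # low bit is now 1 iff x was nonzero
    return ((x & 1) - 1) & 0xFF


def ct_select(mask: int, a: bytes, b: bytes) -> bytes:
    """Bytewise select: mask 0xFF picks a, mask 0x00 picks b; both inputs must be the same length."""
    inv = mask ^ 0xFF
    return bytes((x & mask) | (y & inv) for x, y in zip(a, b))


def unpad_pkcs1_v15_tls(em: bytes, k: int, fallback: bytes) -> bytes:
    """Workaround form: check every byte, never signal an error, always return PMS_LEN bytes.

    On any padding failure the caller's random fallback is returned, so an observer
    sees the same code path, the same length and no error either way.
    """
    assert len(em) == k and len(fallback) == PMS_LEN and k >= PMS_LEN + 11
    sep = k - PMS_LEN - 1            # position the 0x00 separator must occupy
    good = ct_eq_u8(em[0], 0x00) & ct_eq_u8(em[1], 0x02)
    for i in range(2, sep):          # every PS byte must be nonzero; loop bound is fixed
        good &= ct_eq_u8(em[i], 0x00) ^ 0xFF
    good &= ct_eq_u8(em[sep], 0x00)
    return ct_select(good, em[sep + 1:], fallback)


if __name__ == "__main__":
    k = 128                                   # assumed 1024-bit modulus for the demo
    pms = bytes(range(PMS_LEN))               # constructed sample plaintext
    fallback = secrets.token_bytes(PMS_LEN)   # fresh random value, as TLS prescribes
    em = pad_pkcs1_v15(pms, k)
    assert unpad_pkcs1_v15_tls(em, k, fallback) == pms
    corrupted = bytearray(em)
    corrupted[1] = 0x01                       # wrong block type
    assert unpad_pkcs1_v15_tls(bytes(corrupted), k, fallback) == fallback
    print("padding check ok; corrupted block yielded the fallback, not an error")
```

The naive version is the shape the article's "error message handling" refers to: the two exits and the early return give an observer a way to distinguish "well formed" from "malformed". The hardened version removes that signal at the cost of always doing the full amount of work, and it only helps if the code that uses the returned 48 bytes also behaves identically in both cases.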