Cryptography Reference
In-Depth Information
Although a lazy system administrator can render all of your cautious cod-
ing moot, you must still ensure that a diligent system administrator's efforts
don't go to waste.
Daniel Bleichenbacher discovered an interesting attack on the RSA private
key. This attack wasn't on the server, but on most common implementations of
TLS. His idea was to ignore the supplied public key and instead pass a specifi -
cally chosen bit string in the client key exchange message. At this point, the
server has no choice but to attempt to decrypt it using its private key; it almost
certainly retrieves gibberish. Because the server expects a PKCS 1.5-padded
premaster secret, it fi rst checks that the fi rst byte is the expected padding byte
0x02; if it isn't, it issues an alert immediately.
Bleichenbacher took advantage of this alert — specifi cally that it was, at the
time, always implemented as a different alert message than the alert that would
occur later if a bad record MAC occurred. What would happen is that, most
of the time, the server would immediately send an alert indicating that the
RSA decryption failed. However, occasionally, the decrypted message would
accidentally appear as a valid, padded message. The rest would decrypt in a
garbled, unpredictable way, and the subsequent fi nished message would result in
a bad record MAC, but the damage would have been done. The attacker knew
that the chosen ciphertext did decrypt to a correctly padded message, even if
he didn't know what that message was. In this way, TLS was leaking bits of
information about the private key, which an attacker could exploit with about
a million carefully chosen key exchanges.
The solution to this attack is simple: ignore padding errors and continue on
with the key exchange, letting the fi nal fi nished message failure abort the hand-
shake. This way, the attacker doesn't know if the key exchange decrypted to a
properly padded message or not. The implementation presented here doesn't
address this, and is susceptible to the Bleichenbacher attack. If you want to tighten
up the code to defend against the attack, you can either modify rsa_decrypt
itself to go ahead and perform a decryption even if the padding type is unrec-
ognized, but still return an error code, or modify parse_client_key_exchange
to fi ll the premaster secret buffer with random values on a decryption failure
and just continue on with the handshake, allowing the fi nished verifi cation to
cause the handshake to fail.
When a Browser Displays Errors: Browser Trust
Issues
Of course, if you tried to connect to the SSL-secured web server described in
this chapter, you almost defi nitely received some variant of the error message
shown in Figure 7-5.
 
Search WWH ::




Custom Search