Re: [Uta] FYI: improved attack against RSA PKCS1.5

Yaron Sheffer <yaronf.ietf@gmail.com> Sat, 08 March 2014 06:24 UTC

Message-ID: <531AB785.3070305@gmail.com>
Date: Sat, 08 Mar 2014 08:24:05 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Kohei Kasamatsu <kasamatsu.kohei@po.ntts.co.jp>, uta@ietf.org
References: <5319B429.9050405@po.ntts.co.jp>
In-Reply-To: <5319B429.9050405@po.ntts.co.jp>
Archived-At: http://mailarchive.ietf.org/arch/msg/uta/AbiP7KHkmDSb97UmFF6bkMqrENI

Hi Kohei,

Thanks for describing this attack. I guess the original Bleichenbacher 
attack and its derivatives do belong in the Attacks draft.

Sec. 7.4.7.1 of RFC 5246 (TLS 1.2) claims to be resistant to the 
Bleichenbacher attack, and as far as I understand your new attack 
improves the performance of that attack, but makes the same assumptions 
on the protocol as the older attack. Can you comment on the security of 
TLS 1.2 (or older versions) against your attack?

Thanks,
	Yaron

On 03/07/2014 01:57 PM, Kohei Kasamatsu wrote:
> Hi UTA folks,
>
>
> I'm Kohei Kasamatsu
>
> [1] is an improved attack against RSA PKCS1.5 by Bleichenbacher.
> I think that it is better to consider it in draft-sheffer-tls-bcp.
>
> I recommend the use of CCA-secure public key encryption (a variant of RSA) as
> the countermeasure (e.g. RSA-OAEP).
>
> [1] Romain Bardou, Riccardo Focardi, Yusuke Kawamoto, Lorenzo Simionato,
> Graham Steel, Joe-Kai Tsay: Efficient Padding Oracle Attacks on
> Cryptographic Hardware. CRYPTO 2012: 608-625
>
>   paper: http://eprint.iacr.org/2012/417
>   slide: https://www.iacr.org/conferences/crypto2012/slides/11-1-Steel.pdf
>
> Best,
>
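The following is an added example, not code from this thread, from RFC 5246 or from the cited paper. It shows, on the decoded PKCS#1 v1.5 block that comes out of the RSA operation (the RSA step itself is omitted), the two behaviours Yaron's question turns on: a textbook decoder that signals padding failures, which is the oracle Bleichenbacher-style attacks query, beside a decoder structured along the approach recommended in RFC 5246 section 7.4.7.1, which always yields a 48-byte premaster secret (client_version followed by either the decoded bytes or random bytes) so the handshake proceeds identically either way and only fails at Finished. The function names, the 128-byte block size and the sample premaster secret are assumptions made for the example; Python cannot give constant-time guarantees, so the block demonstrates the control-flow structure (no early return, no error signal) rather than a timing-safe implementation.

```python
import os
import hmac

PREMASTER_LEN = 48  # a TLS premaster secret is always 48 bytes (RFC 5246 7.4.7.1)


def pkcs1_v15_type2_pad(message: bytes, k: int) -> bytes:
    """Build the RSAES-PKCS1-v1_5 block EM = 0x00 || 0x02 || PS || 0x00 || M.

    Used only to construct sample input for the decoders below (hypothetical
    helper). The RSA operation is omitted: the oracle the thread discusses
    lives in how the decoded block is handled, not in the exponentiation.
    """
    ps_len = k - 3 - len(message)
    if ps_len < 8:
        raise ValueError("block too small for message")
    ps = b""
    while len(ps) < ps_len:  # PS must consist of non-zero bytes
        ps += bytes(b for b in os.urandom(ps_len - len(ps)) if b != 0)
    return b"\x00\x02" + ps + b"\x00" + message


def decode_premaster_naive(em: bytes) -> bytes:
    """Textbook decoding: return M or raise on bad padding.

    A server that turns this exception into a distinguishable alert, error
    message or timing difference hands the peer a padding oracle.
    """
    if len(em) < 11 or em[:2] != b"\x00\x02":
        raise ValueError("bad padding")
    sep = em.find(b"\x00", 2)
    if sep < 10:  # PS must be at least 8 bytes long
        raise ValueError("bad padding")
    message = em[sep + 1:]
    if len(message) != PREMASTER_LEN:
        raise ValueError("bad premaster length")
    return message


def naive_leaks_error(em: bytes) -> bool:
    """True if the naive decoder signals failure, i.e. gives an oracle answer."""
    try:
        decode_premaster_naive(em)
    except ValueError:
        return True
    return False


def decode_premaster_rfc5246(em: bytes, client_version: bytes) -> bytes:
    """Decode along the approach recommended in RFC 5246 section 7.4.7.1.

    Always returns 48 bytes: client_version || M[2..47] when the padding is
    well formed, otherwise client_version || 46 random bytes. Overwriting the
    version bytes in both cases also removes the version-check oracle.
    """
    fallback = client_version + os.urandom(PREMASTER_LEN - 2)
    if len(em) < PREMASTER_LEN + 11:
        # The block length equals the modulus size, which is public, so this
        # branch depends on nothing secret.
        return fallback
    sep = len(em) - PREMASTER_LEN - 1  # where 0x00 must sit for a 48-byte M
    # Evaluate every condition instead of returning early, so control flow
    # does not depend on which part of the padding is wrong.
    header_ok = hmac.compare_digest(em[:2], b"\x00\x02")
    ps_ok = 0 not in em[2:sep]  # no zero byte before the separator
    sep_ok = em[sep] == 0
    good = header_ok & ps_ok & sep_ok
    candidate = client_version + em[sep + 3:]  # drop M's own version bytes
    # Select byte-wise between candidate and fallback via a mask rather than
    # branching on `good`.
    mask = (-int(good)) & 0xFF  # 0xFF if good else 0x00
    return bytes((c & mask) | (f & (mask ^ 0xFF)) for c, f in zip(candidate, fallback))


if __name__ == "__main__":
    # Constructed sample: a TLS 1.2 premaster secret inside a 128-byte block.
    pm = b"\x03\x03" + bytes(range(46))
    em = pkcs1_v15_type2_pad(pm, 128)
    bad = bytes([em[0], 0x01]) + em[2:]  # corrupt the 0x02 block-type byte
    print("naive leaks on corrupted block:", naive_leaks_error(bad))
    print("rfc5246 output length on corrupted block:",
          len(decode_premaster_rfc5246(bad, b"\x03\x03")))
```

The point to observe is that the second decoder has exactly one return value shape for every input: a peer submitting modified ciphertexts sees a Finished failure every time, which is what removes the oracle the cited paper optimises queries against. Real implementations must additionally make the comparison and selection constant-time at the native level, which this Python sketch only mimics structurally.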