New TLS encryption-busting attack also impacts the newer TLS 1.3, is ECDHE_RSA also affected?
February 9, 2019: Source: New TLS encryption-busting attack also impacts the newer TLS 1.3
"Seven researchers from all over the world found --yet again-- another way to break RSA PKCS#1 v1.5, the most common RSA configuration used to encrypt TLS connections nowadays. Besides TLS, this new Bleichenbacher attack also works against Google's new QUIC encryption protocol as well."
Is TLS_ECDHE_RSA, and DHE_RSA, also affected? Or only TLS_RSA? If not please explain why.
Windows update example:
fe2.update.microsoft.com.nsatc.net offered
TLS_ECDHE_RSA_WITH_AES128_GCM_SHA384
x25519
EC Diffie-Hellman Server Params
Curve Type: named_curve (0x03)
Named Curve: x25519 (0x001d)
Pubkey Length: 32
Pubkey: e3267867db92a040eae6ea57bdb8e042680fa2e95da1e983...
Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
Signature Length: 256
encryption tls cryptography vulnerability
add a comment |
February 9, 2019: Source: New TLS encryption-busting attack also impacts the newer TLS 1.3
"Seven researchers from all over the world found --yet again-- another way to break RSA PKCS#1 v1.5, the most common RSA configuration used to encrypt TLS connections nowadays. Besides TLS, this new Bleichenbacher attack also works against Google's new QUIC encryption protocol as well."
Is TLS_ECDHE_RSA, and DHE_RSA, also affected? Or only TLS_RSA? If not please explain why.
Windows update example:
fe2.update.microsoft.com.nsatc.net offered
TLS_ECDHE_RSA_WITH_AES128_GCM_SHA384
x25519
EC Diffie-Hellman Server Params
Curve Type: named_curve (0x03)
Named Curve: x25519 (0x001d)
Pubkey Length: 32
Pubkey: e3267867db92a040eae6ea57bdb8e042680fa2e95da1e983...
Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
Signature Length: 256
encryption tls cryptography vulnerability
add a comment |
February 9, 2019: Source: New TLS encryption-busting attack also impacts the newer TLS 1.3
"Seven researchers from all over the world found --yet again-- another way to break RSA PKCS#1 v1.5, the most common RSA configuration used to encrypt TLS connections nowadays. Besides TLS, this new Bleichenbacher attack also works against Google's new QUIC encryption protocol as well."
Is TLS_ECDHE_RSA, and DHE_RSA, also affected? Or only TLS_RSA? If not please explain why.
Windows update example:
fe2.update.microsoft.com.nsatc.net offered
TLS_ECDHE_RSA_WITH_AES128_GCM_SHA384
x25519
EC Diffie-Hellman Server Params
Curve Type: named_curve (0x03)
Named Curve: x25519 (0x001d)
Pubkey Length: 32
Pubkey: e3267867db92a040eae6ea57bdb8e042680fa2e95da1e983...
Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
Signature Length: 256
encryption tls cryptography vulnerability
February 9, 2019: Source: New TLS encryption-busting attack also impacts the newer TLS 1.3
"Seven researchers from all over the world found --yet again-- another way to break RSA PKCS#1 v1.5, the most common RSA configuration used to encrypt TLS connections nowadays. Besides TLS, this new Bleichenbacher attack also works against Google's new QUIC encryption protocol as well."
Is TLS_ECDHE_RSA, and DHE_RSA, also affected? Or only TLS_RSA? If not please explain why.
Windows update example:
fe2.update.microsoft.com.nsatc.net offered
TLS_ECDHE_RSA_WITH_AES128_GCM_SHA384
x25519
EC Diffie-Hellman Server Params
Curve Type: named_curve (0x03)
Named Curve: x25519 (0x001d)
Pubkey Length: 32
Pubkey: e3267867db92a040eae6ea57bdb8e042680fa2e95da1e983...
Signature Algorithm: rsa_pkcs1_sha1 (0x0201)
Signature Length: 256
encryption tls cryptography vulnerability
encryption tls cryptography vulnerability
asked 6 hours ago
TylerTyler
597
597
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
This article is poorly written. First, by this time, it's old news: the attack was made public over two months ago. Oddly there doesn't seem to have been a thread about this attack here before, but there was one on Cryptography Stack Exchange which you can read for an introduction to how the attack works.
A second way in which this article is misleading is that this attack does not impact TLS 1.3 in itself. It impacts servers that support TLS 1.3 and older versions, if the attacker manages to downgrade the connection.
“The most common RSA configuration used to encrypt TLS connections” is also misleading. It's technically true, in that it is the only TLS configuration that uses RSA for encryption, but in fact most TLS configurations that use RSA use it for signature, not for encryption.
The attack works only against TLS_RSA
cipher suites, i.e. against cipher suites that have RSA in their name but not DHE or ECDHE. It attacks RSA decryption. Cipher suites that use RSA signature, or that don't use RSA at all, are not affected.
In order to perform the direct attack, the attacker has to convince the victims to use TLS ≤1.2 with an RSA-decryption cipher suite. It can often do that by hijacking the very beginning of the connection (it's a man-in-the-middle attack) and telling the client that it only supports TLS 1.2 (or some earlier version) and only RSA-decryption cipher suites. The client then sends a value encrypted with the server's public key, and the attacker must decrypt it to continue talking to the client. Normally decrypting the value requires the private key, but if the server is vulnerable to the attack, then the attacker is able to trick the server into decrypting that value by making many connections to the server with an RSA-decryption cipher suite, sending carefully-chosen ciphertexts and observing the precise timing of the server's response.
Even if the client refuses to use RSA-decryption cipher suites, or indeed even if the client only supports TLS 1.3, it may still be vulnerable if the server uses the same RSA private key for decryption and for signature. To perform this variant of the attack, the attacker is once again a man-in-the-middle, and it uses an RSA-signature cipher suite to talk to the client. At some point the attacker needs to sign a value with the server's private key, and it does this as above by making many connections to the server with an RSA-decryption cipher suite.
To protect against this attack, you can do any of the following:
- Keep your server up to date. This is the best way to protect against every attack.
- Disable RSA-decryption cipher suites on the server.
- Disable RSA-decryption cipher suites on the client and not use the same RSA private key for decryption and signature on the server.
Thank you very much for taking the time to post this! Very much appreciated!
– Tyler
2 hours ago
add a comment |
Thank you for your answer, Gilles, apparently this has a name; (the first source never gave any name). Such appears to be the nature of everything crypto.
https://robotattack.org/
"ROBOT only affects TLS cipher modes that use RSA encryption. Most modern TLS connections use an Elliptic Curve Diffie Hellman key exchange and need RSA only for signatures. We believe RSA encryption modes are so risky that the only safe course of action is to disable them. Apart from being risky these modes also lack forward secrecy.
By disabling RSA encryption we mean all ciphers that start with TLS_RSA. It does not include the ciphers that use RSA signatures and include DHE or ECDHE in their name. These ciphers are not affected by our attack.
Based on some preliminary data we also believe the compatibility costs of disabling RSA encryption modes are relatively low. Cloudflare shared with us that around one percent of their connections use the RSA encryption modes. Disabling these modes on the HTTPS server operated by one of the authors caused no notable problems."
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f203289%2fnew-tls-encryption-busting-attack-also-impacts-the-newer-tls-1-3-is-ecdhe-rsa-a%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
This article is poorly written. First, by this time, it's old news: the attack was made public over two months ago. Oddly there doesn't seem to have been a thread about this attack here before, but there was one on Cryptography Stack Exchange which you can read for an introduction to how the attack works.
A second way in which this article is misleading is that this attack does not impact TLS 1.3 in itself. It impacts servers that support TLS 1.3 and older versions, if the attacker manages to downgrade the connection.
“The most common RSA configuration used to encrypt TLS connections” is also misleading. It's technically true, in that it is the only TLS configuration that uses RSA for encryption, but in fact most TLS configurations that use RSA use it for signature, not for encryption.
The attack works only against TLS_RSA
cipher suites, i.e. against cipher suites that have RSA in their name but not DHE or ECDHE. It attacks RSA decryption. Cipher suites that use RSA signature, or that don't use RSA at all, are not affected.
In order to perform the direct attack, the attacker has to convince the victims to use TLS ≤1.2 with an RSA-decryption cipher suite. It can often do that by hijacking the very beginning of the connection (it's a man-in-the-middle attack) and telling the client that it only supports TLS 1.2 (or some earlier version) and only RSA-decryption cipher suites. The client then sends a value encrypted with the server's public key, and the attacker must decrypt it to continue talking to the client. Normally decrypting the value requires the private key, but if the server is vulnerable to the attack, then the attacker is able to trick the server into decrypting that value by making many connections to the server with an RSA-decryption cipher suite, sending carefully-chosen ciphertexts and observing the precise timing of the server's response.
Even if the client refuses to use RSA-decryption cipher suites, or indeed even if the client only supports TLS 1.3, it may still be vulnerable if the server uses the same RSA private key for decryption and for signature. To perform this variant of the attack, the attacker is once again a man-in-the-middle, and it uses an RSA-signature cipher suite to talk to the client. At some point the attacker needs to sign a value with the server's private key, and it does this as above by making many connections to the server with an RSA-decryption cipher suite.
To protect against this attack, you can do any of the following:
- Keep your server up to date. This is the best way to protect against every attack.
- Disable RSA-decryption cipher suites on the server.
- Disable RSA-decryption cipher suites on the client and not use the same RSA private key for decryption and signature on the server.
Thank you very much for taking the time to post this! Very much appreciated!
– Tyler
2 hours ago
add a comment |
This article is poorly written. First, by this time, it's old news: the attack was made public over two months ago. Oddly there doesn't seem to have been a thread about this attack here before, but there was one on Cryptography Stack Exchange which you can read for an introduction to how the attack works.
A second way in which this article is misleading is that this attack does not impact TLS 1.3 in itself. It impacts servers that support TLS 1.3 and older versions, if the attacker manages to downgrade the connection.
“The most common RSA configuration used to encrypt TLS connections” is also misleading. It's technically true, in that it is the only TLS configuration that uses RSA for encryption, but in fact most TLS configurations that use RSA use it for signature, not for encryption.
The attack works only against TLS_RSA
cipher suites, i.e. against cipher suites that have RSA in their name but not DHE or ECDHE. It attacks RSA decryption. Cipher suites that use RSA signature, or that don't use RSA at all, are not affected.
In order to perform the direct attack, the attacker has to convince the victims to use TLS ≤1.2 with an RSA-decryption cipher suite. It can often do that by hijacking the very beginning of the connection (it's a man-in-the-middle attack) and telling the client that it only supports TLS 1.2 (or some earlier version) and only RSA-decryption cipher suites. The client then sends a value encrypted with the server's public key, and the attacker must decrypt it to continue talking to the client. Normally decrypting the value requires the private key, but if the server is vulnerable to the attack, then the attacker is able to trick the server into decrypting that value by making many connections to the server with an RSA-decryption cipher suite, sending carefully-chosen ciphertexts and observing the precise timing of the server's response.
Even if the client refuses to use RSA-decryption cipher suites, or indeed even if the client only supports TLS 1.3, it may still be vulnerable if the server uses the same RSA private key for decryption and for signature. To perform this variant of the attack, the attacker is once again a man-in-the-middle, and it uses an RSA-signature cipher suite to talk to the client. At some point the attacker needs to sign a value with the server's private key, and it does this as above by making many connections to the server with an RSA-decryption cipher suite.
To protect against this attack, you can do any of the following:
- Keep your server up to date. This is the best way to protect against every attack.
- Disable RSA-decryption cipher suites on the server.
- Disable RSA-decryption cipher suites on the client and not use the same RSA private key for decryption and signature on the server.
Thank you very much for taking the time to post this! Very much appreciated!
– Tyler
2 hours ago
add a comment |
This article is poorly written. First, by this time, it's old news: the attack was made public over two months ago. Oddly there doesn't seem to have been a thread about this attack here before, but there was one on Cryptography Stack Exchange which you can read for an introduction to how the attack works.
A second way in which this article is misleading is that this attack does not impact TLS 1.3 in itself. It impacts servers that support TLS 1.3 and older versions, if the attacker manages to downgrade the connection.
“The most common RSA configuration used to encrypt TLS connections” is also misleading. It's technically true, in that it is the only TLS configuration that uses RSA for encryption, but in fact most TLS configurations that use RSA use it for signature, not for encryption.
The attack works only against TLS_RSA
cipher suites, i.e. against cipher suites that have RSA in their name but not DHE or ECDHE. It attacks RSA decryption. Cipher suites that use RSA signature, or that don't use RSA at all, are not affected.
In order to perform the direct attack, the attacker has to convince the victims to use TLS ≤1.2 with an RSA-decryption cipher suite. It can often do that by hijacking the very beginning of the connection (it's a man-in-the-middle attack) and telling the client that it only supports TLS 1.2 (or some earlier version) and only RSA-decryption cipher suites. The client then sends a value encrypted with the server's public key, and the attacker must decrypt it to continue talking to the client. Normally decrypting the value requires the private key, but if the server is vulnerable to the attack, then the attacker is able to trick the server into decrypting that value by making many connections to the server with an RSA-decryption cipher suite, sending carefully-chosen ciphertexts and observing the precise timing of the server's response.
Even if the client refuses to use RSA-decryption cipher suites, or indeed even if the client only supports TLS 1.3, it may still be vulnerable if the server uses the same RSA private key for decryption and for signature. To perform this variant of the attack, the attacker is once again a man-in-the-middle, and it uses an RSA-signature cipher suite to talk to the client. At some point the attacker needs to sign a value with the server's private key, and it does this as above by making many connections to the server with an RSA-decryption cipher suite.
To protect against this attack, you can do any of the following:
- Keep your server up to date. This is the best way to protect against every attack.
- Disable RSA-decryption cipher suites on the server.
- Disable RSA-decryption cipher suites on the client and not use the same RSA private key for decryption and signature on the server.
This article is poorly written. First, by this time, it's old news: the attack was made public over two months ago. Oddly there doesn't seem to have been a thread about this attack here before, but there was one on Cryptography Stack Exchange which you can read for an introduction to how the attack works.
A second way in which this article is misleading is that this attack does not impact TLS 1.3 in itself. It impacts servers that support TLS 1.3 and older versions, if the attacker manages to downgrade the connection.
“The most common RSA configuration used to encrypt TLS connections” is also misleading. It's technically true, in that it is the only TLS configuration that uses RSA for encryption, but in fact most TLS configurations that use RSA use it for signature, not for encryption.
The attack works only against TLS_RSA
cipher suites, i.e. against cipher suites that have RSA in their name but not DHE or ECDHE. It attacks RSA decryption. Cipher suites that use RSA signature, or that don't use RSA at all, are not affected.
In order to perform the direct attack, the attacker has to convince the victims to use TLS ≤1.2 with an RSA-decryption cipher suite. It can often do that by hijacking the very beginning of the connection (it's a man-in-the-middle attack) and telling the client that it only supports TLS 1.2 (or some earlier version) and only RSA-decryption cipher suites. The client then sends a value encrypted with the server's public key, and the attacker must decrypt it to continue talking to the client. Normally decrypting the value requires the private key, but if the server is vulnerable to the attack, then the attacker is able to trick the server into decrypting that value by making many connections to the server with an RSA-decryption cipher suite, sending carefully-chosen ciphertexts and observing the precise timing of the server's response.
Even if the client refuses to use RSA-decryption cipher suites, or indeed even if the client only supports TLS 1.3, it may still be vulnerable if the server uses the same RSA private key for decryption and for signature. To perform this variant of the attack, the attacker is once again a man-in-the-middle, and it uses an RSA-signature cipher suite to talk to the client. At some point the attacker needs to sign a value with the server's private key, and it does this as above by making many connections to the server with an RSA-decryption cipher suite.
To protect against this attack, you can do any of the following:
- Keep your server up to date. This is the best way to protect against every attack.
- Disable RSA-decryption cipher suites on the server.
- Disable RSA-decryption cipher suites on the client and not use the same RSA private key for decryption and signature on the server.
answered 4 hours ago
GillesGilles
38.9k1192146
38.9k1192146
Thank you very much for taking the time to post this! Very much appreciated!
– Tyler
2 hours ago
add a comment |
Thank you very much for taking the time to post this! Very much appreciated!
– Tyler
2 hours ago
Thank you very much for taking the time to post this! Very much appreciated!
– Tyler
2 hours ago
Thank you very much for taking the time to post this! Very much appreciated!
– Tyler
2 hours ago
add a comment |
Thank you for your answer, Gilles, apparently this has a name; (the first source never gave any name). Such appears to be the nature of everything crypto.
https://robotattack.org/
"ROBOT only affects TLS cipher modes that use RSA encryption. Most modern TLS connections use an Elliptic Curve Diffie Hellman key exchange and need RSA only for signatures. We believe RSA encryption modes are so risky that the only safe course of action is to disable them. Apart from being risky these modes also lack forward secrecy.
By disabling RSA encryption we mean all ciphers that start with TLS_RSA. It does not include the ciphers that use RSA signatures and include DHE or ECDHE in their name. These ciphers are not affected by our attack.
Based on some preliminary data we also believe the compatibility costs of disabling RSA encryption modes are relatively low. Cloudflare shared with us that around one percent of their connections use the RSA encryption modes. Disabling these modes on the HTTPS server operated by one of the authors caused no notable problems."
add a comment |
Thank you for your answer, Gilles, apparently this has a name; (the first source never gave any name). Such appears to be the nature of everything crypto.
https://robotattack.org/
"ROBOT only affects TLS cipher modes that use RSA encryption. Most modern TLS connections use an Elliptic Curve Diffie Hellman key exchange and need RSA only for signatures. We believe RSA encryption modes are so risky that the only safe course of action is to disable them. Apart from being risky these modes also lack forward secrecy.
By disabling RSA encryption we mean all ciphers that start with TLS_RSA. It does not include the ciphers that use RSA signatures and include DHE or ECDHE in their name. These ciphers are not affected by our attack.
Based on some preliminary data we also believe the compatibility costs of disabling RSA encryption modes are relatively low. Cloudflare shared with us that around one percent of their connections use the RSA encryption modes. Disabling these modes on the HTTPS server operated by one of the authors caused no notable problems."
add a comment |
Thank you for your answer, Gilles, apparently this has a name; (the first source never gave any name). Such appears to be the nature of everything crypto.
https://robotattack.org/
"ROBOT only affects TLS cipher modes that use RSA encryption. Most modern TLS connections use an Elliptic Curve Diffie Hellman key exchange and need RSA only for signatures. We believe RSA encryption modes are so risky that the only safe course of action is to disable them. Apart from being risky these modes also lack forward secrecy.
By disabling RSA encryption we mean all ciphers that start with TLS_RSA. It does not include the ciphers that use RSA signatures and include DHE or ECDHE in their name. These ciphers are not affected by our attack.
Based on some preliminary data we also believe the compatibility costs of disabling RSA encryption modes are relatively low. Cloudflare shared with us that around one percent of their connections use the RSA encryption modes. Disabling these modes on the HTTPS server operated by one of the authors caused no notable problems."
Thank you for your answer, Gilles, apparently this has a name; (the first source never gave any name). Such appears to be the nature of everything crypto.
https://robotattack.org/
"ROBOT only affects TLS cipher modes that use RSA encryption. Most modern TLS connections use an Elliptic Curve Diffie Hellman key exchange and need RSA only for signatures. We believe RSA encryption modes are so risky that the only safe course of action is to disable them. Apart from being risky these modes also lack forward secrecy.
By disabling RSA encryption we mean all ciphers that start with TLS_RSA. It does not include the ciphers that use RSA signatures and include DHE or ECDHE in their name. These ciphers are not affected by our attack.
Based on some preliminary data we also believe the compatibility costs of disabling RSA encryption modes are relatively low. Cloudflare shared with us that around one percent of their connections use the RSA encryption modes. Disabling these modes on the HTTPS server operated by one of the authors caused no notable problems."
answered 2 hours ago
TylerTyler
597
597
add a comment |
add a comment |
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f203289%2fnew-tls-encryption-busting-attack-also-impacts-the-newer-tls-1-3-is-ecdhe-rsa-a%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown