The Marvin Attack
(people.redhat.com)
from tedu to cryptography on 01 Oct 2023 18:28
https://azorius.net/g/cryptography/p/4l9gC1367Kq841dYxY-The-Marvin-Attack
from tedu to cryptography on 01 Oct 2023 18:28
https://azorius.net/g/cryptography/p/4l9gC1367Kq841dYxY-The-Marvin-Attack
The Marvin Attack is a return of a 25 year old vulnerability that allows performing RSA decryption and signing operations as an attacker with the ability to observe only the time of the decryption operation performed with the private key.
In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS #1 v1.5 padding allowed an adaptive-chosen ciphertext attack; this attack fully breaks the confidentiality of TLS when used with RSA encryption. In 2018, Hanno Böck, Juraj Somorovsky, and Craig Young have shown 19 years later that many internet servers were still vulnerable to slight variations of the original attack.
We show that many implementations previously thought immune, are vulnerable to the timing variant of the same attack.
threaded - newest
Ouch.