Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks

Presented at 31C3 (2014), Dec. 27, 2014, 4 p.m. (60 minutes).

We present four new Bleichenbacher side channels, and three successful Bleichenbacher attacks against the Java Secure Socket Extension (JSSE) SSL/TLS implementation and against hardware security appliances using the Cavium NITROX SSL accelerator chip. 16 years ago, Daniel Bleichenbacher presented a protocol-level padding oracle attack against SSL/TLS. As a countermeasure, all TLS RFCs starting from RFC 2246 (TLS 1.0) propose "to treat incorrectly formatted messages in a manner indistinguishable from correctly formatted RSA blocks". In our recent paper [1] we show that this objective has not been achieved yet: We present four new Bleichenbacher side channels, and three successful Bleichenbacher attacks against the Java Secure Socket Extension (JSSE) SSL/TLS implementation and against hardware security appliances using the Cavium NITROX SSL accelerator chip. Three of these side channels are timing-based, and two of them provide the first timing-based Bleichenbacher attacks on SSL/TLS described in the literature. Our measurements confirmed that all these side channels are observable over a switched network, with timing differences between 1 and 23 microseconds. We were able to successfully recover the PreMasterSecret using three of the four side channels in a realistic measurement setup. Besides the academic relevance of breaking common SSL/TLS implementations, the timing attacks we performed are quite interesting for the hacking community. In our talk, we will thus focus on the challenges we had to solve during our attacks and on the challenges of fixing these issues. The talk extends the topics that I presented at 28c3 [2] and 29c3 [3]. [1]: Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks. Meyer, Somorovsky, Weiss, Schwenk, Schinzel, Tews. Usenix Security Symposium 2014. [2]: https://media.ccc.de/browse/congress/2011/28c3-4640-en-time_is_on_my_side.html [3]: https://media.ccc.de/browse/congress/2012/29c3-5044-en-time_is_not_on_your_side_h264.html

Presenters:

  • Sebastian Schinzel
    Sebastian is professor for IT security at Münster University of Applied Sciences. Since 2013, Sebastian leads the IT Security Lab at Münster University of Applied Sciences. His research interests involve penetration testing, software security and side channel attacks.

Links:

Similar Presentations: