An adaptive chosen-ciphertext attack (abbreviated as CCA2) is an interactive form of chosen-ciphertext attack in which an attacker first sends a number of ciphertexts to be decrypted, chosen adaptively, and then uses the results to distinguish a target ciphertext without consulting the oracle on the challenge ciphertext. In an adaptive attack, the attacker is further allowed to make adaptive queries after the target is revealed, with the single restriction that the target ciphertext itself may not be queried. It extends the indifferent (non-adaptive) chosen-ciphertext attack (CCA1), in which the second stage of adaptive queries is not allowed. Charles Rackoff and Dan Simon defined CCA2 and suggested a system building on the non-adaptive CCA1 definition and system of Moni Naor and Moti Yung (which was the first treatment of chosen-ciphertext attack immunity of public-key systems).

In certain practical settings, the goal of this attack is to gradually reveal information about an encrypted message, or about the decryption key itself. For public-key systems, adaptive chosen-ciphertext attacks are generally applicable only when the scheme has the property of ciphertext malleability, that is, when a ciphertext can be modified in specific ways that have a predictable effect on the decryption of that message.
to be decrypted chosen adaptively, and then uses the results to distinguish a target ciphertext without consulting the oracle on the challenge ciphertext. In an adaptive attack, the attacker is further allowed adaptive queries to be asked after the target is revealed (but the target query is
169:
and a proof of security of the system. After the theoretical and foundation level development of CCA secure systems, a number of systems have been proposed in the Random Oracle model: the most common standard for RSA encryption is
439:
114:
In certain practical settings, the goal of this attack is to gradually reveal information about an encrypted message, or about the decryption key itself. For
130:
Adaptive-chosen-ciphertext attacks were perhaps considered to be a theoretical concern, but not to have been be manifested in practice, until 1998, when
157:
With slight variations, this vulnerability still exists in many modern servers, under the new name "Return Of
Bleichenbacher's Oracle Threat" (ROBOT).
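To make the oracle mechanics above concrete, here is an added, self-contained Python example written for this page (it is not Bleichenbacher's own code or any library's). It generates a deliberately tiny RSA key so the attack finishes in seconds, builds a padding oracle that reveals only whether a decrypted block starts with 0x00 0x02, and recovers the padded plaintext with the paper's interval-narrowing steps 2a, 2b, 2c and 3 (step 1, blinding, is skipped because the target ciphertext is already correctly padded). All function names, the 121-bit key size, the public exponent 65537, the fixed seeds and the message "sess" are choices made for this example.

```python
"""Toy Bleichenbacher padding-oracle attack on RSA PKCS#1 v1.5 (constructed example, 121-bit key)."""
import itertools
import random

E = 65537  # public exponent (assumption: the usual value)

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin with random bases drawn from rng."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def keygen(bits, seed):
    """Deterministic toy RSA key (n, d) whose modulus has exactly `bits` bits."""
    rng = random.Random(seed)
    def prime(b):
        while True:
            cand = rng.getrandbits(b) | (1 << (b - 1)) | 1
            if is_probable_prime(cand, rng):
                return cand
    while True:
        p, q = prime(bits // 2), prime(bits - bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % E:   # E is prime, so phi % E != 0 means gcd == 1
            return n, pow(E, -1, phi)

def pkcs1_v15_pad(msg, k, rng):
    """EM = 00 || 02 || PS (non-zero random bytes) || 00 || msg, k bytes long (msg must be <= k - 11 bytes)."""
    ps = bytes(rng.randrange(1, 256) for _ in range(k - 3 - len(msg)))
    return b"\x00\x02" + ps + b"\x00" + msg

def make_padding_oracle(n, d, k):
    """The leak: a yes/no answer to 'does the decryption start with 00 02?', i.e. 2B <= m*s mod n < 3B."""
    counter = {"queries": 0}
    def oracle(c):
        counter["queries"] += 1
        return pow(c, d, n).to_bytes(k, "big")[:2] == b"\x00\x02"
    return oracle, counter

ceil_div = lambda a, b: -(-a // b)

def merge(intervals):
    """Union of closed integer intervals as a sorted, disjoint list."""
    out = []
    for a, b in sorted(intervals):
        if out and a <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], b))
        else:
            out.append((a, b))
    return out

def bleichenbacher(c, n, oracle):
    """Recover the padded plaintext m of c (Bleichenbacher 1998, steps 2a to 3; blinding step 1 skipped)."""
    k = (n.bit_length() + 7) // 8
    B = 1 << (8 * (k - 2))
    def first_conforming(candidates):   # smallest s in candidates such that c*s^e decrypts to a conforming m*s
        return next((s for s in candidates if oracle(c * pow(s, E, n) % n)), None)
    M = [(2 * B, 3 * B - 1)]                                   # every conforming value
    s = first_conforming(itertools.count(ceil_div(n, 3 * B)))  # step 2a: first s >= n/(3B)
    while True:
        new = []                                               # step 3: narrow the intervals with this s
        for a, b in M:
            for r in range(ceil_div(a * s - 3 * B + 1, n), (b * s - 2 * B) // n + 1):
                lo, hi = max(a, ceil_div(2 * B + r * n, s)), min(b, (3 * B - 1 + r * n) // s)
                if lo <= hi:
                    new.append((lo, hi))
        M = merge(new)
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0]
        if len(M) > 1:                                         # step 2b: several intervals left, step s linearly
            s = first_conforming(itertools.count(s + 1))
        else:                                                  # step 2c: one interval, jump ahead
            a, b = M[0]
            r, hit = ceil_div(2 * (b * s - 2 * B), n), None
            while hit is None:
                hit = first_conforming(range(ceil_div(2 * B + r * n, b), (3 * B - 1 + r * n) // a + 1))
                r += 1
            s = hit

def demo_attack(seed=1, msg=b"sess"):
    """Encrypt msg under a toy key, recover it through the oracle alone; returns (exact?, message, queries)."""
    n, d = keygen(121, seed)
    k = (n.bit_length() + 7) // 8                              # 16 bytes
    m = int.from_bytes(pkcs1_v15_pad(msg, k, random.Random(seed)), "big")
    oracle, counter = make_padding_oracle(n, d, k)
    recovered = bleichenbacher(pow(m, E, n), n, oracle)
    return recovered == m, recovered.to_bytes(k, "big").split(b"\x00", 2)[2], counter["queries"]
```

The oracle here is the most permissive one (it checks only the two leading bytes), which is the case Bleichenbacher's analysis assumes; a stricter check that also verifies the eight non-zero padding bytes and the separator lowers the probability that a trial query is accepted and raises the query count, which is where the million messages of the attack's name come from. With the tiny modulus the attack needs a few thousand queries; with a real 2048-bit modulus the same loop needs on the order of a million, and it never learns the private exponent d, only the plaintext of the one ciphertext it started from.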
Preventing attacks

In order to prevent adaptive chosen-ciphertext attacks, it is necessary to use an encryption or encoding scheme that limits ciphertext malleability, together with a proof of security of the system. After the theoretical and foundational development of CCA-secure systems, a number of systems have been proposed in the random oracle model; the most common standard for RSA encryption is Optimal Asymmetric Encryption Padding (OAEP). Unlike improvised schemes such as the padding used in the early versions of PKCS#1, OAEP has been proven secure in the random oracle model under the RSA assumption. OAEP was incorporated into PKCS#1 as of version 2.0, published in 1998, as the now-recommended encoding scheme, with the older scheme still supported but not recommended for new applications. However, the gold standard for security is to show the system secure without relying on the random oracle idealization.

Whatever the encoding, the implementation must reject every malformed decoding in the same way: an implementation whose error messages or timing reveal which of the decoding checks failed reintroduces an oracle of the kind Bleichenbacher exploited.
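As an added illustration of the encoding OAEP specifies (example code written for this page; it is not from PKCS#1, RFC 8017 or any library), the following Python implements EME-OAEP encoding and decoding with SHA-256 and MGF1 in the form used by PKCS#1 v2.1 and later, and checks that a single flipped bit anywhere in the encoded block is rejected with one uniform error. The RSA modular exponentiation is left out: OAEP operates on the k-byte block that goes into, and comes out of, that step, and the point here is the decoding checks. The 128-byte block size, the fixed seed used for reproducibility and the helper names are assumptions of this example.

```python
"""EME-OAEP encode/decode with SHA-256 and MGF1 (constructed example; RSA step omitted)."""
import hashlib
import hmac
import os

H_LEN = hashlib.sha256().digest_size  # 32 bytes

def mgf1(seed, length):
    """Mask generation function MGF1 from PKCS#1, instantiated with SHA-256."""
    out = b""
    for counter in range((length + H_LEN - 1) // H_LEN):
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def oaep_encode(msg, k, label=b"", seed=None):
    """EM = 0x00 || maskedSeed || maskedDB for a k-byte modulus.
    The seed masks DB and DB masks the seed, so changing any bit of EM scrambles
    all of DB, and the lHash / 0x01 checks in oaep_decode fail."""
    if len(msg) > k - 2 * H_LEN - 2:
        raise ValueError("message too long")
    seed = os.urandom(H_LEN) if seed is None else seed   # fixed seed only for reproducible demos
    l_hash = hashlib.sha256(label).digest()
    db = l_hash + b"\x00" * (k - len(msg) - 2 * H_LEN - 2) + b"\x01" + msg
    masked_db = xor(db, mgf1(seed, k - H_LEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, H_LEN))
    return b"\x00" + masked_seed + masked_db

def oaep_decode(em, k, label=b""):
    """Inverse of oaep_encode. Every check feeds one flag and one generic error,
    so the caller cannot tell which check failed. (Uniform timing would need
    further care; this only removes the distinguishable error.)"""
    if len(em) != k:
        raise ValueError("decoding error")
    y, masked_seed, masked_db = em[0], em[1:1 + H_LEN], em[1 + H_LEN:]
    seed = xor(masked_seed, mgf1(masked_db, H_LEN))
    db = xor(masked_db, mgf1(seed, k - H_LEN - 1))
    ok = y == 0
    ok &= hmac.compare_digest(db[:H_LEN], hashlib.sha256(label).digest())
    i = H_LEN                                   # skip the zero padding PS
    while i < len(db) and db[i] == 0:
        i += 1
    ok &= (i < len(db) and db[i] == 1)          # separator must be 0x01
    if not ok:
        raise ValueError("decoding error")
    return db[i + 1:]

def decodes(em, k, label=b""):
    """True if em is accepted, False if it is rejected."""
    try:
        oaep_decode(em, k, label)
        return True
    except ValueError:
        return False

def tampering_is_rejected(msg, k=128, flips=64):
    """Flip single bits at positions spread over the whole block; all must be rejected."""
    em = oaep_encode(msg, k, seed=bytes(range(H_LEN)))
    for i in range(flips):
        em2 = bytearray(em)
        em2[(i * 7919) % k] ^= 1 << (i % 8)   # 7919 is odd, so positions cycle through the block
        if decodes(bytes(em2), k):
            return False
    return True
```

Compare this with the PKCS#1 v1.5 format above: there, the attacker can predict how a related ciphertext's decryption looks (a multiple of the plaintext) and the validity check depends only on two leading bytes, so each oracle answer carries usable information. Here a related ciphertext decrypts to a block whose seed and data masks no longer match, so the decoder sees a random DB and rejects it, and the "yes" answers that drive the interval narrowing never come.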
Mathematical model

In complexity-theoretic cryptography, security against adaptive chosen-ciphertext attacks is commonly modeled using ciphertext indistinguishability (IND-CCA2). In that game the adversary receives the public key and access to a decryption oracle, chooses two messages m0 and m1 of equal length, receives a challenge ciphertext c* that encrypts one of them chosen at random, may keep querying the oracle on any ciphertext other than c*, and must finally say which message was encrypted. The scheme is IND-CCA2 secure if no efficient adversary does noticeably better than guessing. The corresponding CCA1 game differs only in that the oracle stops answering once the challenge is issued.
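The game described in this section, together with the two-phase query rule from the definition at the top of the page and the malleability property from the lead, as an executable harness (an added example written for this page, not code from the cited textbook or any library). The scheme under attack is textbook ElGamal over a toy prime field, chosen only because it is randomized yet multiplicatively malleable: multiplying the second ciphertext component by s multiplies the plaintext by s, which is exactly the predictable modification the lead refers to. The adversary never queries the challenge itself and still wins every run. The modulus 2^127 - 1, the base element 3 and the message values are assumptions of this example and provide no real security.

```python
"""IND-CCA2 game harness against a malleable scheme (toy ElGamal; constructed example)."""
import random

P = (1 << 127) - 1   # Mersenne prime 2**127 - 1, a toy field (assumption of this example)
G = 3                # toy base element (assumption; not a vetted generator)

class ElGamal:
    """Textbook ElGamal: randomized, but (c1, c2) -> m implies (c1, s*c2) -> s*m."""
    def __init__(self, rng):
        self.x = rng.randrange(2, P - 1)       # secret key
        self.pk = pow(G, self.x, P)            # public key

    def encrypt(self, m, rng):
        r = rng.randrange(2, P - 1)
        return pow(G, r, P), m * pow(self.pk, r, P) % P

    def decrypt(self, ct):
        c1, c2 = ct
        return c2 * pow(c1, P - 1 - self.x, P) % P   # c2 / c1**x, inverse via Fermat

class IndCca2Challenger:
    """Runs the experiment: the decryption oracle answers before and after the
    challenge and refuses only the challenge ciphertext itself."""
    def __init__(self, scheme, rng):
        self.scheme, self.rng = scheme, rng
        self.challenge, self.b, self.queries = None, None, 0

    def decrypt_oracle(self, ct):
        if ct == self.challenge:
            raise PermissionError("the challenge ciphertext may not be queried")
        self.queries += 1
        return self.scheme.decrypt(ct)

    def issue_challenge(self, m0, m1):
        self.b = self.rng.randrange(2)
        self.challenge = self.scheme.encrypt((m0, m1)[self.b], self.rng)
        return self.challenge

def malleability_adversary(challenger, m0=1234, m1=5678):
    """Second-phase (adaptive) query: scale c2 so the oracle sees a different
    ciphertext whose plaintext is s*m_b, then divide s back out."""
    c1, c2 = challenger.issue_challenge(m0, m1)
    s = 2
    scaled = challenger.decrypt_oracle((c1, c2 * s % P))   # = s * m_b mod P
    m_b = scaled * pow(s, -1, P) % P
    return 0 if m_b == m0 else 1

def run_game(seed):
    """Returns (adversary guessed b correctly, number of oracle queries used)."""
    rng = random.Random(seed)
    scheme = ElGamal(rng)
    challenger = IndCca2Challenger(scheme, rng)
    guess = malleability_adversary(challenger)
    return guess == challenger.b, challenger.queries

def adversary_always_wins(trials=25):
    return all(run_game(seed)[0] for seed in range(trials))

def challenge_query_is_refused(seed=0):
    rng = random.Random(seed)
    challenger = IndCca2Challenger(ElGamal(rng), rng)
    ct = challenger.issue_challenge(1, 2)
    try:
        challenger.decrypt_oracle(ct)
        return False
    except PermissionError:
        return True
```

The single oracle call the adversary makes happens after the challenge is issued, so it is allowed under CCA2 and forbidden under CCA1; against this scheme a CCA1 adversary has nothing to gain from its first-phase queries because it does not yet know which ciphertext to scale. That is the gap between the two definitions in one concrete case, and the reason the CCA2 notion is the one a deployed public-key encryption scheme is expected to meet.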
References

Bleichenbacher, Daniel (August 23–27, 1998). "Chosen Ciphertext Attacks Against Protocols Based on the RSA Encryption Standard PKCS #1" (PDF). CRYPTO '98. Santa Barbara, California: Springer Berlin Heidelberg. pp. 1–12. doi:10.1007/BFb0055716. ISBN 978-3-540-64892-5.

Pornin, Thomas (2014). "Can you explain Bleichenbacher's CCA attack on PKCS#1 v1.5?". Cryptography Stack Exchange.

Hanno Böck; Juraj Somorovsky; Craig Young. "ROBOT attack". Retrieved February 27, 2018.

Fujisaki, Eiichiro; Okamoto, Tatsuaki; Pointcheval, David; Stern, Jacques (2004). "RSA-OAEP Is Secure under the RSA Assumption" (PDF). Journal of Cryptology. 17 (2): 81–104. CiteSeerX 10.1.1.11.7519. doi:10.1007/s00145-002-0204-y. S2CID 218582909. Retrieved 2009-01-12.

Kaliski, B.; Staddon, J. (October 1998). RFC 2437. IETF. doi:10.17487/RFC2437. Retrieved February 20, 2019.

Katz, Jonathan; Lindell, Yehuda (2015). Introduction to Modern Cryptography (2 ed.). Boca Raton: Chapman & Hall/CRC. pp. 174–175, 179–181. ISBN 978-1-4665-7027-6.