3

Looking at this excellent explanation of the attack, I have one additional question:

It says that: "To prevent this attack, SSL servers do not inform the client about padding woes. If decryption fails because of a bad padding, then the server continues with a random pre-master secret (the true failure will then occur when processing the Finished message)."

Why does this prevent the attack? Why doesn't the attacker just infer that the connection failed because of the bad padding? Why else could the connection fail?

Mark

2 Answers

4

Why does this prevent the attack? Why doesn't the attacker just infer that the connection failed because of the bad padding? Why else could the connection fail?

Well, the connection may fail because the host decrypted a valid pre-master secret, and it wasn't the pre-master secret that we expect.

That is, when the attacker injects his encrypted message, one of two things can happen:

  1. The server attempts to decrypt the message, and finds that the padding is invalid

  2. The server decrypts the message, and finds a value there.

The information that the attacker needs to know is whether (1) or (2) happened; if he can determine that, then he knows whether the padding looked correct or not.

Now, with the attack, if (2) happens, then the attacker has no idea what the value would be. Hence, if we react to (1) in a way that mimics the behavior in (2), we prevent the attacker from learning that.

poncho
3

Bleichenbacher's attack relies on being able to determine whether the padding was correct or not. The patch tries to ensure that the following two (previously distinguishable) cases look identical to an attacker:

  • the padding was correct, but the attacker has no knowledge of the transmitted pre-master secret — hence he can't use the resulting symmetric keys to generate a correctly encrypted and authenticated record, resulting in a connection failure.
  • the padding was incorrect, so the server creates a pseudorandom pre-master secret — thus the resulting symmetric keys are pseudorandom and, just like in the other case, the attacker is unable to generate a valid record, so the connection fails.

Assuming the patch is properly implemented, this makes it plausible that the previously exploitable padding oracle no longer exists, rendering the attack inapplicable.

yyyyyyy
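To make the two cases from both answers concrete, here is an added simulation (not code from either answer, nor from any TLS implementation) of the server-side handling of the RSA-decrypted block. It assumes a 128-byte block (a constructed 1024-bit modulus size), a 48-byte pre-master secret, and uses an HMAC over the pre-master secret as a stand-in for the real key derivation and Finished computation. The `naive_server` returns a distinct alert on bad padding (the oracle); the `hardened_server` substitutes a random pre-master secret as the question's quote describes, so cases (1) and (2) produce the same failure at the Finished check.

```python
import hashlib
import hmac
import secrets

# Constructed parameters: a 1024-bit RSA modulus gives 128-byte blocks;
# the TLS pre-master secret is 48 bytes (RFC 5246 section 7.4.7.1).
K = 128
PMS_LEN = 48


def pkcs1_v15_unpad(em: bytes) -> tuple:
    """Parse an RSA-decrypted block EM = 0x00 || 0x02 || PS || 0x00 || M.

    Every check is evaluated (no early return) so that the code path taken
    does not reveal which check failed. Returns (padding_ok, candidate_pms).
    """
    ok = len(em) == K
    ok &= em[:2] == b"\x00\x02"
    sep = -1
    for i in range(2, len(em)):
        if em[i] == 0 and sep == -1:
            sep = i                      # first 0x00 after the header
    ok &= sep >= 10                      # PS must be at least 8 bytes
    msg = em[sep + 1:] if sep != -1 else b""
    ok &= len(msg) == PMS_LEN
    return ok, msg


def finished_mac(pms: bytes) -> bytes:
    # Stand-in for TLS key derivation + Finished verify_data: anything keyed
    # on the pre-master secret is enough for this simulation.
    return hmac.new(pms, b"client finished", hashlib.sha256).digest()


def naive_server(em: bytes, client_finished: bytes) -> str:
    """Pre-patch behaviour: a padding failure is reported as its own alert."""
    ok, pms = pkcs1_v15_unpad(em)
    if not ok:
        return "alert: bad_padding"       # case (1) is visible on the wire
    if not hmac.compare_digest(finished_mac(pms), client_finished):
        return "alert: decrypt_error"     # case (2): wrong pre-master secret
    return "handshake ok"


def hardened_server(em: bytes, client_finished: bytes) -> str:
    """Patched behaviour: on bad padding, continue with a random pre-master
    secret, so the failure surfaces only when Finished is checked."""
    ok, pms = pkcs1_v15_unpad(em)
    random_pms = secrets.token_bytes(PMS_LEN)   # always generated
    pms = pms if ok else random_pms
    if not hmac.compare_digest(finished_mac(pms), client_finished):
        return "alert: decrypt_error"     # same alert in case (1) and (2)
    return "handshake ok"


def make_block(header: bytes, pms: bytes) -> bytes:
    """Constructed plaintext block as it would look after RSA decryption."""
    ps = b"\x7f" * (K - len(header) - 1 - len(pms))   # non-zero padding
    return header + ps + b"\x00" + pms


def simulate() -> dict:
    """Run an honest client and a probe with unknown plaintext against both servers."""
    true_pms = b"\x11" * PMS_LEN
    honest_block = make_block(b"\x00\x02", true_pms)
    honest_fin = finished_mac(true_pms)

    # Whoever sent a ciphertext without knowing its plaintext can only key
    # the Finished message on a guess, never on the value the server derived.
    guessed_fin = finished_mac(b"guess")
    good_pad_block = make_block(b"\x00\x02", b"\x22" * PMS_LEN)  # case (2)
    bad_pad_block = make_block(b"\x00\x01", b"\x22" * PMS_LEN)   # case (1)

    return {
        "honest": hardened_server(honest_block, honest_fin),
        "naive": (naive_server(good_pad_block, guessed_fin),
                  naive_server(bad_pad_block, guessed_fin)),
        "hardened": (hardened_server(good_pad_block, guessed_fin),
                     hardened_server(bad_pad_block, guessed_fin)),
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(f"{name}: {result}")
```

Running it shows the naive server answering the two probes with different alerts, while the hardened server answers both with `decrypt_error`; the honest handshake still completes. Note that `pkcs1_v15_unpad` evaluates all checks rather than returning early, and `hardened_server` draws the random secret unconditionally: real implementations also have to keep timing and other side channels, not just the alert type, identical between the two cases.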