


Category:   Application (Security)  >   OpenSSL Vendors:
(OpenBSD Issues Fix) OpenSSL Side Channel Leakage Lets Remote Users Determine SSL Session Keys
SecurityTracker Alert ID:  1006335
SecurityTracker URL:
CVE Reference:   CVE-2003-0131   (Links to External Site)
Date:  Mar 20 2003
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 0.9.7a and prior versions
Description:   A vulnerability was reported in OpenSSL. A remote user could, in certain situations, recover session keys.

Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa have described a method of attacking RSA-based SSL/TLS sessions. Their method uses the server's version number check on known PKCS#1 plaintext values to create a side channel, allowing a remote user to "invert" the RSA encryption. This allows the remote user to recover the premaster-secret or to sign a message acting as the target server. Because the premaster-secret is the only secret value used to derive session keys, the remote user can then determine specific session keys. However, the vendor reports that the server's RSA key is not compromised via this method.

The attack method is an extension of Bleichenbacher's attack on PKCS#1 (v. 1.5) that makes the attack more effective (i.e., quicker). According to the authors, a premaster-secret encrypted with a 1024-bit RSA key on a test server was successfully recovered with messages sent at a rate of 67.7 calls per second over the course of about 55 hours. The attack requires the remote user to send specially crafted RSA-encrypted text over millions of connections with the server in order to determine the premaster-secret.
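The side channel described above comes from the server treating a PKCS#1 padding failure and a version-number mismatch differently. The C below is an added illustration of the two server-side patterns, not OpenSSL's or OpenBSD's code: it models only what happens after raw RSA decryption (the encoded message is constructed inline, no RSA is performed), uses a 1024-bit modulus size, and assumes a deterministic placeholder RNG (`demo_rng`) where a real server would call its CSPRNG. The function names, the `enum pms_result` codes and the sample bytes are all assumptions made for this example.

```c
/* Added illustration (not OpenSSL code): handling the decrypted
 * ClientKeyExchange so that padding failures and version mismatches
 * are indistinguishable to the client. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define EM_LEN  128   /* encoded-message length for a 1024-bit RSA modulus */
#define PMS_LEN 48    /* premaster secret: 2 version bytes + 46 random bytes */

enum pms_result { PMS_OK = 0, PMS_PAD_ERR = 1, PMS_VERSION_ERR = 2 };

/* RNG hook. demo_rng is a deterministic xorshift32 placeholder for the
 * demo; a real server substitutes its CSPRNG here. */
typedef void (*rand_fn)(uint8_t *buf, size_t len);

static void demo_rng(uint8_t *buf, size_t len) {
    static uint32_t x = 0x2545F491u;              /* fixed seed: placeholder only */
    for (size_t i = 0; i < len; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        buf[i] = (uint8_t)x;
    }
}

/* Strip PKCS#1 v1.5 type-2 padding: 00 02 <at least 8 nonzero bytes> 00 <payload>.
 * Returns 0 and copies the 48-byte payload into out, or -1 on any malformed input. */
static int unpad_pkcs1_v15(const uint8_t *em, size_t em_len, uint8_t out[PMS_LEN]) {
    if (em_len < 11 + PMS_LEN || em[0] != 0x00 || em[1] != 0x02) return -1;
    size_t i = 2;
    while (i < em_len && em[i] != 0x00) i++;      /* locate the 00 separator */
    if (i == em_len || i < 10) return -1;          /* no separator, or fewer than 8 pad bytes */
    if (em_len - (i + 1) != PMS_LEN) return -1;    /* payload must be exactly 48 bytes */
    memcpy(out, em + i + 1, PMS_LEN);
    return 0;
}

/* Vulnerable pattern: a padding failure is masked with a random premaster secret
 * (the classic Bleichenbacher countermeasure), but a version mismatch is reported
 * as a distinct, immediate error. The client can therefore tell whether the
 * decrypted block had well-formed padding, which is the oracle the attack needs. */
int vulnerable_handle_pms(const uint8_t *em, size_t em_len, uint8_t major, uint8_t minor,
                          rand_fn rnd, uint8_t pms[PMS_LEN]) {
    if (unpad_pkcs1_v15(em, em_len, pms) != 0) {
        rnd(pms, PMS_LEN);
        return PMS_PAD_ERR;        /* handshake continues and fails later at Finished */
    }
    if (pms[0] != major || pms[1] != minor)
        return PMS_VERSION_ERR;    /* immediate alert: the observable side channel */
    return PMS_OK;
}

/* Hardened pattern: both failure kinds take the same path (fresh random secret
 * carrying the expected version bytes) and the caller sees a single outcome,
 * so a bad-padding and a bad-version block look alike from the network. */
int hardened_handle_pms(const uint8_t *em, size_t em_len, uint8_t major, uint8_t minor,
                        rand_fn rnd, uint8_t pms[PMS_LEN]) {
    uint8_t tmp[PMS_LEN];
    int bad = unpad_pkcs1_v15(em, em_len, tmp) != 0;
    if (!bad && (tmp[0] != major || tmp[1] != minor)) bad = 1;
    if (bad) {
        rnd(tmp, PMS_LEN);
        tmp[0] = major;            /* shape the fallback exactly like a valid secret */
        tmp[1] = minor;
    }
    memcpy(pms, tmp, PMS_LEN);
    return PMS_OK;                 /* always; a bad block only fails later at Finished */
}

/* Constructed sample: a well-formed encoded message carrying a known premaster secret. */
void build_sample_em(uint8_t em[EM_LEN], uint8_t secret[PMS_LEN], uint8_t major, uint8_t minor) {
    for (int i = 0; i < PMS_LEN; i++) secret[i] = (uint8_t)(0xA0 + i);
    secret[0] = major; secret[1] = minor;
    em[0] = 0x00; em[1] = 0x02;
    memset(em + 2, 0x5A, EM_LEN - 3 - PMS_LEN);   /* 77 nonzero pad bytes, fixed for the demo */
    em[EM_LEN - PMS_LEN - 1] = 0x00;              /* separator */
    memcpy(em + EM_LEN - PMS_LEN, secret, PMS_LEN);
}

int main(void) {
    uint8_t em[EM_LEN], secret[PMS_LEN], pms[PMS_LEN];
    build_sample_em(em, secret, 3, 1);            /* 3.1 = TLS 1.0 version bytes */
    printf("valid block:   vulnerable=%d hardened=%d\n",
           vulnerable_handle_pms(em, EM_LEN, 3, 1, demo_rng, pms),
           hardened_handle_pms(em, EM_LEN, 3, 1, demo_rng, pms));
    em[EM_LEN - PMS_LEN + 1] = 0x00;              /* good padding, wrong version */
    printf("bad version:   vulnerable=%d hardened=%d\n",
           vulnerable_handle_pms(em, EM_LEN, 3, 1, demo_rng, pms),
           hardened_handle_pms(em, EM_LEN, 3, 1, demo_rng, pms));
    em[1] = 0x03;                                 /* broken padding */
    printf("bad padding:   vulnerable=%d hardened=%d\n",
           vulnerable_handle_pms(em, EM_LEN, 3, 1, demo_rng, pms),
           hardened_handle_pms(em, EM_LEN, 3, 1, demo_rng, pms));
    return 0;
}
```

The vulnerable handler returns three distinguishable results for the three input classes; the hardened one returns the same result for all of them and differs only in the secret it derives, which the client cannot observe directly. This example closes only the distinguishable-outcome channel the advisory describes; timing differences in the RSA operation itself are the separate issue noted in the editor's note below.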

The report (titled "Attacking RSA-based Sessions in SSL/TLS") is available at:

[Editor's note: This vulnerability is separate from the recently reported RSA-timing attack vulnerability.]

Impact:   A remote user can, in certain situations, determine the keys used for SSL sessions.
Solution:   OpenBSD has released the following patches:

Patch for OpenBSD 3.1:

Patch for OpenBSD 3.2:

Vendor URL: (Links to External Site)
Cause:   Randomization error, State error
Underlying OS:  UNIX (OpenBSD)
Underlying OS Comments:  3.1, 3.2

Message History:   This archive entry is a follow-up to the message listed below.
Mar 20 2003 OpenSSL Side Channel Leakage Lets Remote Users Determine SSL Session Keys

Source Message Contents

Subject:  patches available for Klima-Pokorny-Rosa attack on RSA in OpenSSL

Researchers have discovered an extension of the "Bleichenbacher
attack" on RSA with PKCS #1 v1.5 padding.  The attack affects TLS
1.0 (aka SSL 3.0) but does *not* affect OpenSSH.  Exploitation
requires that an attacker open millions of TLS connections to the
machine being attacked.

Users who run services utilizing TLS and RSA encryption should
update their OpenSSL to the version now in OpenBSD-current and the
3.1 and 3.2 -stable branches or use one of the patches below.

Patch for OpenBSD 3.1:

Patch for OpenBSD 3.2:

The OpenSSL advisory (from which the patches are derived) is:

The following paper describes the attack in detail:

