lecture: Revisiting SSL/TLS Implementations
New Bleichenbacher Side Channels and Attacks
We present four new Bleichenbacher side channels, and three successful Bleichenbacher attacks against the Java Secure Socket Extension (JSSE) SSL/TLS implementation and against hardware security appliances using the Cavium NITROX SSL accelerator chip.
16 years ago, Daniel Bleichenbacher presented a protocol-level padding oracle attack against SSL/TLS. As a countermeasure, all TLS RFCs starting from RFC 2246 (TLS 1.0) propose "to treat incorrectly formatted messages in a manner indistinguishable from correctly formatted RSA blocks".
In our recent paper, we show that this objective has not been achieved yet: We present four new Bleichenbacher side channels, and three successful Bleichenbacher attacks against the Java Secure Socket Extension (JSSE) SSL/TLS implementation and against hardware security appliances using the Cavium NITROX SSL accelerator chip. Three of these side channels are timing-based, and two of them provide the first timing-based Bleichenbacher attacks on SSL/TLS described in the literature. Our measurements confirmed that all these side channels are observable over a switched network, with timing differences between 1 and 23 microseconds. We were able to successfully recover the PreMasterSecret using three of the four side channels in a realistic measurement setup.
Besides the academic relevance of breaking common SSL/TLS implementations, the timing attacks we performed are quite interesting for the hacking community. In our talk, we will thus focus on the challenges we had to solve during our attacks and on the challenges of fixing these issues.
The talk extends the topics that I presented at 28c3 and 29c3.
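As an added illustration (not code from the talk, the paper, JSSE or the Cavium firmware), here is the kind of countermeasure the quoted RFC text asks for: the server checks the decrypted PKCS#1 v1.5 block without branching and silently substitutes a pre-generated random PreMasterSecret when the check fails. The names `tls_pms_select`, `ct_is_zero` and `demo_case`, and the 64-byte sample block, are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PMS_LEN 48  /* TLS PreMasterSecret: 2 version bytes + 46 random bytes */

/* 0xFF if x == 0, else 0x00, computed without a branch. */
static uint8_t ct_is_zero(uint32_t x) {
    return (uint8_t)(0u - (((x | (0u - x)) >> 31) ^ 1u));
}

/* em: raw RSA decryption result of k bytes (k = modulus length, k >= PMS_LEN + 11).
 * fallback: PMS_LEN random bytes the caller drew BEFORE decrypting.
 * out receives the real PMS if em is well-formed, else the fallback; no error
 * code is returned, so both cases continue through the same handshake path. */
void tls_pms_select(const uint8_t *em, size_t k, const uint8_t *fallback,
                    uint8_t ver_major, uint8_t ver_minor, uint8_t *out) {
    size_t sep = k - PMS_LEN - 1;  /* only legal position of the 0x00 separator */
    uint8_t good = ct_is_zero(em[0]);
    good &= ct_is_zero(em[1] ^ 0x02u);
    for (size_t i = 2; i < sep; i++)        /* padding bytes must be non-zero */
        good &= (uint8_t)~ct_is_zero(em[i]);
    good &= ct_is_zero(em[sep]);
    good &= ct_is_zero(em[sep + 1] ^ ver_major);  /* client_version check */
    good &= ct_is_zero(em[sep + 2] ^ ver_minor);
    for (size_t i = 0; i < PMS_LEN; i++)    /* masked select, same work either way */
        out[i] = (uint8_t)((em[sep + 1 + i] & good) | (fallback[i] & (uint8_t)~good));
}

/* Constructed sample: 64-byte block; flip_at >= 0 corrupts one byte of it.
 * Returns 1 if the real PMS came out, 0 if the fallback did, -1 otherwise. */
int demo_case(int flip_at) {
    uint8_t em[64], fb[PMS_LEN], out[PMS_LEN], real[PMS_LEN];
    memset(em, 0xA5, sizeof em);            /* non-zero padding and PMS body */
    em[0] = 0x00; em[1] = 0x02; em[15] = 0x00;
    em[16] = 0x03; em[17] = 0x03;           /* client_version 3.3 */
    memset(fb, 0x5C, sizeof fb);            /* stands in for CSPRNG output */
    memcpy(real, em + 16, PMS_LEN);
    if (flip_at >= 0) em[flip_at] ^= 0xA5;
    tls_pms_select(em, sizeof em, fb, 0x03, 0x03, out);
    if (memcmp(out, real, PMS_LEN) == 0) return 1;
    if (memcmp(out, fb, PMS_LEN) == 0) return 0;
    return -1;
}
```

Branch-free source is not a guarantee on its own: the compiled output and everything around this function (fallback generation, error handling, logging) must take the same path and time for valid and invalid blocks.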
Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks.
Meyer, Somorovsky, Weiss, Schwenk, Schinzel, Tews.
Usenix Security Symposium 2014.
Start time: 16:00
Room: Saal 2
Track: Security & Hacking