bleichenbacher

How many antequated implementations of RSA are used in practice today (see recent Bleichenbacher flaw in NSS)?

Two years ago, Daniel Bleichenbacher demonstrated a pencil and paper attack on the RSA validation procedure used by OpenSSL.

When the Bleichenbacher e=3 attack happened, the monoculture helped: the most popular TLS clientsides weren't vulnerable, but the oddballs were.

Postel's Law is a big part of the reason Bleichenbacher attacks (adaptive chosen-ciphertext attacks)[1] stayed so common for so long.

For example, didn't Java SSL recently manage to reincarnate the Bleichenbacher padding oracle?

The researchers in this case have actually made a significant improvement to the Bleichenbacher attack, extending it to use division (multiplication by an inverse) as well as multiplication as in the classic attack.

But it's virtually always as part of teams of otherwise well-established cryptography researchers, and it's clearly not of the same kind as say Joan Daemen or Daniel Bleichenbacher or Don Coppersmith or Philip Rogaway.

Now my point: this is actually way old news --- back to Bleichenbacher and Vaudenay and probably before that (I'm not the resident expert) --- but attacks like this have broken peer-reviewed versions of TLS, the most peer-reviewed crypto protocol ever designed.

They reference this attack briefly on page two of the linked article; grep for "Bleichenbacher".

(That bug is due to Bleichenbacher, who called it a "pencil-and-paper" attack in the rump session he presented it in).

It's a Cryptography Research paper from earlier this year and involves both a series of lattice reductions and the inverse fourier transform, which smooths out a very sharply defined bound into a much broader bound to make a search faster --- the latter trick is due to Bleichenbacher and referred to in the CRI paper as an "underground" attack.

The latter is Bleichenbacher's, very well known in the literature but not widely exploited (this is a crypto attack that involves some linear algebra).

ASN parsing code, in general, does not check for presence of trailing bytes (see Bleichenbacher's original signature forgery attack, and CVEs passim).

It is vulnerable to a padding oracle attack known as Bleichenbacher's Attack [2].