Paper 2003/052

Attacking RSA-based Sessions in SSL/TLS

Vlastimil Klima, Ondrej Pokorny, and Tomas Rosa


In this paper we present a practically feasible attack on RSA-based sessions in SSL/TLS protocols. These protocols incorporate the PKCS#1 (v. 1.5) encoding method for the RSA encryption of a premaster-secret value. The premaster-secret is the only secret value that is used for deriving all the particular session keys. Therefore, an attacker who can recover the premaster-secret can decrypt the whole captured SSL/TLS session. We show that incorporating a version number check over PKCS#1 plaintext used in the SSL/TLS creates a side channel that allows the attacker to invert the RSA encryption. The attacker can then either recover the premaster-secret or sign a message on behalf of the server. Practical tests showed that two thirds of randomly chosen Internet SSL/TLS servers were vulnerable. The attack is an extension of Bleichenbacher’s attack on PKCS#1 (v. 1.5). We introduce the concept of a bad-version oracle (BVO) that covers the side channel leakage, and present several methods that speed up the original algorithm. Our attack was successfully tested in practice and the results of complexity measurements are presented in the paper. Plugging a testing server (2x Pentium III/1.4 GHz, 1 GB RAM, 100 Mb/s Ethernet, OS RedHat 7.2, Apache 1.3.27), it was possible to achieve a speed of 67.7 BVO calls per second for a 1024 bits RSA key. The median time for a whole attack on the premaster-secret could be then estimated as 54 hours and 42 minutes. We also propose and discuss countermeasures, which are both cryptographically acceptable and practically feasible.

Available format(s)
Publication info
Published elsewhere. Extended version of the paper presented at CHES 2003, September 7-11, Cologne, Germany
cryptanalysisside channel attacksSSLTLSRSA
Contact author(s)
t_rosa @ volny cz
2003-08-29: revised
2003-03-18: received
See all versions
Short URL
Creative Commons Attribution


      author = {Vlastimil Klima and Ondrej Pokorny and Tomas Rosa},
      title = {Attacking {RSA}-based Sessions in {SSL}/{TLS}},
      howpublished = {Cryptology ePrint Archive, Paper 2003/052},
      year = {2003},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.