Cryptology ePrint Archive: Report 2017/1189

Return Of Bleichenbacher's Oracle Threat (ROBOT)

Hanno Böck and Juraj Somorovsky and Craig Young

Abstract: Many web hosts are still vulnerable to one of the oldest attacks against RSA in TLS. We show that Bleichenbacher’s RSA vulnerability from 1998 is still very prevalent in the Internet and affects almost a third of the top 100 domains in the Alexa Top 1 Million list, among them Facebook and Paypal. We identified vulnerable products from at least eight different vendors and open source projects, among them F5, Citrix, Radware, Cisco, Erlang, Bouncy Castle, and WolfSSL. Further we have demonstrated practical exploitation by signing a message with the private key of’s HTTPS certificate. Finally, we discuss countermeasures against Bleichenbacher attacks in TLS and recommend to deprecate the RSA encryption key exchange in TLS and the PKCS #1 v1.5 standard.

Category / Keywords: public-key cryptography / RSA, TLS, public-key cryptography,

Date: received 8 Dec 2017, last revised 12 Dec 2017

Contact author: hanno at hboeck de

Available format(s): PDF | BibTeX Citation

Note: Hopefully really last update, add Citrix advisory to bibliography.

Version: 20171212:150007 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]