Concepedia

Publication | Open Access

Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks

Citations: 64

References: 8

Year: 2014

Abstract

As a countermeasure against the famous Bleichenbacher attack on RSA based ciphersuites, all TLS RFCs starting from RFC 2246 (TLS 1.0) propose “to treat incorrectly formatted messages in a manner indistinguishable from correctly formatted RSA blocks”. In this paper we show that this objective has not been achieved yet (cf. Table 1): We present four new Bleichenbacher side channels, and three successful Bleichenbacher attacks against the Java Secure Socket Extension (JSSE) SSL/TLS implementation and against hardware security appliances using the Cavium NITROX SSL accelerator chip. Three of these side channels are timing-based, and two of them provide the first timing-based Bleichenbacher attacks on SSL/TLS described in the literature. Our measurements confirmed that all these side channels are observable over a switched network, with timing differences between 1 and 23 microseconds. We were able to successfully recover the PreMasterSecret using three of the four side channels in a realistic measurement setup.
