"LuckyMinus20": Yet Another Padding Oracle in OpenSSL CBC Cipher Suites

Datetime: 2016-08-22 21:47:12          Topic: OpenSSL

Early this week, a new OpenSSL error code padding oracle dropped. Padding oracles are one of the most fun crypto vulnerabilities, so I gave this one the full treatment.

I'm pretty happy about the writeup. It comes with hand-drawn diagrams :)

Also read the writeup by Juraj Somorovsky, who found the vulnerability with his cool new Java TLS test framework.

We chatted a bit with Juraj about how to extend this attack to full-message decryption (instead of only 16 bytes), and we are both pretty convinced that there's no way now.

A surprisingly high number of high-profile websites hadn't patched yet 10 hours after the release.

The vulnerable code was introduced while fixing Lucky13 (not by Adam Langley's patch, but in a multi-purpose uncommented function with three levels of #ifdef), and as Kenny Paterson points out, they even warned about it in the L13 paper!
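To make the bug class concrete, here is an added illustration (written for this page; it is not OpenSSL's code and not taken from either writeup) of what "error code padding oracle" means for a CBC record check. The first checker reports a padding failure and a MAC failure with different codes and returns before the MAC is even computed; the second reports every failure with one code and always runs the MAC check, so the padding result is not observable through the error path. The record layout (plaintext || MAC || padding || pad-length byte), the toy MAC and the sample message are constructed for the demo, and the demo deliberately leaves the separate timing question (Lucky13's concern) out of scope.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAC_LEN 20

/* Result codes. The leaky checker uses all four; the uniform checker only
 * ever returns REC_OK or REC_FAIL. */
enum { REC_OK = 0, REC_BAD_PADDING = 1, REC_BAD_MAC = 2, REC_FAIL = 3 };

/* Toy MAC for a self-contained demo (constructed, NOT a real MAC):
 * XOR-fold the bytes into a fixed-size tag. */
static void toy_mac(const uint8_t *data, size_t len, uint8_t out[MAC_LEN]) {
    memset(out, 0x5a, MAC_LEN);
    for (size_t i = 0; i < len; i++) out[i % MAC_LEN] ^= data[i];
}

/* Leaky checker (the bug class): distinct codes for bad padding and bad
 * MAC, and an early return on bad padding before the MAC is checked. Anyone
 * who sees the error code learns whether the padding was valid. */
int check_record_leaky(const uint8_t *rec, size_t len) {
    if (len < MAC_LEN + 1) return REC_FAIL;
    uint8_t pad = rec[len - 1];
    if ((size_t)pad + 1 + MAC_LEN > len) return REC_BAD_PADDING;
    for (size_t i = 0; i <= pad; i++)                 /* pad+1 bytes equal pad */
        if (rec[len - 1 - i] != pad) return REC_BAD_PADDING;
    size_t plen = len - 1 - pad - MAC_LEN;
    uint8_t mac[MAC_LEN];
    toy_mac(rec, plen, mac);
    if (memcmp(mac, rec + plen, MAC_LEN) != 0) return REC_BAD_MAC;
    return REC_OK;
}

/* Uniform checker: one failure code, no early exit on padding, the MAC is
 * always computed and compared, and failures are accumulated into one flag. */
int check_record_uniform(const uint8_t *rec, size_t len) {
    if (len < MAC_LEN + 1) return REC_FAIL;            /* length is public */
    uint8_t pad = rec[len - 1];
    size_t max_pad = len - MAC_LEN - 1;                /* bytes available for padding */
    unsigned bad = ((size_t)pad > max_pad);
    uint8_t eff = bad ? 0 : pad;                       /* impossible pad: still do real work */
    for (size_t i = 0; i <= eff; i++) bad |= (rec[len - 1 - i] != pad);
    size_t plen = len - 1 - eff - MAC_LEN;
    uint8_t mac[MAC_LEN];
    toy_mac(rec, plen, mac);
    unsigned diff = 0;
    for (size_t i = 0; i < MAC_LEN; i++) diff |= (unsigned)(mac[i] ^ rec[plen + i]);
    bad |= (diff != 0);
    return bad ? REC_FAIL : REC_OK;
}

/* Build a well-formed record: msg || toy_mac(msg) || (pad+1) bytes of value pad.
 * Returns the total record length. */
size_t build_record(const uint8_t *msg, size_t mlen, uint8_t pad, uint8_t *out) {
    memcpy(out, msg, mlen);
    toy_mac(msg, mlen, out + mlen);
    memset(out + mlen + MAC_LEN, pad, (size_t)pad + 1);
    return mlen + MAC_LEN + pad + 1;
}

/* Returns 1 if the checker reports a corrupted pad byte and a corrupted MAC
 * byte with different codes (an oracle), 0 if it reports them identically,
 * and -1 if it rejects the well-formed record (a bug in the demo itself). */
int demo_distinguishable(int (*check)(const uint8_t *, size_t)) {
    const uint8_t msg[] = "hello world";               /* constructed sample */
    uint8_t rec[64], bad_pad[64], bad_mac[64];
    size_t n = build_record(msg, sizeof msg - 1, 3, rec);
    if (check(rec, n) != REC_OK) return -1;
    memcpy(bad_pad, rec, n); bad_pad[n - 2] ^= 0x01;   /* corrupt one padding byte */
    memcpy(bad_mac, rec, n); bad_mac[sizeof msg - 1] ^= 0x01; /* corrupt first MAC byte */
    int a = check(bad_pad, n), b = check(bad_mac, n);
    if (a == REC_OK || b == REC_OK) return -1;
    return a != b;
}

int main(void) {
    printf("leaky checker distinguishable:   %d\n", demo_distinguishable(check_record_leaky));
    printf("uniform checker distinguishable: %d\n", demo_distinguishable(check_record_uniform));
    return 0;
}
```

The point of the uniform variant is that the two corrupted records are rejected, but identically; whether the pad bytes were right is no longer part of the receiver's output. An implementation review for this class of bug therefore looks at every exit from the record check, not only the obvious one, which is exactly why a multi-purpose function full of #ifdef branches is where it hides.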

@FiloSottile Was worried we'd missed this issue in the L13 paper. Turns out we didn't... pic.twitter.com/dGsQJfLPkU

— kennyog (@kennyog) 4 May 2016
