Bleichenbacher Attack
What is Bleichenbacher Attack?
A 1998 adaptive chosen-ciphertext attack by Daniel Bleichenbacher that recovers RSA plaintext when the server leaks whether PKCS#1 v1.5 padding is valid.
Daniel Bleichenbacher published this attack at CRYPTO 1998 against the SSL handshake using RSA-PKCS#1 v1.5 encryption. The server inadvertently acts as a padding oracle: any distinguishable response (timing, alert, error) tells the attacker whether a tampered ciphertext decrypts to a block beginning with the bytes 0x00 0x02. By submitting roughly a million carefully crafted ciphertexts, the attacker narrows down the plaintext interval and recovers the premaster secret, breaking confidentiality. The attack has resurfaced repeatedly (DROWN 2016, ROBOT 2017) because PKCS#1 v1.5 is hard to implement in constant time. Mitigation requires uniform error handling, RSA-OAEP for new designs, and TLS 1.3, which removes RSA encryption from the handshake.
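As an added illustration (not code from the original page), the contrast between a PKCS#1 v1.5 decoder that leaks the padding-validity bit described above and one with the uniform error handling the text recommends, where any failure yields a fresh random secret of the expected length so the peer sees one outcome either way. The names `pkcs1_v15_pad`, `unpad_leaky` and `unpad_uniform` are chosen here, and the input is a constructed 64-byte block carrying a 48-byte secret.

```python
import os
import secrets

# PKCS#1 v1.5 encryption block (RFC 2313 block type 2), k = modulus length in bytes:
#   0x00 0x02 || PS (>= 8 random non-zero bytes) || 0x00 || M
def pkcs1_v15_pad(message: bytes, k: int) -> bytes:
    """Build an encryption block; used here only to construct sample input."""
    ps_len = k - 3 - len(message)
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + message

def unpad_leaky(eb: bytes) -> bytes:
    """Early-exit decoder: distinct, distinguishable failures leak exactly the
    bit (does the decrypted block start with 0x00 0x02?) the oracle needs."""
    if eb[0] != 0 or eb[1] != 2:
        raise ValueError("bad block type")       # distinguishable response 1
    sep = eb.find(b"\x00", 2)
    if sep == -1 or sep - 2 < 8:
        raise ValueError("bad padding string")   # distinguishable response 2
    return eb[sep + 1:]

def unpad_uniform(eb: bytes, secret_len: int) -> bytes:
    """Uniform decoder: scans every byte without early exit, folds all checks
    into one flag, and on failure returns a fresh random secret of the expected
    length (the TLS countermeasure), so the peer sees one outcome either way.
    Python cannot promise constant time; the branch-free structure is the point."""
    k = len(eb)
    if secret_len > k - 11:                      # parameter sanity, not data-dependent
        raise ValueError("secret_len too large for block")
    msg_start = k - secret_len                   # TLS fixes the secret length (48 bytes)
    fallback = os.urandom(secret_len)
    bad = int(eb[0] != 0) | int(eb[1] != 2)
    for i in range(2, msg_start - 1):            # every PS byte must be non-zero
        bad |= int(eb[i] == 0)
    bad |= int(eb[msg_start - 1] != 0)           # separator must be 0x00
    mask = 0xFF * (1 - bad)                      # 0xFF if valid, 0x00 if not
    return bytes((eb[msg_start + i] & mask) | (fallback[i] & (0xFF ^ mask))
                 for i in range(secret_len))
```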
● Examples
- 01
Recovering the SSL premaster secret from a 1990s web server that returned different alerts for bad padding.
- 02
The DROWN and ROBOT attacks both reuse this oracle against modern TLS stacks.
● Frequently asked questions
What is Bleichenbacher Attack?
A 1998 adaptive chosen-ciphertext attack by Daniel Bleichenbacher that recovers RSA plaintext when the server leaks whether PKCS#1 v1.5 padding is valid. It belongs to the Attacks & Threats category of cybersecurity.
What does Bleichenbacher Attack mean?
A 1998 adaptive chosen-ciphertext attack by Daniel Bleichenbacher that recovers RSA plaintext when the server leaks whether PKCS#1 v1.5 padding is valid.
How does Bleichenbacher Attack work?
Daniel Bleichenbacher published this attack at CRYPTO 1998 against the SSL handshake using RSA-PKCS#1 v1.5 encryption. The server inadvertently acts as a padding oracle: any distinguishable response (timing, alert, error) tells the attacker whether a tampered ciphertext decrypts to a block beginning with the bytes 0x00 0x02. By submitting roughly a million carefully crafted ciphertexts, the attacker narrows down the plaintext interval and recovers the premaster secret, breaking confidentiality. The attack has resurfaced repeatedly (DROWN 2016, ROBOT 2017) because PKCS#1 v1.5 is hard to implement in constant time. Mitigation requires uniform error handling, RSA-OAEP for new designs, and TLS 1.3, which removes RSA encryption from the handshake.
How do you defend against Bleichenbacher Attack?
Defences combine technical controls and operational practices, as detailed in the full definition above: uniform error handling so that no timing, alert or error response distinguishes bad padding from good; RSA-OAEP in place of PKCS#1 v1.5 for new designs; and TLS 1.3, which removes RSA encryption from the handshake entirely.
What are other names for Bleichenbacher Attack?
Common alternative names include: Million Message Attack, Bleichenbacher 1998.
● Related terms
- attacks № 941
ROBOT Attack
A 2017 resurrection of Bleichenbacher's 1998 RSA PKCS#1 v1.5 padding oracle on TLS servers, enabling session decryption or impersonation.
- attacks № 786
Padding Oracle Attack
A cryptographic attack (Vaudenay 2002) that decrypts CBC ciphertext when a server reveals whether a tampered message has correct PKCS#7 padding.
- network-security № 1159
TLS (Transport Layer Security)
The IETF-standardized cryptographic protocol that provides confidentiality, integrity, and authentication for traffic between two networked applications.
- vulnerabilities № 1038
Side-Channel Attack
An attack that recovers secrets from a system by observing physical or implementation characteristics — timing, power, electromagnetic emissions, caches, acoustic signals — rather than logical flaws.