Bleichenbacher Attack
What is Bleichenbacher Attack?
A 1998 adaptive chosen-ciphertext attack by Daniel Bleichenbacher that recovers RSA plaintext when the server leaks whether PKCS#1 v1.5 padding is valid.
Daniel Bleichenbacher published this attack at CRYPTO 1998 against the SSL handshake using RSA-PKCS#1 v1.5 encryption. The server accidentally acts as a padding oracle: any distinguishable response (TLS alert code, connection reset, or timing) tells the attacker whether a tampered ciphertext decrypts to a value beginning with the bytes 0x00 0x02. Because RSA is multiplicatively homomorphic, the attacker multiplies the captured ciphertext by chosen values s, submits the result, and uses each "valid padding" answer to shrink the set of possible plaintexts. After roughly a million queries the interval collapses to a single value and the RSA-encrypted premaster secret is recovered — without ever touching the private key — letting the attacker decrypt the session or forge an RSA signature.
The flaw is hard to kill because PKCS#1 v1.5 unpadding resists constant-time implementation: the check must scan for the 0x00 0x02 header and the separator byte, and any branch or early exit on the result becomes the oracle. It returned as DROWN (CVE-2016-0800), which used an SSLv2 oracle to break modern TLS sessions, and as ROBOT (Return Of Bleichenbacher's Oracle Threat, 2017) — researchers Böck, Somorovsky and Young found F5 (CVE-2017-6168), Citrix, Cisco and others still vulnerable, and demonstrated it against Facebook and PayPal. Defences: identical error handling for good and bad padding (TLS implementations substitute a random premaster secret rather than reporting the failure), prefer RSA-OAEP, disable RSA key-exchange cipher suites, and adopt TLS 1.3, which removes RSA encryption from the handshake entirely.
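As an added illustration (not code from this page or from any of the products named above), the Python below contrasts the textbook PKCS#1 v1.5 unpadding that produces the oracle described in the attack paragraph with the uniform-response unpadding the defence paragraph calls for. The 128-byte modulus size, the 48-byte premaster-secret length and the sample blocks are constructed for the demo. Python itself cannot execute in constant time, so the point is the structure of the hardened routine: a single code path with no early exit, every failure folded into one flag, and a random fallback secret returned instead of an error.

```python
import secrets


def unpad_pkcs1_v15_leaky(em: bytes, k: int) -> bytes:
    """Textbook PKCS#1 v1.5 unpadding of an RSA-decrypted block.

    Each check fails with its own exception at a different point, so a
    caller that maps exceptions to alerts (or simply runs longer on one
    path) reveals whether the block began with 0x00 0x02."""
    if len(em) != k:
        raise ValueError("bad length")
    if em[0] != 0x00 or em[1] != 0x02:
        raise ValueError("bad header")          # distinguishable failure
    sep = em.find(b"\x00", 2)                   # early exit: timing varies
    if sep == -1:
        raise ValueError("no separator")
    if sep - 2 < 8:
        raise ValueError("padding string too short")
    return em[sep + 1:]


def unpad_pkcs1_v15_uniform(em: bytes, k: int, secret_len: int = 48) -> bytes:
    """Unpadding with a uniform response (assumed demo implementation).

    Never signals failure: on any padding error it returns a fresh random
    secret of the expected length, so the handshake fails later in the
    same way whether or not the padding was valid."""
    if len(em) != k:
        # The block length is fixed by the modulus, not chosen by the
        # sender, so rejecting it here is a programming error, not a leak.
        raise ValueError("block length must equal the modulus size")
    fallback = secrets.token_bytes(secret_len)

    bad = em[0] ^ 0x00
    bad |= em[1] ^ 0x02

    # Scan the entire block for the first zero byte without exiting early.
    found = 0
    sep = 0
    for i in range(2, k):
        is_zero = ((em[i] - 1) >> 8) & 1        # 1 iff em[i] == 0
        take = is_zero & (found ^ 1)            # only the first zero counts
        sep += take * i
        found |= is_zero

    bad |= found ^ 1                            # no separator at all
    bad |= ((sep - 2 - 8) >> 64) & 1            # padding string shorter than 8
    bad |= (k - sep - 1) ^ secret_len           # message not the expected size
    is_bad = ((bad | -bad) >> 64) & 1           # collapse to 0 or 1

    # The message, if valid, sits at a fixed offset; select it or the
    # fallback with a byte mask instead of a branch.
    candidate = em[k - secret_len:]
    mask_bad = -is_bad & 0xFF                   # 0xFF when bad, else 0x00
    mask_ok = mask_bad ^ 0xFF
    return bytes((c & mask_ok) | (f & mask_bad)
                 for c, f in zip(candidate, fallback))


def pkcs1_v15_pad(secret: bytes, k: int) -> bytes:
    """EME-PKCS1-v1_5 encoding: 00 02 <at least 8 nonzero bytes> 00 M."""
    ps_len = k - 3 - len(secret)
    if ps_len < 8:
        raise ValueError("message too long for modulus")
    ps = bytes(secrets.randbelow(255) + 1 for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + secret


def responses_differ(unpad, em_good: bytes, em_bad: bytes, k: int) -> bool:
    """True if the two blocks yield different observable behaviour
    (exception vs. none), i.e. if `unpad` could serve as a padding oracle."""
    outcomes = []
    for em in (em_good, em_bad):
        try:
            unpad(em, k)
            outcomes.append("ok")
        except ValueError:
            outcomes.append("error")
    return outcomes[0] != outcomes[1]


if __name__ == "__main__":
    k = 128                                     # constructed 1024-bit modulus size
    secret = secrets.token_bytes(48)
    good = pkcs1_v15_pad(secret, k)
    tampered = b"\x00\x03" + good[2:]           # header no longer 00 02
    print("leaky unpad distinguishable:",
          responses_differ(unpad_pkcs1_v15_leaky, good, tampered, k))
    print("uniform unpad distinguishable:",
          responses_differ(unpad_pkcs1_v15_uniform, good, tampered, k))
```

The hardened routine still has to verify the recovered secret later (TLS does this through the Finished message), which is why returning a random value is safe: a wrong guess by the sender fails the handshake exactly as a bad padding would, and the two cases are indistinguishable from outside.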
flowchart TD
A[Attacker captures RSA ciphertext c] --> B["Pick multiplier s, send c·s^e mod n"]
B --> C{Server padding check}
C -->|"Starts 0x00 0x02 → valid"| D[Narrow plaintext interval]
C -->|"Invalid → distinct response"| E[Discard this s]
D --> F{Interval = 1 value?}
E --> B
F -->|No| B
F -->|Yes| G[Premaster secret recovered]
● Examples
- 01: Recovering the SSL premaster secret from a 1990s web server that returned different alerts for bad padding.
- 02: The DROWN and ROBOT attacks both reuse this oracle against modern TLS stacks.
● Frequently asked questions
What is Bleichenbacher Attack?
A 1998 adaptive chosen-ciphertext attack by Daniel Bleichenbacher that recovers RSA plaintext when the server leaks whether PKCS#1 v1.5 padding is valid. It belongs to the Attacks & Threats category of cybersecurity.
What does Bleichenbacher Attack mean?
A 1998 adaptive chosen-ciphertext attack by Daniel Bleichenbacher that recovers RSA plaintext when the server leaks whether PKCS#1 v1.5 padding is valid.
How do you defend against Bleichenbacher Attack?
Defences combine identical error handling for valid and invalid padding (so no alert, reset or timing difference reveals the result), preferring RSA-OAEP over PKCS#1 v1.5, disabling RSA key-exchange cipher suites, and adopting TLS 1.3, which removes RSA encryption from the handshake entirely.
What are other names for Bleichenbacher Attack?
Common alternative names include: Million Message Attack, Bleichenbacher 1998.