ROBOT Attack
What is ROBOT Attack?
A 2017 resurrection of Bleichenbacher's 1998 RSA PKCS#1 v1.5 padding oracle on TLS servers, enabling session decryption or impersonation.
ROBOT (Return Of Bleichenbacher's Oracle Threat) was published in 2017 by Böck, Somorovsky and Young. It showed that many TLS stacks still leaked enough information during the RSA key exchange to mount Bleichenbacher's adaptive chosen-ciphertext attack on PKCS#1 v1.5 padding. Vulnerable products from F5, Citrix, Cisco, Erlang, Bouncy Castle and others received separate CVEs. With a few thousand to a few million queries an attacker can recover the premaster secret of a captured session and decrypt it, or sign data with the server's private key. Mitigations: disable static-RSA key-exchange ciphersuites, prefer (EC)DHE, and adopt TLS 1.3, which removes PKCS#1 v1.5 RSA encryption entirely.
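As an added example (not code from the original page or from the ROBOT authors), a small Python audit that classifies a server's advertised cipher suites by key exchange, using the IANA naming convention, and flags the static-RSA suites the mitigation above says to disable; the sample suite list is constructed.

```python
import re

# TLS 1.3 suites carry no key-exchange token: the handshake is always (EC)DHE
# and never RSA encryption, so they cannot expose a PKCS#1 v1.5 oracle.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
                "TLS_AES_128_CCM_8_SHA256"}
# Pre-1.3 IANA names look like TLS_<key-exchange>_WITH_<cipher>_<mac>.
_KX_RE = re.compile(r"^TLS_(?P<kx>[A-Za-z0-9_]+?)_WITH_")

def key_exchange(suite: str) -> str:
    """Classify an IANA cipher-suite name by how the premaster secret is agreed."""
    if suite in TLS13_SUITES:
        return "tls13"
    m = _KX_RE.match(suite)
    if not m:
        return "unknown"
    kx = m.group("kx")
    # RSA, RSA_EXPORT and RSA_PSK encrypt the premaster secret under the server's
    # RSA key with PKCS#1 v1.5: the primitive a Bleichenbacher oracle attacks.
    # DHE_RSA / ECDHE_RSA use the RSA key only for signing and are not affected.
    if kx.split("_")[0] == "RSA":
        return "static-rsa"
    if kx.startswith("ECDHE"):
        return "ecdhe"
    if kx.startswith("DHE"):
        return "dhe"
    return "other"  # static (EC)DH, PSK, SRP, anon or NULL key exchange

def audit_ciphersuites(suites: list) -> dict:
    """Split a server's enabled suites into ROBOT-exposed and safe groups."""
    report = {"static_rsa": [], "forward_secret": [], "other": []}
    for s in suites:
        kx = key_exchange(s)
        if kx == "static-rsa":
            report["static_rsa"].append(s)
        elif kx in ("ecdhe", "dhe", "tls13"):
            report["forward_secret"].append(s)
        else:
            report["other"].append(s)
    return report

# Constructed sample: a mixed list as an older server might still advertise it.
SAMPLE_SERVER_SUITES = [
    "TLS_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_PSK_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
]
```

Anything reported under `static_rsa` is a suite whose handshake hands the server's RSA decryption to the network and should be removed from the configuration; `forward_secret` suites and TLS 1.3 are the target state the mitigation describes.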
● Examples
- 01: Decrypting recorded HTTPS sessions to Facebook's load balancers (CVE-2017-1428x family).
- 02: Forging a TLS signature with the server's private key to impersonate it to a client.
● Frequently asked questions
What is ROBOT Attack?
A 2017 resurrection of Bleichenbacher's 1998 RSA PKCS#1 v1.5 padding oracle on TLS servers, enabling session decryption or impersonation. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against ROBOT Attack?
Defences for ROBOT Attack typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for ROBOT Attack?
Common alternative names include: ROBOT, Return Of Bleichenbacher's Oracle Threat.
● Related terms
- Bleichenbacher Attack (attacks № 103): A 1998 adaptive chosen-ciphertext attack by Daniel Bleichenbacher that recovers RSA plaintext when the server leaks whether PKCS#1 v1.5 padding is valid.
- Padding Oracle Attack (attacks № 786): A cryptographic attack (Vaudenay 2002) that decrypts CBC ciphertext when a server reveals whether a tampered message has correct PKCS#7 padding.
- TLS (Transport Layer Security) (network-security № 1159): The IETF-standardized cryptographic protocol that provides confidentiality, integrity, and authentication for traffic between two networked applications.
- SSL/TLS Downgrade Attack (attacks № 1093): An active man-in-the-middle attack that forces a client and server to negotiate a weaker protocol version, cipher, or key size to enable further compromise.
● See also
- Logjam (№ 631)
- FREAK Attack (№ 434)