Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks

Christopher Meyer, Juraj Somorovsky, Eugen Weiss, Jörg Schwenk, Sebastian Schinzel, Erik Tews

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

67 Citations (Scopus)
20 Downloads (Pure)


As a countermeasure against the famous Bleichenbacher attack on RSA based ciphersuites, all TLS RFCs starting from RFC 2246 (TLS 1.0) propose “to treat incorrectly formatted messages in a manner indistinguishable from correctly formatted RSA blocks”. In this paper we show that this objective has not been achieved yet (cf. Table 1): We present four new Bleichenbacher side channels, and three successful Bleichenbacher attacks against the Java Secure Socket Extension (JSSE) SSL/TLS implementation and against hardware security appliances using the Cavium NITROX SSL accelerator chip. Three of these side channels are timingbased, and two of them provide the first timing-based Bleichenbacher attacks on SSL/TLS described in the literature. Our easurements confirmed that all these side channels are observable over a switched network, with timing differences between 1 and 23 microseconds. We were able to successfully recover the PreMasterSecret using three of the four side channels in a realistic measurement setup.
Original languageEnglish
Title of host publicationProceedings of the 23rd USENIX Security Symposium
Number of pages16
Publication statusPublished - 2014
Externally publishedYes
Event23rd USENIX Security Symposium 2014 - San Diego, United States
Duration: 20 Aug 201422 Aug 2014
Conference number: 23


Conference23rd USENIX Security Symposium 2014
Abbreviated titleUSENIX Security
Country/TerritoryUnited States
CitySan Diego
Internet address


Dive into the research topics of 'Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks'. Together they form a unique fingerprint.

Cite this