A Decade After Bleichenbacher '06, RSA Signature Forgery Still Works

Explore a Black Hat conference talk that delves into RSA signature forgery vulnerabilities persisting a decade after Bleichenbacher's 2006 attack. Learn about the researchers' use of dynamic symbolic execution to analyze signature verification logic across various implementations, resulting in 6 new CVEs. Discover the systematic approach used to uncover these flaws, including the release of a toolchain and relevant artifacts. Gain insights into why such vulnerabilities continue to exist and how to prevent similar mistakes in the future. Follow the presentation's structure, covering topics from textbook RSA signatures to PKCS#1 v1.5 Signature Scheme, Bleichenbacher's low exponent attack, and specific case studies involving Openswan and strongSwan implementations.

Intro
Textbook RSA signature
Beyond textbook RSA
PKCS#1 v1.5 Signature Scheme
Bleichenbacher's low exponent attack
A little brain teaser
Why was the attack possible?
To find these attacks
Automatically generate concolic test cases
Testing with Symbolic Execution
Implementations Tested
Leniency in Openswan 2.6.50
New unit test in Openswan
Leniency in strongSwan 5.6.3
strongSwan Security Update
Lessons Learned