Marvin Attack, a timing-based attack on RSA

Marvin Attack

Marvin is the return of a 25-year-old vulnerability that allows RSA signing and decryption operations to be performed by an attacker who can only observe the timing of the decryption.

During ESORICS 2023 (European Symposium on Research in Computer Security), held from September 25 to 29 in the Netherlands, Hubert Kario, a security researcher at Red Hat, presented the "Marvin Attack", a technique that recovers the original plaintext by measuring the time taken by decryption operations based on the RSA algorithm.

The Marvin Attack is a variation of the Bleichenbacher method proposed in 1998, and continues the line of work of the ROBOT and CAT attacks published in 2017 and 2019.

The Marvin attack is the return of a 25-year-old vulnerability that allows an attacker to perform RSA signing and decryption operations while being able to observe only the time taken by a decryption operation performed with the private key.

In 1998, Daniel Bleichenbacher discovered that the error messages SSL servers returned for PKCS #1 v1.5 padding errors enabled an adaptively chosen ciphertext attack that completely breaks the confidentiality of TLS when used with RSA encryption. In 2017, 19 years later, Hanno Böck, Juraj Somorovsky and Craig Young showed with ROBOT that many Internet servers were still vulnerable to slight variations of the original attack.

The essence of the method is that an attacker, from differences in the server's responses and execution times, can distinguish ciphertexts whose decryption yields a correct PKCS #1 v1.5 padding block from those that yield an incorrect one (PKCS #1 v1.5 padding is what extends the message to the size of the RSA modulus). Using the server as an oracle for padding correctness, the attacker submits a large number of adaptively chosen ciphertexts derived from the target ciphertext and progressively narrows down the interval that contains the plaintext.

In this case, the attack does not recover the private key itself; it only decrypts a ciphertext or produces a forged signature. To succeed, the attacker must send a very large number of trial messages to be decrypted.
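The adaptive chosen-ciphertext procedure summarized above, as an added example that is not part of the original article or of the Marvin research: Bleichenbacher's algorithm run against a simulated PKCS #1 v1.5 padding oracle. The oracle object returns directly the one bit ("does the decrypted block start with 00 02?") that Marvin has to infer from timing, so the code shows what the attacker does with that bit, not how it is measured. The key generation, padding routine, oracle class and function names are this example's own, and the key is a toy 128-bit RSA modulus from a seeded RNG so that the demo finishes in seconds.

```python
import random

def cdiv(x, y):
    """Ceiling division for integers (Python floor-divides, so negate twice)."""
    return -(-x // y)

def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin with rng-chosen bases; adequate for a toy key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_key(bits, rng, e=65537):
    """Toy RSA key pair (n, e, d); deterministic for a seeded rng."""
    def prime():
        while True:
            c = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if is_probable_prime(c, rng):
                return c
    while True:
        p, q = prime(), prime()
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return n, e, pow(e, -1, phi)

def pkcs1_v15_pad(msg, k, rng):
    """EME-PKCS1-v1_5: 00 02 || PS (>= 8 nonzero random bytes) || 00 || M."""
    ps = bytes(rng.randrange(1, 256) for _ in range(k - 3 - len(msg)))
    assert len(ps) >= 8, "message too long for this modulus"
    return b"\x00\x02" + ps + b"\x00" + msg

class PaddingOracle:
    """Stand-in for the side channel: the real attack infers this bit from timing.
    Checks only the 00 02 prefix (m in [2B, 3B)), as Bleichenbacher's analysis assumes."""
    def __init__(self, n, d):
        self.n, self.d, self.queries = n, d, 0
        self.B = 1 << (8 * ((n.bit_length() + 7) // 8 - 2))
    def __call__(self, c):
        self.queries += 1
        return 2 * self.B <= pow(c, self.d, self.n) < 3 * self.B

def narrow(M, s, n, B):
    """Step 3: intersect each interval with the constraint 2B <= m*s - r*n < 3B."""
    new = []
    for a, b in M:
        for r in range(cdiv(a * s - 3 * B + 1, n), (b * s - 2 * B) // n + 1):
            lo = max(a, cdiv(2 * B + r * n, s))
            hi = min(b, (3 * B - 1 + r * n) // s)
            if lo <= hi:
                new.append((lo, hi))
    merged = []
    for lo, hi in sorted(new):  # union of overlapping or adjacent intervals
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def bleichenbacher(c0, n, e, oracle):
    """Recover m = c0^d mod n using only the oracle. c0 is a real (conforming)
    ciphertext, so the blinding step is skipped (s0 = 1)."""
    B = 1 << (8 * ((n.bit_length() + 7) // 8 - 2))
    M, s = [(2 * B, 3 * B - 1)], None
    conforming = lambda t: oracle(c0 * pow(t, e, n) % n)
    while True:
        if s is None or len(M) > 1:          # steps 2a / 2b: linear search for s
            s = cdiv(n, 3 * B) if s is None else s + 1
            while not conforming(s):
                s += 1
        else:                                # step 2c: one interval left, halve it
            a, b = M[0]
            r = cdiv(2 * (b * s - 2 * B), n)
            while True:
                lo, hi = cdiv(2 * B + r * n, b), (3 * B - 1 + r * n) // a
                hit = next((t for t in range(lo, hi + 1) if conforming(t)), None)
                if hit is not None:
                    s = hit
                    break
                r += 1
        M = narrow(M, s, n, B)
        if len(M) == 1 and M[0][0] == M[0][1]:
            return M[0][0]

def attack_demo(seed=7, msg=b"hi!"):
    """Encrypt msg under a toy 128-bit key, recover it with oracle access only;
    returns (recovered plaintext, number of oracle queries)."""
    rng = random.Random(seed)                # seeded: constructed, reproducible key
    n, e, d = gen_key(128, rng)
    k = (n.bit_length() + 7) // 8
    c0 = pow(int.from_bytes(pkcs1_v15_pad(msg, k, rng), "big"), e, n)
    oracle = PaddingOracle(n, d)
    em = bleichenbacher(c0, n, e, oracle).to_bytes(k, "big")
    return em[em.index(b"\x00", 2) + 1:], oracle.queries

if __name__ == "__main__":
    print(attack_demo())
```

Running attack_demo() recovers the plaintext after tens of thousands of oracle calls, which is why the attack needs such a large volume of trial messages against a real server. Note that the oracle never touches the private key beyond one ordinary decryption per query: closing it means removing the observable difference between the valid-padding and invalid-padding paths, not changing the RSA arithmetic.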

Against TLS servers that use RSA key exchange (where the client encrypts the premaster secret with the server's RSA key), the attack lets the attacker passively record intercepted traffic and decrypt it later. For servers that use forward-secret (PFS) key exchange, carrying out the attack is much harder, and success depends on how quickly it can be completed.

In addition, the method can forge a digital signature over the contents of a TLS 1.2 ServerKeyExchange message or a TLS 1.3 CertificateVerify message sent during the key exchange, which can be used for man-in-the-middle (MITM) attacks that intercept the TLS connection between client and server.

What distinguishes the Marvin method from its predecessors comes down to improved techniques: better separation of correctly and incorrectly padded ciphertexts, filtering of false positives, more precise measurement of computation time, and the use of additional side channels during the measurements.

In practice, the proposed method allows traffic to be decrypted or digital signatures to be generated without knowing the private RSA key. To test the applicability of the attack, a script for checking TLS servers (part of tlsfuzzer) and tooling for identifying the problem in libraries (the marvin-toolkit) were published.

The problem affects several protocol implementations that use RSA with PKCS #1 v1.5. Although modern cryptographic libraries include some protection against Bleichenbacher-style attacks, the study found that libraries still have open leak channels and do not process correctly and incorrectly padded messages in constant time. For example, the Marvin attack against GnuTLS is not tied to the code that performs the RSA computation itself; it exploits the different running time of the code that decides whether to emit a particular error message.

The author of the study also believes that this class of vulnerabilities is not limited to RSA and may affect many other cryptographic algorithms that rely on general-purpose big-integer arithmetic libraries.

To confirm that the Marvin attack is practical, the researcher demonstrated the method against applications based on the M2Crypto and pyca/cryptography libraries, where a few hours on an ordinary laptop were enough to break the encryption.

Finally, if you are interested in learning more, you can consult the details at the following link.
