Marvin ndiko kudzoka kwekusagadzikana kwemakore makumi maviri neshanu kunobvumira kusaina kweRSA uye kudhirowa mabasa.
Munguva yeESORICS 2023 (European Symposium paComputer Security Research) yakaitwa kubva munaGunyana 25 kusvika 29 muNetherlands, muongorori wezvekuchengetedza anoshanda kuRed Hat, akapa "Marvin Attack", nzira yekurwisa iyo inobvumira kuti data yepakutanga ionekwe nekuyera kunonoka panguva yekushanda decryption yakavakirwa paRSA algorithm.
Marvin Attack, Icho mutsauko weBleichenbacher nzira, yakatsanangurwa muna 1998, uye inoenderera mberi nekuvandudzwa kweROBOT uye New CAT kurwiswa kwakaburitswa muna 2017 na2019.
Kurwiswa kweMarvin ndiko kudzoka kwekusagadzikana kwemakore makumi maviri neshanu kunobvumira kusaina kweRSA uye mashandiro edecryption kuti aitwe seanorwisa achikwanisa kuona chete nguva yekudhirowa kwakaitwa nekiyi yakavanzika.
Muna 1998, Daniel Bleichenbacher akawana kuti mameseji ekukanganisa aipihwa nemaseva eSSL ekukanganisa muPKCS #1 v1.5 padding aigonesa kurwisa kwemazwi akasarudzika; Kurwiswa uku kunotyora zvachose kuvanzika kweTLS kana kuchishandiswa neRSA encryption. Muna 2018, Hanno Böck, Juraj Somorovsky naCraig Young vakaratidza makore gumi nemapfumbamwe gare gare kuti maseva mazhinji eInternet aive achiri panjodzi yekusiyana kudiki kwekurwiswa kwekutanga.
Kunyanya kunotaurwa kuti musimboti wenzira yacho anorwisa, zvichibva pane zvakasiyana-siyana zvema server uye nguva dzakasiyana dzekuita, inokwanisa kupatsanura mabhuroko chaiwo uye asiri iwo Yakawedzerwa nePKCS #1 v1.5 yakajairwa kurongedza data rakavharidzirwa pamwe nemuganhu webhuroka. Nekugadzirisa ruzivo nezve kurongeka kwepadding block, munhu anorwisa anogona kushandisa hutsinye chisimba kugadzira zvakare ciphertext yakakodzera.
Muchiitiko ichi, kurwiswa hakutore zvakananga kiyi yakavanzika, asi kunongobvisa zvinyorwa. encryption kana kugadzira meseji yenhema yakasainwa. Kuti uite kurwisa kwakabudirira, zvinodikanwa kutumira yakakura kwazvo vhoriyamu yebvunzo mameseji kuti adzingwe.
Kushandisa kurwisa maseva TLS uchishandisa encryption zvichibva pamakiyi eRSA anobvumira munhu anorwisa kuti angochengeta traffic yakavharirwa obva ainyora. Kune maseva anotsigira PFS, kuita kurwisa kunowedzera kuoma uye kubudirira kunoenderana nekuti nekukurumidza kurwiswa kunoitwa sei.
Uyewo, iyo nzira inobvumira kugadzira yekunyepedzera yedhijitari siginecha iyo inoongorora zviri muTLS 1.2 ServerKeyExchange mameseji kana TLS 1.3 CertificateVerify meseji inofambiswa mukiyi yekuchinjana nhanho, inogona kushandiswa kuita MITM kurwisa kuvharira kubatana kweTLS pakati pemutengi neseva.
Izvo zvinotaurwa kuti musiyano pakati penzira Marvin akaderedzwa kusvika a Yakavandudzwa tekinoroji yekuparadzanisa yakarurama uye isiriyo yekuwedzera data, sefa manyepo enhema, kunyatsoona kunonoka kwekuverenga, uye shandisa mamwe echitatu-bato chiteshi panguva yekuyera.
Mukuita, iyo nzira yakatsanangurwa inobvumira kudhipfenyura traffic kana kugadzira masiginecha edhijitari usingazive kiyi yeRSA yakavanzika. Kuedza kushanda kwekurwiswa, chinyorwa chakakosha chekutarisa maseva eTLS uye maturusi ekuona matambudziko mumaraibhurari akaburitswa.
Dambudziko inokanganisa akati wandei maitirwo eprotocol anoshandisa RSA nePKCS. Kunyangwe maraibhurari emazuva ano e-cryptographic ane dziviriro kubva pakurwiswa kwakavakirwa panzira yeBleichenbacher, ongororo yakaratidza kuti maraibhurari ane nzira dzakavhurika dzekuvuza uye usape inogara ichigadzirisa nguva yemapakiti akazadzwa nemazvo uye zvisizvo. Semuenzaniso, kuita kwaMarvin kurwiswa kweGnuTLS hakuna kusungirirwa kune kodhi inoita zvakananga maverengero ane chekuita neRSA, asi anoshandisa nguva dzakasiyana dzekumhanya kwekodhi inosarudza kana kuratidza imwe kukanganisa meseji.
Munyori wechidzidzo ichi anotendawo kuti kirasi yekusagadzikana inotariswa haina kuganhurirwa kuRSA uye inogona kukanganisa mamwe akawanda cryptographic algorithms anoenderana neakajairwa maraibhurari ehuwandu hwekuverenga.
Kuti asimbise mukana wekuita kurwisa kwaMarvin mukuita, muongorori akaratidza kushanda kweiyo nzira kune zvikumbiro zvichibva paM2Crypto uye pyca/cryptography raibhurari, umo maawa mashoma aive akakwana kukanganisa encryption nekuita bvunzo pa avhareji laptop.
Chekupedzisira, kana iwe uchida kukwanisa kuziva zvakawanda nezvazvo, unogona kubvunza iwo ruzivo mu inotevera chinongedzo.