[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Vulnerability in Some Usages of PKCS#1

Title: Vulnerability in Some Usages of PKCS#1
Released by: CERT
Date: 26th June 1998
Printable version: Click here

Hash: SHA1


CERT* Advisory CA-98.07

Original issue date: June 26, 1998

Last revised: August 24, 1998

              Added vendor information for Silicon Graphics, Inc.

              A complete revision history is at the end of this file.

Topic: Vulnerability in Some Usages of PKCS#1

- -----------------------------------------------------------------------------

The CERT Coordination Center has received a report regarding a vulnerability

in some implementations of products utilizing RSA Laboratories' Public-Key

Cryptography Standard #1 (PKCS#1). Under some situations, a sophisticated

intruder may be able to use the vulnerability in PKCS#1 to recover

information from SSL-encrypted sessions.

The CERT/CC team recommends that sites install patches immediately as

described in Appendix A. Appendix A also contains pointers to web pages

containing additional information maintained by some vendors.

We will update this advisory as we receive additional information.  Please

check our advisory files regularly for updates that relate to your site.

- -----------------------------------------------------------------------------

I.   Description

     PKCS#1 is a standard for encrypting data using the RSA public-key

     cryptosystem. Its intended use is in the construction of digital

     signatures and digital envelopes.

     One use for the digital envelopes constructed using PKCS#1 is to provide

     confidentiality during the session key negotiation of an SSL-encrypted

     session. The SSL protocol is widely used to encrypt traffic to and from

     web servers to protect the privacy of information such as personal data

     or a credit card number, as it traverses the internet. A sophisticated

     intruder may be able to use the vulnerability in PKCS#1 to recover

     information from an SSL-encrypted session.

     Web pages employing SSL are accessed using the HTTPS protocol, rather

     than the HTTP protocol.

     More information about PKCS#1 can be found at


     Additional information regarding this vulnerability will be

     available at


     This vulnerability does not affect all PKCS#1-enabled products. The

     attack is not effective against protocols in which there is not an

     interactive session setup, or where the error messages returned by the

     server do not distinguish among the types of failures. In particular,

     this vulnerability does not affect S/MIME or SET.

II.  Impact

     Under some circumstances, an intruder who is able to observe an

     SSL-encrypted session, and subsequently interrogate the server involved

     in the session, may be able to recover the session key used in that

     session, and then recover the encrypted data from that session.

     The vulnerability can only be exploited if the intruder is able to make

     repeated session-establishment attempts to the same vulnerable web server

     which was involved in the original session.  In addition, the server must

     return error messages that distinguish between several modes of

     failure. Although the number of session-establishment requests is large,

     it is significantly more efficient than a brute-force attack against the

     session key. Note that, although web servers comprise the majority of

     vulnerable servers, other PKCS#1-enabled servers may be vulnerable.

     Note that the server's public and private key are not at risk from this

     vulnerability, and that an intruder is only able to recover data from a

     single session per attack. Compromising a single session does not give an

     intruder any additional ability to compromise subsequent sessions.

     Further, as mentioned above, this vulnerability does not affect all

     PKCS#1-enabled products.

III. Solution

     A.  Obtain and install a patch for this problem.

         Appendix A contains input from vendors who have provided information

         for this advisory. We will update the appendix as we receive more

         information. If you do not see your vendor's name, the CERT/CC did

         not hear from that vendor. Please contact your vendor directly.

     B.  Although applying vendor patches is the recommended course of action,

         you may wish to consider some of the following steps to reduce your

         exposure to this vulnerability:

         -- Examine your log files for repeated error messages indicating

         failed requests for session-establishment. For example, sites using

         C2Net's Stronghold server would see error messages of the form

[Tue Jun 23 22:08:17 1998] SSL accept error

1575:error:0407006B:rsa routines:RSA_padding_check_PKCS1_type_2:block type is not 02:rsa_pk1.c:207

1575:error:04064072:rsa routines:RSA_EAY_PRIVATE_DECRYPT:padding check failed:rsa_eay.c:330

1575:error:1408B076:SSL routines:SSL3_GET_CLIENT_KEY_EXCHANGE:bad rsa decrypt:s3_srvr.c:1259

         -- If you are unable to upgrade for an extended period of time, you

         may wish to consider obtaining a new public/private key pair for

         servers. Changing the key pair only protects those sessions which may

         have been previously recorded by an intruder. This does not prevent

         an intruder from launching attacks against newly-recorded

         sessions. This should only be considered in those cases where

         upgrading is infeasible. Again, note that the public/private key pair

         is not at risk from this vulnerability.

         -- Avoid using the same public/private key pair across multiple


         -- A large increase in CPU utilization or network traffic may

         accompany an attack. If your web server does not provide sufficient

         detail in its logs to detect failures, you may wish to look for

         substantial deviation from established usage patterns, which may be

         indicative of an attack.

         Implementors and researchers should consult RSA Laboratories Bulletin

         Number 7 for additional measures to reduce the effectiveness of this

         attack. This document will be available at



Appendix A - Vendor Information

Below is a list of the vendors who have provided information for this

advisory. We will update this appendix as we receive additional information.

If you do not see your vendor's name, the CERT/CC did not hear from that

vendor. Please contact the vendor directly.

        C2Net Software, Inc.


        C2Net has developed a patch and is deploying new builds to combat this

        problem. More information is available at


        Microsoft Corporation


        The Microsoft Product Security Response Team has produced an update

        for the following affected Microsoft Internet server software:

        - Microsoft Internet Information Server 3.0 and 4.0

        - Microsoft Site Server 3.0, Commerce Edition

        - Microsoft Site Server, Enterprise Edition

        - Microsoft Exchange 5.0 and 5.5 (for SSL-enabled POP3 and SMTP)

        Microsoft's Internet server software provides SSL 2.0, SSL 3.0, PCT

        1.0, and TLS 1.0 for securing Internet-based communications. These

        protocols are all implemented in a single file called SCHANNEL.DLL,

        which is shared by the Microsoft Internet server software listed

        above. Updating this single file will resolve this vulnerability for

        these Microsoft server products.

        No updates are required for Internet client software, such as Internet


        This update is now available. Microsoft strongly recommends that

        customers using secure SSL Internet services with any of the Microsoft

        products listed above should update to the latest version of


        Please visit the Microsoft Security Advisor web site for more

        information, or link directly to our Microsoft security

        bulletin MS98-002 at


        Netscape Communications Corporation


        Netscape recommends that all customers running Netscape Enterprise

        Server software, Netscape Proxy Server, Netscape Messaging Server and

        Netscape Collabra Server download and install a simple patch before an

        attack ever happens.

        Product updates and full information about the countermeasures are

        available immediately from the Netscape Internet site at:


        Open Market, Inc.


        Some of Open Market's products are affected by this

        vulnerability. Patches are available. For more information, go to


        RSA Data Security, Inc.


        Information from RSA regarding this vulnerability is available at


        Silicon Graphics, Inc.


        See Silicon Graphics Inc. Security Advisory, "Vulnerability

        in Public-Key Cryptography Standard #1 (PKCS#1),"

        19980606-01-A, issued June 26, 1998.

        Currently, Silicon Graphics Inc. is investigating and is in

        communication with Netscape.  No further information is

        available for public release at this time.

        The SGI anonymous FTP site is sgigate.sgi.com (

        or its mirror, ftp.sgi.com.  Security information and patches

        can be found in the ~ftp/security and ~ftp/patches

        directories, respectfully.

        For subscribing to the wiretap mailing list and other SGI security

        related information, please refer to the Silicon Graphics

        Security Headquarters website located at:




        Information and SSLeay source patches related to this vulnerability

        are available at:


        Terisa Systems, Inc. / Spyrus, Inc.


        Terisa has determined that the SSL implementation in the Terisa

        SecureWeb Toolkit is vulnerable to this attack. A patch to fix this

        vulnerability has been developed for existing versions of the Toolkit.

        Further information may be found at http://www.terisa.com/.

- -----------------------------------------------------------------------------

This vulnerability was originally discovered by Daniel Bleichenbacher of the

Secure Systems Research Department of Bell Labs, the research and development

arm of Lucent Technologies.

The CERT Coordination Center thanks Scott Schnell of RSA and Jason Garms of

Microsoft for reporting this problem to us and providing technical advice and

other valuable input into the construction of this advisory. In addition, our

thanks goes to Simona Nass, Douglas Barnes, and Tim Hudson of C2Net and David

Wagner of the University of California at Berkeley for the example log files

contained herein as well as additional technical advice and clarification

during the production of this advisory.

- -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT

Coordination Center or your representative in the Forum of Incident Response

and Security Teams (see http://www.first.org/team-info/).

CERT/CC Contact Information

- ----------------------------

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)

                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)

                and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address

         CERT Coordination Center

         Software Engineering Institute

         Carnegie Mellon University

         Pittsburgh PA 15213-3890


Using encryption

   We strongly urge you to encrypt sensitive information sent by email. We can

   support a shared DES key or PGP. Contact the CERT/CC for more information.

   Location of CERT PGP key


Getting security information

   CERT publications and other security information are available from



   CERT advisories and bulletins are also posted on the USENET newsgroup


   To be added to our mailing list for advisories and bulletins, send

   email to


   In the subject line, type

        SUBSCRIBE  your-email-address

- ---------------------------------------------------------------------------

Copyright 1998 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff/legal_stuff.html and

http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.

*CERT is registered in the U.S. Patent and Trademark Office.

- ---------------------------------------------------------------------------

This file: http://ftp.cert.org/pub/cert_advisories/CA-98.07.PKCS



Revision history

Aug. 24, 1998  Added vendor information for Silicon Graphics, Inc.

July 27, 1998  Added vendor information for Terisa Systems, Inc. / Spyrus, Inc.


Version: PGP for Personal Privacy 5.0

Charset: noconv





(C) 1999-2000 All rights reserved.