
MD5 collisions homepage: English, Czech,
DN, HDN, SNMAC homepage: English, Czech,
PGP attack homepage: English, Czech,
SSL attack homepage: English, Czech.


V. Klíma: Slabiny v protokolech SSL/TLS (Weaknesses in the SSL/TLS protocols), Network Security conference, Hotel Diplomat, Prague, 11.-12.11.2003, more info.

V. Klíma: Nešifrovaný e-mail je jako výkladní skříň (Unencrypted e-mail is like a shop window), Právo, FIRMA supplement, p. 8, 31.10.2003.

V. Klíma, T. Rosa: Protokoly SSL/TLS pod palbou roku 2003 (The SSL/TLS protocols under fire in 2003), DSM no. 5/2003, pp. 26 - 29.


Klíma, V., Pokorný, O., Rosa, T.:  Attacking RSA-based Sessions in SSL/TLS, presented at CHES 2003, pp. 426 - 440, Springer-Verlag, 2003, Preliminary version: 2003/052.

Responses to the article in various media: CZ, ENG.

Abstract: In this paper we present a practically feasible attack on RSA-based sessions in SSL/TLS protocols. We show that incorporating a version number check over PKCS#1 plaintext used in the SSL/TLS creates a side channel that allows an attacker to invert the RSA encryption. The attacker can then either recover the premaster-secret or sign a message on behalf of the server. Practical tests showed that two thirds of randomly chosen Internet SSL/TLS servers were vulnerable. The attack is an extension of Bleichenbacher’s attack on PKCS#1 (v. 1.5). We introduce the concept of a bad-version oracle (BVO) that covers the side channel leakage, and present several methods that speed up the original algorithm. Our attack was successfully tested in practice and the results of complexity measurements are presented in the paper.
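The abstract's central observation is that a server which reacts differently to "padding is malformed" and to "padding is fine but the version bytes are wrong" hands an observer a second distinguishable outcome, the bad-version oracle (BVO). The following added example (constructed for this page, not the authors' code) models only the unpacking of the already RSA-decrypted encryption block EB, with RSA itself left out and a 128-byte block assumed. It places the leaky version-check pattern beside the mitigation later adopted in TLS, in which any failure silently continues with a random premaster secret so that every bad input leads to the same observable behaviour, a handshake that fails at Finished:

```python
import secrets

# Constructed illustration of the side channel described in the abstract.
# Only the unpacking of the RSA-decrypted block EB is modelled; the RSA
# operation and the rest of the handshake are assumed to happen elsewhere.

KEY_BYTES = 128            # assumption: a 1024-bit modulus, so EB is 128 bytes
PREMASTER_LEN = 48         # SSL/TLS premaster secret length
TLS_VERSION = b"\x03\x01"  # version the client claimed (TLS 1.0)


class DecodeError(Exception):
    """Raised when PKCS#1 v1.5 block type 2 padding is malformed."""


def pkcs1_v15_pad(message: bytes) -> bytes:
    """Build EB = 0x00 || 0x02 || PS || 0x00 || M with a nonzero PS of >= 8 bytes."""
    ps_len = KEY_BYTES - 3 - len(message)
    if ps_len < 8:
        raise ValueError("message too long for this key size")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + message


def pkcs1_v15_unpad(eb: bytes) -> bytes:
    """Strip the padding; raise DecodeError on any structural problem."""
    if len(eb) != KEY_BYTES or eb[:2] != b"\x00\x02":
        raise DecodeError("bad padding")
    sep = eb.find(b"\x00", 2)
    if sep < 10:  # no separator, or PS shorter than 8 bytes
        raise DecodeError("bad padding")
    return eb[sep + 1:]


def leaky_premaster(eb: bytes, client_version: bytes) -> bytes:
    """Vulnerable pattern: padding failures and version mismatches are
    reported through different branches, which is the BVO side channel."""
    m = pkcs1_v15_unpad(eb)
    if len(m) != PREMASTER_LEN:
        raise DecodeError("bad length")
    if m[:2] != client_version:
        raise ValueError("bad version")   # the extra, distinguishable branch
    return m


def hardened_premaster(eb: bytes, client_version: bytes) -> bytes:
    """Mitigated pattern: never signal the failure. On any padding, length or
    version problem, continue with a random premaster secret carrying the
    expected version bytes; the handshake then fails later, identically."""
    fallback = client_version + secrets.token_bytes(PREMASTER_LEN - 2)
    try:
        m = pkcs1_v15_unpad(eb)
    except DecodeError:
        return fallback
    if len(m) != PREMASTER_LEN or m[:2] != client_version:
        return fallback
    return m


def observe(handler, eb: bytes, client_version: bytes) -> str:
    """Label the branch an outside observer could tell apart."""
    try:
        handler(eb, client_version)
        return "proceed"
    except DecodeError:
        return "decode_error"
    except ValueError:
        return "version_error"


def sample_cases() -> dict:
    """Constructed EB values: valid; broken padding; correctly padded premaster
    secret whose version bytes do not match the client's."""
    valid = pkcs1_v15_pad(TLS_VERSION + secrets.token_bytes(PREMASTER_LEN - 2))
    bad_padding = b"\x00\x01" + valid[2:]          # wrong block type byte
    bad_version = pkcs1_v15_pad(b"\x03\x00" + secrets.token_bytes(PREMASTER_LEN - 2))
    return {"valid": valid, "bad_padding": bad_padding, "bad_version": bad_version}


def outcomes(handler) -> set:
    """Set of distinguishable outcomes the handler exposes over the sample cases."""
    return {observe(handler, eb, TLS_VERSION) for eb in sample_cases().values()}


if __name__ == "__main__":
    print("leaky:   ", sorted(outcomes(leaky_premaster)))     # three distinct outcomes
    print("hardened:", sorted(outcomes(hardened_premaster)))  # only 'proceed'
```

The leaky handler exposes three outcomes over the three inputs, the hardened one a single outcome. Note what the mitigation does and does not cover: it removes the distinct error paths, but the unpadding routine itself still takes data-dependent branches, so a production implementation must also keep its timing independent of where the separator is found, and should treat the version bytes the same way in every case rather than falling back only sometimes.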

Klíma, V., Rosa, T.: Side Channel Attacks - Highly Promising Directions in Modern Cryptanalysis, TATRACRYPT '03, The 3rd Central European Conference on Cryptology, June 26-28, 2003, Bratislava, Slovakia.

Abstract: Traditional cryptanalysis tends to examine cryptosystems as purely abstract mathematical functions without any direct connection to physical reality. The theory and practice of side channels is completely changing this understanding of cryptanalysis. Within a short time of being introduced (in 1996 by Dr. Paul Kocher), it brought fascinating results which would be very hard to achieve when viewing cryptanalysis in the traditional way. In the talk, we briefly introduce the theory of side channel cryptanalysis and point out several interesting thoughts behind side channel attacks.


V. Klíma, T. Rosa: Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format, NATO PfP/PWP - 2nd International Scientific Conference Security and Protection of Information, Brno, Czech Republic, 28. - 30.4.2003, 2003/098, press release.

Abstract: Vaudenay has shown in [5] that the CBC encryption mode ([2], [9]) combined with the PKCS#5 padding scheme [3] allows an attacker to invert the underlying block cipher, provided she has access to a valid-padding oracle which, for each input ciphertext, tells her whether the corresponding plaintext has valid padding or not. With countermeasures against this attack in mind, different padding schemes have been studied in [1]. The best one is referred to as ABYT-PAD. It is designed for byte-oriented messages. It removes the valid-padding oracle, thereby defeating Vaudenay's attack, since all deciphered plaintexts are valid under this padding scheme. In this paper, we try to combine the well-known cryptographic message syntax standard PKCS#7 [8] with the use of ABYT-PAD instead of PKCS#5. Let us assume that we have access to a PKCS#7CONF oracle that tells us, for a given ciphertext (encapsulated in the PKCS#7 structure), whether the deciphered plaintext is correct or not according to the PKCS#7 (v1.6) syntax. This is probably a very natural assumption, because applications usually have to reflect this situation in their behavior. It could be a message to the user, an API error message, an entry in a log file, different timing behavior, etc. We show that access to such an oracle again enables an attacker to invert the underlying block cipher. The attack requires a single captured ciphertext and approximately 128 oracle calls per ciphertext byte. It shows that we cannot hope to fully solve the problems of side channel attacks on the CBC encryption mode by using a "magic" padding method or an obscure message-encoding format. Strong cryptographic integrity checks of ciphertexts should be incorporated instead.

Openweekend conference

V. Klíma, T. Rosa: Na kanálu se pracuje aneb O revolučním objevu v kryptoanalýze (Channel under construction, or On a revolutionary discovery in cryptanalysis), 16.3.2003, Openweekend, ČVUT, ppt.

Lectures at MFF UK

V. Klíma: Aplikovaná (počítačová) kryptologie (Applied (computer) cryptology), MFF UK, 12.3.2003, delivered as part of the lecture series of the study programme "Matematické metody informační bezpečnosti" (Mathematical Methods of Information Security), lectures.

Seminar at the Military Academy

V. Klíma: Symetrická kryptografie (Symmetric cryptography), Seminar on applied cryptography, computer network security and biometrics, Military Academy, Brno, 8.-9.1.2003

V. Klíma, T. Rosa: Vybrané aspekty moderní kryptoanalýzy (Selected aspects of modern cryptanalysis), Sdělovací technika, 3/2003, pp. 3 - 7, pdf.

V. Klíma, T. Rosa: Kryptologie pro praxi (1) - úvod k seriálu o aplikované kryptologii (Cryptology for practice (1): introduction to the series on applied cryptology), Sdělovací technika, 6/2003, p. 19, pdf.

V. Klíma, T. Rosa: Kryptologie pro praxi (2) - symetrická a asymetrická kryptografie (Cryptology for practice (2): symmetric and asymmetric cryptography), Sdělovací technika, 7/2003, p. 16, pdf.

V. Klíma, T. Rosa: Kryptologie pro praxi (3) - asymetrické metody (Cryptology for practice (3): asymmetric methods), Sdělovací technika, 8/2003, p. 22, pdf.

V. Klíma, T. Rosa: Kryptologie pro praxi (4) - operační mód (Cryptology for practice (4): modes of operation), Sdělovací technika, 9/2003, p. 16, pdf.

V. Klíma, T. Rosa: Kryptologie pro praxi (5) - formátování a bezpečnost (Cryptology for practice (5): formatting and security), Sdělovací technika, 10/2003, pp. 14 - 15, pdf.

V. Klíma, T. Rosa: Kryptologie pro praxi (6) - nejpoužívanější šifry (Cryptology for practice (6): the most widely used ciphers), Sdělovací technika, 11/2003, pp. 17 - 18, pdf.

V. Klíma, T. Rosa: Kryptologie pro praxi (7) - tipy a triky (Cryptology for practice (7): tips and tricks), Sdělovací technika, 12/2003, pp. 18 - 19, pdf.