A nearly twenty-year-old vulnerability in SSL's use of RSA for encryption has been retooled to exploit current implementations of TLS. The attack is the ROBOT attack. The problem arises when a TLS server uses RSA cipher suites for both authentication and encryption. The ciphers are as follows:


Essentially any cipher suite using TLS_RSA is vulnerable; the reason is that with these ciphers the static RSA private key is used for both authentication (which is fine) and encryption. Herein lies the problem. It has been known for quite a while that these ciphers do not provide perfect forward secrecy (PFS). What is PFS? Well, without it, someone could monitor and record all of the network traffic and decrypt the traffic at a later date. The reason is that the same public key is used to encrypt the symmetric key that is used to encrypt the data. If at a later date the private key on the server is stolen or recovered, then potentially all of the previously recorded encrypted data could be decrypted using the server's now-known private key: the decrypted symmetric key used for data encryption could then be used to decrypt the encrypted data.

Researchers have discovered that using a modified ROBOT attack can allow an attacker to figure out the server's private key.

How to protect yourself?

Disable all TLS_RSA ciphers in TLS and use the Elliptic Curve ciphers.

TLS Recommended Ciphers:

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_192_CBC_SHA256 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_192_GCM_SHA256 as defined in RFC 5289
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_192_GCM_SHA256 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_192_CBC_SHA256 as defined in RFC 5289
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5289
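As an added example (not code from the original post), the following Python audits a cipher-suite list for the static RSA key exchange that ROBOT targets and shows the equivalent OpenSSL policy (the kRSA keyword) applied to a Python ssl context. The sample suite list is constructed here, and the parser only inspects the key-exchange field of IANA-style names; it does not validate suites against the registry.

```python
import re
import ssl

# Constructed sample: static-RSA suites to disable, plus PFS suites to keep.
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_AES_128_GCM_SHA256",  # TLS 1.3: key exchange is always (EC)DHE
]

# IANA names for TLS <= 1.2 read TLS_<key exchange>_WITH_<cipher>_<mac>.
SUITE_RE = re.compile(r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_")

def key_exchange(suite: str) -> str:
    """Key-exchange field of an IANA suite name ('RSA', 'ECDHE_RSA', ...).
    TLS 1.3 names carry no such field and are reported as 'ECDHE'."""
    m = SUITE_RE.match(suite)
    if m:
        return m.group("kx")
    if suite.startswith("TLS_") and "_WITH_" not in suite:
        return "ECDHE"
    raise ValueError(f"unrecognised cipher suite name: {suite}")

def lacks_pfs(suite: str) -> bool:
    """True for static RSA key transport (TLS_RSA_*, incl. RSA_PSK/RSA_EXPORT):
    the client encrypts the premaster secret to the server's long-lived RSA
    key, so a later key compromise decrypts recorded sessions, and the
    server's RSA decryption handling is what a ROBOT-style oracle probes."""
    kx = key_exchange(suite)
    return kx == "RSA" or kx.startswith("RSA_")

def audit(suites):
    """Split a configured suite list into (to disable, to keep)."""
    return ([s for s in suites if lacks_pfs(s)],
            [s for s in suites if not lacks_pfs(s)])

# Same policy as an OpenSSL cipher string: kRSA is OpenSSL's keyword for RSA
# key exchange, so !kRSA removes every static-RSA suite in one step.
PFS_ONLY = "ECDHE+AESGCM:ECDHE+AES:DHE+AESGCM:!kRSA:!aNULL:!eNULL"

def pfs_only_context() -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(PFS_ONLY)
    return ctx

def static_rsa_suites_enabled(ctx: ssl.SSLContext):
    """Enabled suites whose OpenSSL description says Kx=RSA (should be none)."""
    return [c["name"] for c in ctx.get_ciphers() if "Kx=RSA" in c["description"]]
```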