Protecting against RSA Encryption Flaws and Network attacks: ensuring safe data transmission of private information and how we nearly didn’t arrive there.
If you didn’t know, RSA encryption was one of the first and foremost ways we protected data. It’s still widely used today, though rarely for encrypting and decrypting user information due to better alternatives. However, RSA is still relied upon in many circles, and a 25-year-old vulnerability has reared its ugly head.
RSA & Encryption Standards
Since computers took over the world, there has always been a demand to protect the data we create and send to one another. RSA was one of the first algorithms for generating public keys, necessary in all encryption methods. Since then, other standards have come and gone like DES, and AES currently leads the community. Encryption is just one part of cryptography, the art of hiding information for its intended recipient.
Most websites nowadays use encryption through the TLS/SSL standard – signalled by HTTPS in the URL. Websites that handle a lot of information and money take a lot of security precautions that go above and beyond RSA. This isn’t just limited to government or banking websites – entertainment industries also use it. In iGaming, an industry that exists wholly online, sites that host casino slots and games also need this higher level of security to process transactions and keep customer data safe. Most big businesses opt to run their own data centres, responsible for hosting and storing data, and it gives them more control over the physical security of the server room.
The Million Message Attack
In 1998, over 20 years after MIT first published the RSA standard, Swiss cryptography doctor Daniel Bleichenbacher devised a way to compromise it. The attack targeted now-outdated SSL servers that a system connects to, using a method called an adaptive chosen-ciphertext attack.
These are simpler than they sound – the attacker sends encrypted data (ciphertext) to the target for decryption. Instead, it sends back an error message. The attacker then uses that feedback to choose their next ciphertext message. Do this enough, you can figure out what’s right by ruling out all the wrong ciphertexts. If the right ciphertext is a needle in a haystack, this attack sets the haystack on fire until the needle can be found.
That’s come to be known as the Million Message Attack, or the Bleichenbacher Attack after the man himself. In this case, an SSL error message allowed him to chip away at the RSA encryption padding many web servers back then relied upon. Unlike many other hacking methods, this could be completed within a day.
The Marvin Attack
So, where does Marvin factor into this? That’s where Red Hat come in, the open-source software company owned by IBM. In 2023, they published research into the Marvin Attack, also called the Marvin workaround.
Previously, variations of Bleichenbacher’s Attack were dubbed the fun acronym ROBOT – Return Of Bleichenbacher’s Oracle Threat. The folks at Red Hat decided to have even more fun with the name by calling their research into ROBOT attack variations Marvin. It’s a reference to the paranoid android from The Hitchhiker’s Guide to the Galaxy, who becomes older than the universe due to time travel. It’s a cutesy way of saying this problem won’t go away soon or at least, will always come back.
The attack was proven to be effective in a matter of hours. It isn’t RSA-specific either, so it can subvert most systems that use asymmetric cryptographic keys. The nature of the attack makes a single, universally applied fix impossible since no one Marvin will look the same.
In their paper, Red Hat says that FIPS Level 4 is the best current protection since it can bar side-channel attacks. Fortunately, there are no known cases of the Marvin Attack compromising RSA systems.
