Rijkswatch: RSA and other encryption servers vulnerable to 25-year old Marvin attack

26 September 2023

RSA and other encryption servers vulnerable to 25-year old Marvin attack

Among others, popular OpenSSL and GnuTLS implementations are vulnerable.

The authors recommend to stop using RSA PKCS#1 v1.5 and switch to Elliptic curve Diffie-Hellman.

They suspect that any cryptographic library using general purpose integer implementations ( (default mode of OpenSSL's BIGNUM, Java's BigInteger, Python's `int`, Rust's `apin...`) is vulnerable.

What can the attackers gain?

The attacker is able to decrypt RSA ciphertexts and forge signatures.
For a TLS server that defaults to RSA encryption key exchanges, that means the attacker can record a session and decrypt it later.

more...

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

tags

java (96)

security (40)

google (34)

Microsoft (33)

Oracle (31)

DWS-4050-EE6 (23)

FJ-310 (23)

solaris (23)

Java EE (19)

SL-314-EE6 (17)

SL-351-EE5 (16)

STS-276-S10 (16)

JPA (14)

SL-370-EE6 (14)

e-commerce (14)

IntelliJ (13)

SA-300-S10 (13)

Windows (13)

OO-226 (12)

firefox (12)

legal (12)

patternsEE6 (12)

privacy (12)

sun (12)

web (12)

SL-314-EE5 (11)

UML (11)

hybris (11)

software engineering (11)

jhtp (10)

Android (9)

JSP (9)

netbeans (9)

network (9)

AI (8)

SL-340-EE6 (8)

SL-385 (8)

XML (8)

EJB (7)

cloud (7)

doodle (7)

git (7)

spring (7)

china (6)

patch (6)

patterns (6)

servlet (6)

spr420 (6)

uniway (6)

DOM (5)

JSTL (5)

MS Office (5)

SPR410 (5)

amazon (5)

belgium (5)

database (5)

glassfish (5)

google drive (5)

javascript (5)

plugins (5)

solaris 10 (5)

weblogic (5)

windows 10 (5)

GDPR (4)

Identity and Access Management (4)

JAXB (4)

JAXP (4)

Java EE 7 (4)

SL-500 (4)

adobe (4)

browser (4)

censorship (4)

chrome (4)

encryption (4)

excel (4)

facebook (4)

ide (4)

java 7 (4)

jax-rs (4)

jetbrains (4)

maven (4)

powerpoint (4)

quote (4)

search (4)

tomcat (4)

Bill Gates (3)

DB1 (3)

JUnit (3)

Java 8 (3)

MS teams (3)

MVC (3)

SAP (3)

SAX (3)

Vista (3)

Word (3)

corona (3)

design (3)

eclipse (3)

education (3)

filter (3)

fowler (3)

hacking (3)

hibernate (3)

install (3)

java 9 (3)

node.js (3)

office (3)

onenote (3)

openoffice (3)

pdf (3)

schema (3)

servlet 3 (3)

sql (3)

struts (3)

umlet (3)

unix (3)

virus (3)

Applying UML and patterns (2)

Belgacom (2)

EL (2)

Google App Engine (2)

Google drive file stream (2)

IPv4 (2)

JAX-WS (2)

JEE5 (2)

JSF (2)

JSON (2)

Jakarta EE (2)

Java EE5 (2)

Java EE6 (2)

PATH (2)

RAID (2)

REST (2)

SMF (2)

SOAPUI (2)

agile (2)

android studio (2)

anti-virus (2)

apache (2)

apple (2)

architecture (2)

canon pixma (2)

certification (2)

cookies (2)

credential manager (2)

cygwin (2)

derby (2)

devoxx (2)

disk (2)

dns (2)

drupal (2)

e-gov (2)

ecology (2)

eid (2)

electronic identity card (2)

enum (2)

europe (2)

free speech (2)

google maps (2)

gwt (2)

icann (2)

iphone (2)

itunes (2)

light field camera (2)

linkedIn (2)

linux (2)

logging (2)

lucene (2)

lytro (2)

microservices (2)

mobile (2)

newspapers (2)

olympics (2)

open software (2)

photo (2)

porn (2)

printer (2)

routing (2)

russia (2)

searchblox (2)

site (2)

solaris 11 (2)

spam (2)

spring boot (2)

springsource (2)

unified process (2)

us (2)

webservices (2)

wikileaks (2)

xpath (2)

yahoo (2)

.Net (1)

12.1.2 (1)

5.1 (1)

64bit (1)

7.4 (1)

7u51 (1)

9/11 (1)

ANSI SQL (1)

BDD (1)

BEA (1)

Babbage (1)

CERN (1)

CMS (1)

Calendra (1)

ClearApp (1)

ConnectionPool (1)

Covalent (1)

Craig Larman (1)

DAO (1)

DRM (1)

DSL (1)

DTD (1)

DataSource (1)

Defect Driven Design (1)

EDAM (1)

EDF (1)

EDPS (1)

EE4J (1)

EJB client (1)

EJB2 (1)

EJB3 (1)

ESB (1)

ESM (1)

Flex (1)

Floyd Landis (1)

GCHQ (1)

GPL (1)

GUI (1)

Gears (1)

GlobalCollect (1)

Google Apps (1)

Google docs (1)

Greenpeace (1)

HP (1)

HTML (1)

HTML 5 (1)

IPMP (1)

ISOC (1)

Igenico (1)

JAVA_HOME (1)

JDBC (1)

JSR (1)

JavaFX (1)

Jshell (1)

Keccak (1)

LexicalHandler (1)

Luminus (1)

MDA (1)

MDB (1)

MySQL (1)

NFC (1)

NSA (1)

OAuth (1)

OMG (1)

OO (1)

ORM (1)

OSI (1)

Ogone (1)

OpenIndiana (1)

OpenSolaris (1)

PAC (1)

POSIX (1)

PPID (1)

Passlogix (1)

QR code (1)

RDISC (1)

RIP (1)

RSA (1)

RTBF (1)

Rosario (1)

SABAM (1)

SCBCD (1)

SDL (1)

SHA-3 (1)

SII (1)

SL-275 (1)

SL-285 (1)

SOA (1)

SOAP UI (1)

SUA (1)

ServletContextListener (1)

Sybase (1)

TCPIP (1)

TV (1)

Tour de France (1)

TypeScript (1)

Virtual Clone Drive (1)

Visual Studio (1)

Vue.js (1)

WSDL (1)

WebGL (1)

Word 2007 (1)

absorbtiekussen (1)

acquia (1)

acquisition (1)

acrobat (1)

action (1)

adblock (1)

adidas (1)

adobe marketing cloud (1)

adoptopenjdk (1)

advertising (1)

annotations (1)

ant (1)

antikera (1)

april fools day (1)

aqua (1)

archeology (1)

arthur weasley (1)

assessment (1)

assistive technology (1)

astah (1)

astronomy (1)

asynchronous (1)

automation (1)

awt (1)

bash (1)

beer (1)

big data (1)

blended learning (1)

blogger (1)

brain (1)

builder (1)

canvas (1)

canvas LMS (1)

captcha (1)

caroussel (1)

cartoon (1)

chat (1)

chip (1)

civilization (1)

civworld (1)

classloader (1)

classpath (1)

cmd (1)

cmmi (1)

cognitum (1)

coica (1)

coin (1)

commercial (1)

commission (1)

contact tracing (1)

content filter (1)

copyleft (1)

copyright (1)

corrupted (1)

course (1)

cream (1)

criteria (1)

css (1)

customer experience (1)

customer journey (1)

dabbleboard (1)

daemen (1)

dagvers (1)

date (1)

defender (1)

deprecated (1)

digsby (1)

disconnect (1)

docx (1)

dos (1)

dozer (1)

drive letter (1)

dzone (1)

e-book (1)

earth day (1)

eclipse4sl (1)

epf (1)

epic (1)

erd (1)

ethernet (1)

etl (1)

eventviewer (1)

exams (1)

extensions (1)

figma (1)

find (1)

fingerprinting (1)

fleet (1)

font awesome (1)

forefront (1)

forrester (1)

gemini (1)

geocache (1)

gherkin (1)

github (1)

gitlab (1)

gmail (1)

google photos (1)

google presentations (1)

google scribe (1)

google slides (1)

google talk (1)

gosling (1)

gradle (1)

grails (1)

groovy (1)

harry potter (1)

hiking (1)

hosting (1)

hostname (1)

hotmail (1)

html editor (1)

ian dury (1)

ie (1)

ifconfig (1)

ighome (1)

igoogle (1)

implants (1)

indigov (1)

inetd (1)

ink absorber (1)

intel (1)

interceptors (1)

internet (1)

ipv6 (1)

iso (1)

itsme (1)

java 10 (1)

java 12 (1)

java 14 (1)

java 15 (1)

java 16 (1)

java db (1)

java webstart (1)

java.nio.file (1)

java.policy (1)

javapath (1)

javaranch (1)

jdk (1)

jersey (1)

jest (1)

jetpack compose (1)

jms (1)

jobat (1)

joda time (1)

joke (1)

jpeg (1)

jpg (1)

jsr315 (1)

jsr339 (1)

keyboard (1)

kotlin (1)

la plagne (1)

larry ellison (1)

ldap (1)

lego (1)

library (1)

libreoffice (1)

life cycle callback (1)

lists (1)

live upgrade (1)

localdatetime (1)

log4j (1)

login (1)

logon (1)

london (1)

magnolia (1)

mail (1)

man (1)

markdown (1)

markdown enhanced plugin (1)

marvin attack (1)

mcafee (1)

mdm (1)

medicine (1)

mercurial (1)

model 2 (1)

mono (1)

mono sans symbols (1)

moonlight (1)

morro (1)

moshi (1)

mousegestures (1)

msn (1)

musk (1)

myriam makeba (1)

namespace (1)

neo (1)

netflix (1)

nethack (1)

neuralink (1)

newspass (1)

node.js v10 (1)

noopener (1)

nosql (1)

notes font (1)

npm (1)

ntp (1)

nuclear energy (1)

object relational mapping (1)

objectify (1)

online payment (1)

open grid scheduler (1)

openjdk (1)

openup (1)

oracle express (1)

oracle grid engine (1)

outlook (1)

page breaks (1)

password (1)

patents (1)

pca (1)

pedophilia (1)

performance (1)

phone (1)

pidgin (1)

pin to start (1)

power button (1)

powershell (1)

prince2 (1)

print (1)

protect IP (1)

proxy (1)

public domain software (1)

public transport (1)

pulse (1)

push (1)

quantum holographic encoding (1)

quantum physics (1)

real-time presence (1)

reasons to be (1)

record (1)

retail (1)

rider (1)

routeyou (1)

salesforce (1)

scam (1)

screen reader (1)

scrum (1)

self driving cars (1)

seo (1)

sequencediagram (1)

serge vleugels (1)

servlets (1)

session bean (1)

sha-1 (1)

sha-2 (1)

silverlight (1)

sint-niklaas (1)

ski (1)

slack (1)

slf4j (1)

smpatch (1)

sms (1)

sniff (1)

solr (1)

sports (1)

spring boot devtools (1)

spring data (1)

spring web flow (1)

sql developer (1)

ssh (1)

stack overflow (1)

staroffice (1)

start menu (1)

stijn de paepe (1)

storage (1)

strata (1)

streetview (1)

stub (1)

subversion (1)

sudan (1)

sun grid engine (1)

sunos (1)

surface (1)

swing (1)

syria (1)

tabniine (1)

tax on web (1)

teaching (1)

telesys (1)

terminalio (1)

tiktok (1)

tiles (1)

time (1)

tns (1)

tommee (1)

toots thielemans (1)

toughtworks (1)

trump (1)

ts-node (1)

tsx (1)

turkey (1)

tutoraat (1)

twitter (1)

uac (1)

uk (1)

univa (1)

unnethack (1)

upgrade (1)

usb (1)

user experience (1)

versioning (1)

vietnam (1)

vim (1)

virtual box (1)

vitest (1)

vox teneo (1)

vrt.nu (1)

vtoc (1)

web flow (1)

web server (1)

web-types (1)

websites (1)

websockets (1)

webstorm (1)

whiteboard (1)

wifi (1)

windows 11 (1)

wlntio.dll (1)

xp (1)

xpg4 (1)

youtube (1)

zap mama (1)

zfs (1)

zones (1)

zuckerberg (1)