
Chosen Ciphertext Attacks on RSA PKCS#1v1.5

Consequences

Compromise of plaintext

Access required for attack

Access to a ciphertext and a decryption function whose observable behavior differs depending on the padding of the decrypted ciphertext

Explanation

RSA PKCS#1v1.5 is always vulnerable to padding oracle attacks to some extent. However, a careful implementation can keep the information leak to a minimum, making the attack inefficient. A bad implementation, on the other hand, leaks more information than necessary, making the attack more powerful. This test checks the return value of the RSA PKCS#1v1.5 decryption function under various conditions to evaluate the information leaked by padding errors.
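The kind of return-value check described above, as an added example that is not this tool's own code: it feeds constructed, already-decrypted encryption blocks to two hypothetical padding decoders and counts how many distinct error signals each exposes to a caller. The function names, the 32-byte block length and the sample blocks are assumptions made for illustration.

```python
K = 32  # block length in bytes (constructed; real RSA blocks are much longer)

def leaky_unpad(em: bytes) -> str:
    """Hypothetical decoder that reports which padding check failed."""
    if em[0] != 0x00:
        return "err_first_byte"
    if em[1] != 0x02:
        return "err_block_type"
    sep = em.find(b"\x00", 2)
    if sep == -1:
        return "err_no_separator"
    if sep - 2 < 8:  # PS must be at least 8 nonzero bytes
        return "err_short_padding"
    return "ok"

def uniform_unpad(em: bytes) -> str:
    """Hypothetical decoder that runs every check and returns one generic error.
    Return values only: timing differences are a separate channel not modelled here."""
    sep = em.find(b"\x00", 2)
    bad = (em[0] != 0x00) | (em[1] != 0x02) | (sep == -1) | (sep - 2 < 8)
    return "decryption_error" if bad else "ok"

def constructed_blocks() -> dict:
    """Constructed encryption blocks: 0x00 || 0x02 || PS || 0x00 || M."""
    ps = bytes(range(1, 20))                       # 19 nonzero padding bytes
    valid = b"\x00\x02" + ps + b"\x00" + b"secret-key"
    assert len(valid) == K
    return {
        "valid": valid,
        "first_byte": b"\x01" + valid[1:],
        "block_type": b"\x00\x01" + valid[2:],
        "no_separator": b"\x00\x02" + b"\xaa" * (K - 2),
        "short_padding": b"\x00\x02" + b"\xaa" * 4 + b"\x00" + b"\xbb" * (K - 7),
    }

def distinct_error_signals(unpad) -> set:
    """Set of return values a caller can observe across the malformed blocks."""
    blocks = constructed_blocks()
    return {unpad(em) for name, em in blocks.items() if name != "valid"}

if __name__ == "__main__":
    for decoder in (leaky_unpad, uniform_unpad):
        signals = distinct_error_signals(decoder)
        print(f"{decoder.__name__}: {len(signals)} distinct error signal(s): {sorted(signals)}")
```

A decoder that yields more than one distinct signal for malformed blocks tells the caller which check failed, which is the extra leakage the test is looking for.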

References