EDIT: This post covered Bitmessage protocol v1.0 before it switched to OpenSSL ECC because of these problems.

When I heard about Bitmessage I was pleased to find a new privacy/security preserving project being born.
But after I looked at the source code and grasped the crypto protocol (which is not described in the white paper), I got disappointed. It seems that it was not the intent of the developers to create a snake-oil cryptography product, since the application is open-source; nevertheless it implements the crypto so badly that the protocol would need a complete redesign to be of real use.

One thing I noticed is that clients send acknowledge messages when they are able to decrypt a message. I realized that this could probably be used as a side channel to recover the user's private key. The protocol does not use authenticated encryption or MACs to verify messages before decrypting public-key encrypted messages. Also, the same RSA keys are used both for signing and for encryption/decryption.

Then I noticed that decrypt_bigfile(), which is used to decrypt broadcast messages, does not use hybrid encryption (it uses plain RSA!) and has no method for chaining.
Each message is broken into blocks, and each block is independently encrypted using RSA. That means that an attacker can reorder blocks within a message and still create a valid message. Also, the attacker can construct a new message by mixing blocks from other captured messages. Since the first block of each message contains the headers, it's possible to take the first block of an existing message and append blocks of some other messages, creating completely valid new ones. The PoW does not help stop an attacker from building long messages, since the hash target is little affected by additional blocks (since a constant payloadLengthExtraBytes is added to make short messages more difficult).

At this time I had all the tools to implement a Bleichenbacher attack. Then I forced decrypt_bigfile() to implement a perfect Bleichenbacher oracle:

1. We take the first block of a 2-block message and re-use it.
2. We modify the second block according to the Bleichenbacher attack.
3. We add many copies of the second block (the original one) afterwards, e.g.
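To make the block-independence problem concrete, here is an added example (constructed for this post, not Bitmessage's code): a toy model of the v1.0 layout, where a header block and each body block are RSA-encrypted on their own, beside a hybrid version where RSA only wraps a session key and a single MAC over the whole message binds the header to every block and is checked before anything is decrypted. The RSA key (two fixed Mersenne primes), the 8-byte block size, the HMAC-based keystream and the function names are all assumptions of the example; a real deployment would wrap the key with OAEP or ECIES and use an AEAD for the body.

```python
"""Toy model of Bitmessage v1.0-style per-block RSA versus a chained,
authenticated hybrid scheme.  Constructed example, not Bitmessage's code.
Textbook RSA with fixed Mersenne primes stands in for the real key; it is
only here to show the (lack of) binding between blocks."""
import hashlib
import hmac
import os

# Constructed toy RSA key pair: two Mersenne primes, e = 65537 is coprime to phi.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q                                   # roughly 92 bits
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))           # private exponent (Python 3.8+)
BLOCK = 8                                   # 64-bit plaintext blocks, always < N
WRAP = 12                                   # bytes needed to hold a value < N


def rsa_encrypt_block(block: bytes) -> int:
    assert len(block) == BLOCK
    return pow(int.from_bytes(block, "big"), E, N)


def rsa_decrypt_block(c: int) -> bytes:
    return pow(c, D, N).to_bytes(BLOCK, "big")


def pad(data: bytes) -> bytes:
    """PKCS#7-style padding so the body splits into whole blocks."""
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


# --- Model of the v1.0 design: header block + body blocks, each RSA'd alone ---

def encrypt_unchained(header: bytes, body: bytes) -> list:
    assert len(header) == BLOCK
    padded = pad(body)
    blocks = [header] + [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]
    return [rsa_encrypt_block(b) for b in blocks]


def decrypt_unchained(ct: list) -> tuple:
    """Nothing ties block i to block i+1 or to the header: any sequence of
    validly encrypted blocks decrypts, so reordered or spliced ciphertexts
    are accepted (and, in v1.0, would even be acknowledged)."""
    blocks = [rsa_decrypt_block(c) for c in ct]
    return blocks[0], unpad(b"".join(blocks[1:]))


# --- Hardened: RSA wraps one session key, the body is encrypted with a
#     symmetric keystream and a single MAC covers the entire message. ---

def _keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _derive(session: bytes) -> tuple:
    return (hashlib.sha256(b"enc" + session).digest(),
            hashlib.sha256(b"mac" + session).digest())


def encrypt_chained(header: bytes, body: bytes) -> bytes:
    session = os.urandom(BLOCK)             # toy 64-bit key; real: 256-bit under OAEP/ECIES
    enc_key, mac_key = _derive(session)
    wrapped = rsa_encrypt_block(session).to_bytes(WRAP, "big")
    pt = header + body
    body_ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, len(pt))))
    tag = hmac.new(mac_key, wrapped + body_ct, hashlib.sha256).digest()
    return wrapped + body_ct + tag


def decrypt_chained(ct: bytes) -> tuple:
    wrapped, body_ct, tag = ct[:WRAP], ct[WRAP:-32], ct[-32:]
    session = rsa_decrypt_block(int.from_bytes(wrapped, "big"))
    enc_key, mac_key = _derive(session)
    expected = hmac.new(mac_key, wrapped + body_ct, hashlib.sha256).digest()
    # Verify before decrypting the body; every bad input takes the same path,
    # so a "could not decrypt" acknowledgement carries no per-block signal.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    pt = bytes(a ^ b for a, b in zip(body_ct, _keystream(enc_key, len(body_ct))))
    return pt[:BLOCK], pt[BLOCK:]


def splice_results() -> dict:
    """Header of message A with blocks of message B, under both schemes."""
    hdr_a, hdr_b = b"hdr:aaaa", b"hdr:bbbb"
    body_a, body_b = b"AAAAAAAAaaaaaaa", b"BBBBBBBBbbbbbbb"
    ua, ub = encrypt_unchained(hdr_a, body_a), encrypt_unchained(hdr_b, body_b)
    ca, cb = encrypt_chained(hdr_a, body_a), encrypt_chained(hdr_b, body_b)
    result = {
        "unchained_splice": decrypt_unchained([ua[0]] + ub[1:]),     # accepted
        "unchained_mix": decrypt_unchained([ua[0], ub[1], ua[2]]),   # accepted
    }
    cut = WRAP + BLOCK                      # where the body ciphertext starts
    try:
        decrypt_chained(ca[:cut] + cb[cut:-32] + ca[-32:])
        result["chained_splice"] = "accepted"
    except ValueError:
        result["chained_splice"] = "rejected"
    return result


if __name__ == "__main__":
    print(splice_results())
```

Running it shows the unchained decryptor happily returning A's header with B's body (and with B's first block followed by A's last), while the chained decryptor rejects the same splice at the tag check, before any body block is touched. The keystream-XOR body is itself malleable, which is exactly why the tag, not the cipher, is what prevents reordering; that is the "method for chaining" the post finds missing.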