Not too long ago I published on Github Go code to perform the famous Manger’s attack against RSA OAEP. This code allows us to leverage a padding Oracle in order to break RSA OAEP encryption, even though it has been mathematically proven secure… How come?! may be your first reaction, but although a scheme is secure it doesn’t mean that its implementation aren’t leaking knowledge which can be leveraged to break the said scheme!
This is exactly what’s happening there with Manger’s attack, we use just one tiny bit of information and yet we can break a message encrypted using 2048 bits RSA in less than 2300 queries. Provided we have the Oracle we need, obviously! And in practice such Oracles are generally not easily built and use side-channels such as timings or caches to extract that one bit of information with enough probability to be correct.
However, the code I release isn’t doing anything like that, instead it assumes it has an Oracle which provides him with the little tiny bit of information we’ll rely on to perform Manger’s attack. Since the Go\Crypto library does hopefully not provides us with such an oracle out of the box, I had to tweak the RSA code a bit, to have an information leak I could then exploit as an Oracle.
I was fairly astonished not to find any previous implementation except for one! One would think that someone already leveraged the power of Manger’s attack to break weak libraries, but it seems like those who did it either kept the code for themselves and only showed its results or didn’t even publish the said results.
You may find my code in my go-manger-attack Github repository. I was really pleased to implement it in Go, because it allowed for a fairly direct translation from mathematical formulas to code.
EDIT: see my follow-up post on the topic: “Understanding and implementing Manger attack”