Tags: rsa oaep timing-attack oracle
tldr;
- [Manger's attack](https://www.iacr.org/archive/crypto2001/21390229.pdf) on RSA OAEP decryption oracle.
- Use timings to distinguish ciphertexts (a path traversal bug in the label parameter lets us choose a large label, which makes timing differences more obvious). It helps to use a machine in the same datacenter as the server.
- Most of the heavy lifting is already done: https://github.com/kudelskisecurity/go-manger-attack
[writeup](https://jsur.in/posts/2021-01-31-justctf-2020-crypto-writeups#oracles)
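
Why a large label widens the timing gap, as an added example (not the challenge server's code and not taken from go-manger-attack): an OAEP decoder that rejects a non-zero leading byte before hashing the label, next to one that does the same work for every input. The early-exit shape, SHA-256, and every name here are assumptions; `labelBytesHashed` counts label work as a deterministic stand-in for elapsed time.

```javascript
const nodeCrypto = require("node:crypto");
const H = 32; // SHA-256 output length in bytes
let labelBytesHashed = 0; // instrumentation: label work done per call
const sha256 = (b) => nodeCrypto.createHash("sha256").update(b).digest();
const hashLabel = (l) => { labelBytesHashed += l.length; return sha256(l); };
const xor = (a, b) => Buffer.from(a.map((v, i) => v ^ b[i]));
function mgf1(seed, len) { // MGF1 with SHA-256
  const out = [];
  for (let c = 0; c * H < len; c++) {
    const ctr = Buffer.alloc(4); ctr.writeUInt32BE(c);
    out.push(sha256(Buffer.concat([seed, ctr])));
  }
  return Buffer.concat(out).subarray(0, len);
}
function unmask(em) { // recover DB = lHash || PS || 0x01 || M
  const maskedDB = em.subarray(1 + H);
  const seed = xor(em.subarray(1, 1 + H), mgf1(maskedDB, H));
  return xor(maskedDB, mgf1(seed, maskedDB.length));
}
// Vulnerable shape (assumed): reject on Y != 0 before the label is hashed.
function decodeLeaky(em, label) {
  if (em[0] !== 0) return null; // early exit is the oracle
  const db = unmask(em), lHash = hashLabel(label);
  const i = db.indexOf(1, H);
  if (!db.subarray(0, H).equals(lHash) || i < 0) return null;
  return db.subarray(H, i).some((b) => b !== 0) ? null : db.subarray(i + 1);
}
// Hardened shape: same work for every input, one verdict (JS cannot promise constant time).
function decodeUniform(em, label) {
  const db = unmask(em), lHash = hashLabel(label);
  let bad = em[0], idx = 0, looking = 1;
  for (let i = 0; i < H; i++) bad |= db[i] ^ lHash[i];
  for (let i = H; i < db.length; i++) {
    const one = +(db[i] === 1), zero = +(db[i] === 0);
    idx |= i * (looking & one);              // remember the first 0x01 separator
    bad |= looking & (one ^ 1) & (zero ^ 1); // non-zero padding byte before it
    looking &= one ^ 1;
  }
  return bad | looking ? null : db.subarray(idx + 1);
}
// Constructed sample input: OAEP-encode msg into k bytes with a fixed seed.
function encode(msg, label, k, seed) {
  const ps = Buffer.alloc(k - msg.length - 2 * H - 2);
  const db = Buffer.concat([sha256(label), ps, Buffer.from([1]), msg]);
  const maskedDB = xor(db, mgf1(seed, db.length));
  return Buffer.concat([Buffer.from([0]), xor(seed, mgf1(maskedDB, H)), maskedDB]);
}
// Label bytes hashed by one decode call (proxy for what a timer sees).
const labelWork = (decode, em, label) => { labelBytesHashed = 0; decode(em, label); return labelBytesHashed; };
```

With a 4096-byte label, `labelWork(decodeLeaky, ...)` is 0 for a block whose leading byte is non-zero and 4096 for any other rejection, while `decodeUniform` hashes 4096 bytes in both cases.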
> It helps to use a machine in the same datacenter as the server.
One can also leverage the X-Response-Time header added by the "response-time" express middleware to get a more precise timer:
https://www.npmjs.com/package/response-time