Silence Will Fall (Or How It Can Take 2 Years to Get Your Vuln Registered)

Photo credit:



Basic RSA

  1. Alice randomly picks two prime numbers (p and q) of predefined length (for example, 1024 bits).
  2. Alice computes their product N (the modulus).
  3. Alice takes the predefined public exponent e. The most common value is 65537, because it has just 2 bits set. In the past 3 and 17 have also been used, but they are not guaranteed to wrap the modulus during exponentiation.
  4. Alice computes private exponent d. Now (d, N) is Alice’s private key and (e, N) is Alice’s public key.
  5. Alice sends her public key to Bob.
  6. Bob converts the message M which he wants to send to Alice into a number m less than N. He exponentiates the number to e modulo N and sends the result to Alice.
  7. Alice takes the result, exponentiates it to d modulo N and gets the initial m as a result, which she then converts back into M
    ! On a side note, since Medium does not support Latex, some exponents are expressed in brackets using the ^ symbol.
    =pq, where p, q are prime
    e∗d = 1(mod (p-1)(q-1))
    ∀m ≠ 0: m ^(e∗ d) (mod N)=m^(1+k∗(p−1)∗(q−1)) (mod N)=m (mod N),
    where k∈ N

RSA teething problems


  1. BT=00, all octets in PS are set to 00
  2. BT=01, all octets in PS are set to FF
  3. BT=02, all octets in PS are pseudorandomly generated and not equal to 00
  1. With BT=01, D can be unpadded regardless of its contents, with BT=00 the first byte of D, which is equal to 00, will also be unpadded, thereby creating a problem.
  2. Both BT=01 and BT=02 create large integers for encryption, so all attacks requiring a small (short) D don’t work

Bleichenbacher’s Padding Oracle Attack

  1. Alice decrypts the ciphertext with the RSA primitive.
  2. Alice unpads the message.
  3. Alice parses the message and performs actions based on the message.
  1. Blinding the ciphertext, creating cₒ, that corresponds to unknown mₒ
  2. Finding small sᵢ, such that mₒsᵢ mod N is PKCS-conforming. For every such sᵢ the attacker computes intervals that must contain mₒ using previously known information
  3. Starts when only one interval remains. The attacker has sufficient information about mₒ to choose sᵢ such that mₒsᵢ mod N is more likely to be PKCS conforming than a randomly chosen message. The size of sᵢ is increased gradually, narrowing the possible range of mₒ until only one possible value remains.
  1. Intercept some message from Bob to Alice.
  2. Use Alice as a padding oracle to decrypt the message.

Back to disclosure

  • They didn’t want to register a CVE, because they just followed the specification and the library itself didn’t return any padding errors (this is just partially true)
  • They were developing PKCS#1v2.2 (a newer specification with safer padding) and were going to publish it with a new version of X-CUBE-CRYPTOLIB in the spring.

Proof of Concepts

General information

  • The full attack (will take a long time on MLA, an absurdly long time on ST)
  • The attack with precalculated successful steps

Preliminary steps

  • requirements.txt (file with python requirements for “” and python attack clients)
  • (python script which parses a pem file, creates headers and imports for vulnerable servers and clients, also encrypts one message, which is to be decrypted by the attacking clients and creates a trace to show the attack without taking too much time)
  • (runs openssl to create a 2048-bit RSA key, then runs “”)
sudo apt install openssl python3 python3-pip python3-gmpy2 && python3 -m pip install -r requirements.txt

Microchip PoC

  • bigint_helper_16bit_intel.S (rewritten “bigint_helper_16bit.S” from the bigint library inside MLA. It was written for PIC architecture, making the library unusable on a PC. I rewrote all functions in intel (x86_64) assembly, to use the same bigint library that crypto_sw in MLA uses)
  • bleichenbacher_oracle_mla.c (the main file containing high-level server functions)
  • crypto_support_params.h (enums and function definitions for cryptographic functions)
  • crypto_sw.patch (a patchfile that comments out one line in crypto_sw library to stop type collision when building on a PC)
  • crypto.c (contains all functions which initialize and deinitialize MLA’s RSA implementation and functions that wrap around encryption and decryption routines)
  • (a simple bash script to apply the patch)
  • makefile
  • oracle_params.h (some server parameters)
  • support.c (decrypted message checking function)
  • support.h (check_message function and return values’ definitions and seed length definition)
cd Microchip/vulnerable_server
cp -r ~/microchip/mla/v2018_11_26/framework/bigint .
cp -r ~/microchip/mla/v2018_11_26/framework/crypto_sw .
cp ../../Preparation/microchip_files/key_params.h .
cp ../Preparation/attacker/ .
cp ../Preparation/speedup/trace.txt .
  1. Run the full attack (you will have to wait a long time, however)
python3 -t trace.txt -s
python3 -t trace.txt


cd qemu_stm32-stm32_v0.1.2
sudo apt install arm-none-eabi-gcc-arm-non-eabi-newlib gcc
./configure --extra-cflags="-w" --enable-debug --target-list="arm-softmmu"
#include <sys/sysmacros.h>
cd qemu_stm32-stm32_v0.1.2
cp ../stm32_qemu.patch .
cp ../ .
cp -r STM32CubeExpansion_Crypto_V3.1.0/Fw_Crypto/STM32F1/Middlewares/ST/STM32_Cryptographic stm32_p103_demos-0.3.0/
cd stm32_p103_demos-0.3.0
cp ../ .
cp ../stm32_p103_demos.patch .
  • main.c — the main file containing high-level functionality of the server
  • stm32f10x_conf.h — configuration file
  • support.c — message parsing and fixing
  • support.h — definitions for the use of support.c
cp ../../../../Preparation/st_files/key_params.h demos/bleich/
make bleich_ALL
  • Server QEMU terminal
  • Server GDB terminal
  • Attacker terminal
#Server QEMU terminal
./qemu-system-arm -M stm32-p103 -kernel ../../stm32_p103_demos-0.3.0/demos/bleich/main.bin -gdb tcp::3333
  • Go to “<some_prefix>/ST/vulnerable_server/”
  • install gdb-multiarch if it’s not installed
  • run gdb-multiarch
  • load file “binary/stm32_p103_demos-0.3.0/demos/bleich/main.elf” (this is necessary for the script to work)
  • connect to qemu gdb server
  • load python script “<some_prefix>/ST/vulnerable_server/gdb_server/” (gdb has to use python3)
#Server GDB terminal
file binary/stm32_p103_demos-0.3.0/demos/bleich/main.elf
target remote localhost:3333
source gdb_server/
pkill -9 gdb

Back to disclosure… Again

  1. CVE-2020–20949 (Vulnerability in ST X-CUBE-CRYPTOLIB 3.1.0, 3.1.2)
  2. CVE-2020–20950 (Vulnerability in Microchip Libraries for Applications 2018–11–26)




BI.ZONE: an expert in digital risks management. We help organizations around the world to develop their businesses safely in the digital age

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Delio wallet, Protect customer’s asset with high security

What are the benefits of MXDR and how does it compare to other cybersecurity solutions?

What is Capture The Flag ?

The Loan Wars: Rules of Engagement

Triforce Protocol Is Now KYC Approved by Assure



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


BI.ZONE: an expert in digital risks management. We help organizations around the world to develop their businesses safely in the digital age

More from Medium

Play-and-Earn Instead of Play-to-Earn

Play and earn, not play to earn

How to draw realistic face — Dry brush technique

Diffie-Hellman Key Exchange via REST

CS371p Spring 2022: Winnie Chang