Tags: oracle timing-attack oaep rsa 

Rating:

tldr;
- [Manger's attack](https://www.iacr.org/archive/crypto2001/21390229.pdf) on RSA OAEP decryption oracle.
- Use timings to distinguish ciphertexts (path traversal bug in the label parameter lets us choose a large label which makes timing differences more obvious). It helps to use a machine in the same datacenter as the server.
- Most of the heavy lifting is already done: https://github.com/kudelskisecurity/go-manger-attack

[writeup](https://www.josephsurin.me/posts/2021-01-31-justctf-2020-crypto-writeups#oracles)

Original writeup (https://www.josephsurin.me/posts/2021-01-31-justctf-2020-crypto-writeups#oracles).
gabrielbezerraFeb. 2, 2021, 12:18 a.m.

> It helps to use a machine in the same datacenter as the server.

One can also leverage the X-Response-Time header added by the "response-time" express middleware to get a more precise timer:

https://www.npmjs.com/package/response-time