Is SecureAuth IdP Impacted by the ROBOT Attack Vulnerability?

In December 2017, Hanno Böck, Juraj Somorovsky, and Craig Young wrote a research paper titled “Return of Bleichenbacher’s Oracle Threat (ROBOT)” that explains how an HTTPS hosts can still be vulnerable to the original 1998 Bleichenbacher attack. The ROBOT Attack targets a weakness in the PKCS #1 v1.5 RSA encryption standard that lets an attacker obtain a secured website’s private key within a brief timespan.

ROBOT only affects TLS cipher modes that use RSA encryption. Most modern TLS connections use an Elliptic-curve Diffie-Hellman key exchange and only require RSA for signatures. SecureAuth IdP Appliances already prioritize modern cryptography ciphers in the product which mitigates the attack. This assurance has been confirmed by using scanning tools provided by researchers at The ROBOT Attack.

While SecureAuth IdP Appliances prioritize modern cryptography, connections from RSA ciphers are still allowed for compatibility with legacy software solutions.

SecureAuth recommends disabling RSA encryption entirely (ciphers starting with TLS_RSA) to ensure full resolution of the vulnerability. Internet-wide metrics show this setup should have minimal impact on browser compatibility.

In addition, SecureAuth strongly recommends auditing your network for compatibility before implementing the suggested configuration changes.