Bleichenbacher Attack in Restify with Bearer Tokens

A Bleichenbacher attack is a chosen-ciphertext attack against asymmetric encryption padding schemes, commonly RSAES-PKCS1-v1_5. In a Restify service that uses Bearer Tokens protected by RSA encryption, this attack can be viable when token validation is performed in a way that exposes timing differences or error message distinctions based on padding validity. The attack does not target Bearer Tokens directly, but targets the cryptographic operation used to verify a token’s signature or decryption. If your Restify API validates encrypted or signed Bearer Tokens using a routine that returns different timing or distinct error responses for padding errors versus other failures, an attacker can iteratively submit modified ciphertexts and learn the plaintext token material without having any valid credentials.

In a typical Restify setup, Bearer Tokens are passed via the Authorization header (Authorization: Bearer ). If the token is a cryptographically signed JWT, developers sometimes incorrectly perform asymmetric verification by first decrypting an RSA-encrypted payload and then checking structure, or they compare signatures in a non-constant-time manner. When such validation logic is reachable without authentication, the unauthenticated attack surface allows an adversary to perform the Bleichenbacher adaptive chosen-ciphertext procedure against the public key component used in the token verification path. Each request that triggers a padding error versus a signature mismatch produces a distinguishable response, enabling the attacker to gradually decrypt or forge a valid Bearer Token. This is especially relevant when the server performs decryption server-side before validation, or when error handling inadvertently leaks whether a decryption or padding check failed.

Consider a Restify route that expects an encrypted Bearer Token in a custom header and uses Node.js crypto functions with RSA-OAEP or PKCS1 padding. If the server returns 401 for malformed tokens but distinguishes between padding errors and signature errors, the attacker can mount a Bleichenbacher attack to recover the plaintext token or to forge a valid one. Even when tokens are JWTs, if the verification implementation is flawed (e.g., accepting tokens with alg: none or incorrectly handling key selection), the attack surface expands. The combination of Restify’s routing behavior, Bearer Token usage for authorization, and non-hardened cryptographic validation creates a scenario where an unauthenticated remote attacker can obtain valid token material by exploiting timing and error behavior across many crafted requests.

Remediation focuses on ensuring that Bearer Token validation does not leak information via timing or error messages and that cryptographic operations are performed safely. In Restify, you should centralize token validation and use constant-time comparison for signatures, avoid branching on padding errors, and return uniform error responses for any invalid token. Below are concrete code examples that demonstrate a secure approach.

First, use a constant-time verification method for token signatures. When using JSON web tokens with an RSA public key, prefer libraries that handle constant-time verification internally, and avoid manual comparisons that short-circuit on byte differences. Here is an example using Node.js and the jsonwebtoken library with a public key:

const jwt = require('jsonwebtoken');
const fs = require('fs');

const publicKey = fs.readFileSync('public.key');

function verifyBearerToken(token) {
  try {
    const decoded = jwt.verify(token, publicKey, { algorithms: ['RS256'] });
    return { valid: true, decoded };
  } catch (err) {
    // Return a generic token invalid error without revealing the specific cause
    return { valid: false, error: 'invalid_token' };
  }
}

module.exports = { verifyBearerToken };

Second, ensure your route handler uses the verifier uniformly and does not expose different error paths for padding versus signature failures. In Restify, define a preValidation hook that checks the Authorization header and rejects malformed requests with a consistent 401 response:

const restify = require('restify');
const server = restify.createServer();
const { verifyBearerToken } = require('./verifyBearerToken');

server.preValidation((req, res, next) => {
  const auth = req.headers.authorization;
  if (!auth || !auth.startsWith('Bearer ')) {
    res.send(401, { error: 'invalid_token' });
    return next();
  }
  const token = auth.slice(7);
  const result = verifyBearerToken(token);
  if (!result.valid) {
    res.send(401, { error: 'invalid_token' });
    return next();
  }
  req.user = result.decoded;
  return next();
});

server.get('/protected', (req, res) => {
  res.send({ message: 'access granted', user: req.user });
});

server.listen(8080, () => console.log('server listening on 8080'));

Third, if you use encrypted tokens where you must perform RSA decryption before validation, use a library and settings that do not expose padding errors. Prefer RSA-OAEP and ensure you do not implement custom padding checks. Always catch all errors and return a generic invalid token response so that timing or error-type differences do not guide an attacker. For key management, rotate keys and use JWKS when applicable, and avoid accepting the alg: none method. These practices reduce the effectiveness of Bleichenbacher-style adaptive attacks by removing the oracle that distinguishes padding failures from other errors.

Finally, complement code fixes with operational measures: enforce transport-layer encryption, monitor for anomalous repeated 401s from a single source, and rotate cryptographic keys periodically. By combining constant-time verification, uniform error handling, and robust key management in Restify, you mitigate the risk of token recovery via Bleichenbacher attacks while maintaining a secure Bearer Token authorization flow.