Matthew Green's blog provides a nice write-up.
Romain Bardou (INRIA project Secsi, France), Riccardo Focardi (Università Ca' Foscari Venezia, Italy), Yusuke Kawamoto (University of Birmingham, UK), Lorenzo Simionato (Università Ca' Foscari Venezia, Italy), Graham Steel (INRIA project ProSecCo, France), Joe-Kai Tsay (Norges teknisk-naturvitenskapelige universitet, Norway).
Some of the work was carried out while Kawamoto, Steel, and Tsay were working in INRIA project Secsi at LSV, ENS-Cachan. Simionato is now at Google.
You need access to the UnwrapKey function. This could be achieved, for example, directly by putting malware on the host machine, or indirectly if the unwrap key functionality is exposed via a network protocol.
The modified version of the Bleichenbacher attack reveals a plaintext encrypted under an RSA key. That plaintext, in the context of the PKCS#11 UnwrapKey command, is a symmetric key. The same attack can also be used to forge a signature, though this takes longer. Our paper gives full details.
The Vaudenay CBC attack may reveal either a symmetric key or a private RSA key if it has been exported from a device under a symmetric cipher like AES using CBC_PAD.
The best previous attack was due to Klima et al., which is roughly twice as fast as Bleichenbacher's original algorithm on a standard PKCS#1 v1.5 padding oracle. Our attack is more than ten times as fast as the original algorithm, i.e. roughly a factor of five improvement on the best previously known attack. Here we measure speed as the median number of oracle calls required to complete the attack, measured over 1000 runs with different RSA keypairs.
Yes, use a padding mode that has IND-CCA security proofs, like OAEP as standardised in PKCS#1v2, and make sure this is the only mode available at the API.
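To make the difference between the two padding modes concrete, here is an added illustration (not code from the paper or from any vendor) that works on the encoded blocks a device sees after the RSA private operation, which is where the padding check lives; the modular exponentiation itself is left out. It implements EME-PKCS1-v1_5 and EME-OAEP (SHA-256, MGF1) per RFC 8017, then flips one byte of each encoded block, as a tampered ciphertext would after decryption. The v1.5 check still reports "conformant" (that yes/no answer is the oracle a Bleichenbacher-style attack queries), while the OAEP check, which is bound to the hash of the whole block, rejects the modification with a single uniform error. The sample key bytes are constructed.

```python
"""Padding-check behaviour of PKCS#1 v1.5 (type 2) versus OAEP on RSA
encoded blocks.  Added illustration; the RSA exponentiation is omitted
because the padding check is the part that matters for the oracle."""
import hashlib
import hmac
import os

HASH = hashlib.sha256
HLEN = HASH().digest_size


def pkcs1_v15_encode(message: bytes, k: int) -> bytes:
    """EME-PKCS1-v1_5 (RFC 8017 7.2.1): 00 || 02 || PS (non-zero) || 00 || M."""
    ps_len = k - len(message) - 3
    if ps_len < 8:
        raise ValueError("message too long")
    ps = bytearray()
    while len(ps) < ps_len:
        ps += os.urandom(ps_len - len(ps)).replace(b"\x00", b"")
    return b"\x00\x02" + bytes(ps[:ps_len]) + b"\x00" + message


def pkcs1_v15_conformant(em: bytes) -> bool:
    """The check an unwrap routine performs; its yes/no result is the oracle."""
    if len(em) < 11 or em[0] != 0 or em[1] != 2:
        return False
    sep = em.find(b"\x00", 2)
    return sep >= 10  # at least 8 non-zero padding bytes before the separator


def mgf1(seed: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += HASH(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def oaep_encode(message: bytes, k: int, label: bytes = b"") -> bytes:
    """EME-OAEP (RFC 8017 7.1.1) with SHA-256 and MGF1."""
    if len(message) > k - 2 * HLEN - 2:
        raise ValueError("message too long")
    lhash = HASH(label).digest()
    ps = b"\x00" * (k - len(message) - 2 * HLEN - 2)
    db = lhash + ps + b"\x01" + message
    seed = os.urandom(HLEN)
    masked_db = xor(db, mgf1(seed, k - HLEN - 1))
    masked_seed = xor(seed, mgf1(masked_db, HLEN))
    return b"\x00" + masked_seed + masked_db


def oaep_decode(em: bytes, k: int, label: bytes = b"") -> bytes:
    """Every failure raises the same error after the same work; no early
    return reveals which of the checks failed."""
    if len(em) != k or k < 2 * HLEN + 2:
        raise ValueError("decryption error")
    lhash = HASH(label).digest()
    y, masked_seed, masked_db = em[0], em[1:1 + HLEN], em[1 + HLEN:]
    seed = xor(masked_seed, mgf1(masked_db, HLEN))
    db = xor(masked_db, mgf1(seed, k - HLEN - 1))
    ok = (y == 0) & hmac.compare_digest(db[:HLEN], lhash)
    sep = -1
    for i, byte in enumerate(db[HLEN:]):  # scan the whole block, no break
        if sep == -1:
            if byte == 1:
                sep = i
            elif byte != 0:
                ok = False
    if not ok or sep == -1:
        raise ValueError("decryption error")
    return db[HLEN + sep + 1:]


def malleability_demo(k: int = 128) -> tuple:
    """Flip the last byte of each encoded block (what a tampered ciphertext
    turns into after the private operation) and report whether each padding
    check still accepts it: (v15_still_conformant, oaep_still_accepts)."""
    wrapped_key = b"\x11" * 16  # constructed sample: a 128-bit symmetric key
    v15 = bytearray(pkcs1_v15_encode(wrapped_key, k))
    v15[-1] ^= 0xFF
    v15_accepts = pkcs1_v15_conformant(bytes(v15))
    oaep = bytearray(oaep_encode(wrapped_key, k))
    oaep[-1] ^= 0xFF
    try:
        oaep_decode(bytes(oaep), k)
        oaep_accepts = True
    except ValueError:
        oaep_accepts = False
    return v15_accepts, oaep_accepts


if __name__ == "__main__":
    print(malleability_demo())  # (True, False)
```

The v1.5 block stays conformant because the check inspects only the leading bytes and the separator, so the decryptor accepts a ciphertext no honest encryptor produced; under OAEP the flipped byte changes the recovered seed, hence the whole data block, and the label hash comparison fails. That is the IND-CCA property the answer above relies on, and it only helps if v1.5 unwrapping is not also offered by the same API.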
Like the original algorithm, our version of the Bleichenbacher attack does not reveal the private half of the RSA key used for encryption.
No.
Yes. All affected vendors were informed more than 12 months before the paper was published.