Side Channel Analyses of CBC Mode Encryption

A block cipher encrypts data one block at a time. For bulk data encryption, a block cipher is usually used in a mode of operation. Cipher Block Chaining (CBC) mode encryption is one of the most commonly used modes of operation. The security properties of CBC mode encryption have been studied extensively. One well-known attack against CBC mode encryption allows an attacker, with some restrictions, to flip abitrary bits in the plaintext. In this thesis we present attacks using the bit flipping technique, in the presence of a side channel, to recover plaintext with varying degrees of efficiency. A side channel is a means by which confidential information about the plaintext is inadvertently leaked to an attacker, who then exploits the information to further his attacks. Error reporting is a common type of side channel in real cryptographic systems. We first examine the use of CBC mode encryption with some padding methods specified by ISO standards, and analyse the security of those combinations in the presence of a padding oracle as a side channel. A padding oracle, first introduced in a paper by Vaudenay, is a type of error oracle that reveals padding correctness information to an attacker. We show that, in a relaxed attack model in which initialisation vectors (IVs) are public, we can exploit a padding oracle to efficiently extract plaintext bits. We then show that in a stricter attack model (secret and random IVs), the padding schemes are still vulnerable to padding oracle attacks and therefore still weak. Putting theory into practice, we go on to investigate the applicability of error oracle attacks to IPsec, a suite of protocols commonly used to implement Virtual Private Networks (VPNs) to secure the exchange of IP datagrams at the network layer. When IPsec is configured not to use integrity protection, a usage mode supported by IPsec standards, we show that a variety of efficient attacks are available for an attacker to recover plaintext datagrams, sometimes highly efficiently. By carefully manipulating encrypted IP datagrams, the attacker triggers the generation of Internet Control Message Protocol (ICMP) messages which he then intercepts. The ICMP messages, providing an error reporting side channel, contain plaintext information which can then be used to reconstruct plaintext datagrams in full. Finally, we present our view on the future of CBC mode encryption in the light of our attacks, and conclude with reflections on our experience of cryptography in theory and practice.