Side Channel Analyses of CBC Mode Encryption

Author

  • Arnold K. L. Yau
Abstract

A block cipher encrypts data one block at a time. For bulk data encryption, a block cipher is usually used in a mode of operation. Cipher Block Chaining (CBC) mode encryption is one of the most commonly used modes of operation. The security properties of CBC mode encryption have been studied extensively. One well-known attack against CBC mode encryption allows an attacker, with some restrictions, to flip arbitrary bits in the plaintext. In this thesis we present attacks using the bit flipping technique, in the presence of a side channel, to recover plaintext with varying degrees of efficiency. A side channel is a means by which confidential information about the plaintext is inadvertently leaked to an attacker, who then exploits the information to further his attacks. Error reporting is a common type of side channel in real cryptographic systems. We first examine the use of CBC mode encryption with some padding methods specified by ISO standards, and analyse the security of those combinations in the presence of a padding oracle as a side channel. A padding oracle, first introduced in a paper by Vaudenay, is a type of error oracle that reveals padding correctness information to an attacker. We show that, in a relaxed attack model in which initialisation vectors (IVs) are public, we can exploit a padding oracle to efficiently extract plaintext bits. We then show that in a stricter attack model (secret and random IVs), the padding schemes are still vulnerable to padding oracle attacks and therefore still weak. Putting theory into practice, we go on to investigate the applicability of error oracle attacks to IPsec, a suite of protocols commonly used to implement Virtual Private Networks (VPNs) to secure the exchange of IP datagrams at the network layer.
When IPsec is configured not to use integrity protection, a usage mode supported by IPsec standards, we show that a variety of efficient attacks are available for an attacker to recover plaintext datagrams, sometimes highly efficiently. By carefully manipulating encrypted IP datagrams, the attacker triggers the generation of Internet Control Message Protocol (ICMP) messages which he then intercepts. The ICMP messages, providing an error reporting side channel, contain plaintext information which can then be used to reconstruct plaintext datagrams in full. Finally, we present our view on the future of CBC mode encryption in the light of our attacks, and conclude with reflections on our experience of cryptography in theory and practice.


Similar sources

Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS

In many standards, e.g. SSL/TLS, IPSEC, WTLS, messages are first pre-formatted, then encrypted in CBC mode with a block cipher. Decryption needs to check if the format is valid. Validity of the format is easily leaked from communication protocols in a chosen ciphertext attack since the receiver usually sends an acknowledgment or an error message. This is a side channel. In this paper we show va...


Provable Security in Practice: Analysis of SSH and CBC mode with Padding

This thesis illustrates and examines the gap that exists between theoretical and practical cryptography. Provable security is a useful tool which allows cryptographers to perform formal security analyses within a strict mathematical framework. Unfortunately, the formal modelling of provable security sometimes fails to match how particular schemes or protocols are implemented in real life. We ex...


Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption

Vaudenay recently demonstrated side-channel attacks on a common encryption scheme, CBC Mode encryption, exploiting a “valid padding” oracle [Vau02]. Mirroring the side-channel attacks of Bleichenbacher [Ble98] and Manger [Man01] on asymmetric schemes, he showed that symmetric encryption methods are just as vulnerable to side-channel weaknesses when an adversary is able to distinguish between va...


Password Interception in a SSL/TLS Channel

Simple password authentication is often used e.g. from an email software application to a remote IMAP server. This is frequently done in a protected peer-to-peer tunnel, e.g. by SSL/TLS. At Eurocrypt’02, Vaudenay presented vulnerabilities in padding schemes used for block ciphers in CBC mode. He used a side channel, namely error information in the padding verification. This attack was not possi...


Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format

Vaudenay has shown in [5] that a CBC encryption mode ([2], [9]) combined with the PKCS#5 padding [3] scheme allows an attacker to invert the underlying block cipher, provided she has access to a valid-padding oracle which for each input ciphertext tells her whether the corresponding plaintext has a valid padding or not. Having on mind the countermeasures against this attack, different padding s...


Publication date: 2009