Abstract
In many standards, e.g. SSL/TLS, IPSEC, WTLS, messages are first pre-formatted, then encrypted in CBC mode with a block cipher. Decryption needs to check if the format is valid. Validity of the format is easily leaked from communication protocols in a chosen ciphertext attack since the receiver usually sends an acknowledgment or an error message. This is a side channel.
In this paper we show various ways to perform an efficient side channel attack. We discuss potential applications, extensions to other padding schemes and various ways to fix the problem.
Keywords
- Block Cipher
- Message Authentication Code
- Side Channel Attack
- Security Flaw
- Wireless Application Protocol
© 2002 Springer-Verlag Berlin Heidelberg
Cite this paper
Vaudenay, S. (2002). Security Flaws Induced by CBC Padding — Applications to SSL, IPSEC, WTLS.... In: Knudsen, L.R. (ed.) Advances in Cryptology — EUROCRYPT 2002. EUROCRYPT 2002. Lecture Notes in Computer Science, vol 2332. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-46035-7_35
DOI: https://doi.org/10.1007/3-540-46035-7_35
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-43553-2
Online ISBN: 978-3-540-46035-0