International Conference on the Theory and Applications of Cryptographic Techniques

EUROCRYPT 2002: Advances in Cryptology — EUROCRYPT 2002 pp 534-545

Security Flaws Induced by CBC Padding — Applications to SSL, IPSEC, WTLS...

  • Serge Vaudenay
Conference paper

DOI: 10.1007/3-540-46035-7_35

Volume 2332 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Vaudenay S. (2002) Security Flaws Induced by CBC Padding — Applications to SSL, IPSEC, WTLS.... In: Knudsen L.R. (eds) Advances in Cryptology — EUROCRYPT 2002. EUROCRYPT 2002. Lecture Notes in Computer Science, vol 2332. Springer, Berlin, Heidelberg


In many standards, e.g. SSL/TLS, IPSEC, WTLS, messages are first pre-formatted, then encrypted in CBC mode with a block cipher. Decryption needs to check if the format is valid. Validity of the format is easily leaked from communication protocols in a chosen ciphertext attack since the receiver usually sends an acknowledgment or an error message. This is a side channel.

In this paper we show various ways to perform an efficient side channel attack. We discuss potential applications, extensions to other padding schemes and various ways to fix the problem.

Download to read the full conference paper text

Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Serge Vaudenay
    • 1
  1. 1.Swiss Federal Institute of Technology (EPFL)Sweden