Security Flaws Induced by CBC Padding — Applications to SSL, IPSEC, WTLS...

  • Serge Vaudenay
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2332)

Abstract

In many standards, e.g. SSL/TLS, IPSEC, WTLS, messages are first pre-formatted, then encrypted in CBC mode with a block cipher. Decryption needs to check if the format is valid. Validity of the format is easily leaked from communication protocols in a chosen ciphertext attack since the receiver usually sends an acknowledgment or an error message. This is a side channel.

In this paper we show various ways to perform an efficient side channel attack. We discuss potential applications, extensions to other padding schemes and various ways to fix the problem.
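To make the side channel concrete, here is an added example (not code from the paper) that builds a small CBC implementation and two receivers. The first decrypts, strips PKCS#7-style padding, then checks a MAC placed inside the plaintext, and reports padding errors and MAC errors differently, which is exactly the "validity of the format is leaked" situation the abstract describes. The second uses encrypt-then-MAC: it authenticates IV and ciphertext before touching the padding and answers every failure identically, so the format check never runs on attacker-controlled data. The block cipher is a constructed HMAC-based Feistel network used only so the example runs offline with the standard library; the keys, IV and message are constructed demo values. `probe` counts how many distinct answers a receiver gives when one ciphertext byte is altered, which is the measurement a defender would make to check whether a decryption path is distinguishable from the outside.

```python
import hashlib
import hmac

BLOCK = 16   # block size in bytes
ROUNDS = 4   # Feistel rounds of the constructed demo cipher
TAG_LEN = 32  # HMAC-SHA256 tag length


class PaddingError(Exception):
    pass


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    # Round function of the demo cipher (constructed, not a real cipher).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r


def pad(m):
    # PKCS#7-style padding: n bytes, each of value n, 1 <= n <= BLOCK.
    n = BLOCK - len(m) % BLOCK
    return m + bytes([n]) * n


def unpad(m):
    if not m or len(m) % BLOCK:
        raise PaddingError
    n = m[-1]
    if n < 1 or n > BLOCK or m[-n:] != bytes([n]) * n:
        raise PaddingError
    return m[:-n]


def cbc_encrypt(key, iv, m):
    out, prev = [], iv
    for i in range(0, len(m), BLOCK):
        prev = block_encrypt(key, xor(m[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, c):
    out, prev = [], iv
    for i in range(0, len(c), BLOCK):
        blk = c[i:i + BLOCK]
        out.append(xor(block_decrypt(key, blk), prev))
        prev = blk
    return b"".join(out)


def leaky_receive(key, mac_key, iv, c, tag=None):
    # MAC-then-encrypt, padding checked first: two distinguishable failures.
    try:
        m = unpad(cbc_decrypt(key, iv, c))
    except PaddingError:
        return "padding_error"
    data, t = m[:-TAG_LEN], m[-TAG_LEN:]
    if not hmac.compare_digest(t, hmac.new(mac_key, data, hashlib.sha256).digest()):
        return "mac_error"
    return "ok"


def hardened_receive(key, mac_key, iv, c, tag):
    # Encrypt-then-MAC: authenticate IV||ciphertext before any decryption,
    # and give one uniform answer for every failure.
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + c, hashlib.sha256).digest()):
        return "rejected"
    try:
        unpad(cbc_decrypt(key, iv, c))
    except PaddingError:
        return "rejected"
    return "ok"


def probe(receive, key, mac_key, iv, c, tag):
    # Alter the byte that feeds the last plaintext byte (the padding byte)
    # and collect the set of distinct receiver responses.
    full = bytearray(iv + c)
    pos = len(full) - BLOCK - 1
    orig = full[pos]
    seen = set()
    for v in range(256):
        if v == orig:
            continue
        full[pos] = v
        seen.add(receive(key, mac_key, bytes(full[:BLOCK]), bytes(full[BLOCK:]), tag))
    return seen


def demo():
    key, mac_key = b"k" * 16, b"m" * 16      # constructed demo keys
    iv, data = bytes(range(BLOCK)), b"hello"  # constructed demo IV and message
    # Weak design: tag inside the plaintext, padding checked before the tag.
    m = data + hmac.new(mac_key, data, hashlib.sha256).digest()
    c1 = cbc_encrypt(key, iv, pad(m))
    leaky = probe(leaky_receive, key, mac_key, iv, c1, None)
    # Fixed design: tag over IV||ciphertext, verified first.
    c2 = cbc_encrypt(key, iv, pad(data))
    tag = hmac.new(mac_key, iv + c2, hashlib.sha256).digest()
    hardened = probe(hardened_receive, key, mac_key, iv, c2, tag)
    return leaky, hardened


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the leaky receiver answering with two different messages depending on whether the altered block still decrypts to a well-formed padding, while the hardened receiver answers with a single message for every alteration. The same observation applies to timing: if the hardened receiver only ran the padding check after a successful MAC, the format check is never reached for tampered input, so it has nothing to leak.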


Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Serge Vaudenay, Swiss Federal Institute of Technology (EPFL), Switzerland
