Immunising CBC Mode Against Padding Oracle Attacks: A Formal Security Treatment

  • Kenneth G. Paterson
  • Gaven J. Watson
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5229)


Padding oracle attacks against CBC mode encryption were introduced by Vaudenay. They are a powerful class of side-channel, plaintext recovering attacks which have been shown to work in practice against CBC mode when it is implemented in specific ways in software. In particular, padding oracle attacks have been demonstrated for certain implementations of SSL/TLS and IPsec. In this paper, we extend the theory of provable security for symmetric encryption to incorporate padding oracle attacks. We develop new security models and proofs for CBC mode (with padding) in the chosen-plaintext setting. These models show how to select padding schemes which provably provide a strong security notion (indistinguishability of encryptions) in the face of padding oracle attacks. We also show that an existing padding method, OZ-PAD, that is recommended for use with CBC mode in ISO/IEC 10116:2006, provably resists Vaudenay’s original attack, even though it does not attain our indistinguishability notion.


Block Cipher Symmetric Encryption Oracle Query Challenge Ciphertext Decryption Oracle 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: Proceedings of 38th Annual Symposium on Foundations of Computer Science (FOCS 1997), pp. 394–403. IEEE, Los Alamitos (1997)CrossRefGoogle Scholar
  2. 2.
    Bellare, M., Kohno, T., Namprempre, C.: Breaking and provably repairing the ssh authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and Systems Security 7, 206–241 (2004)CrossRefGoogle Scholar
  3. 3.
    Black, J., Urtubia, H.: Side-channel attacks on symmetric encryption schemes: The case for authenticated encryption. In: Proceedings of the 11th USENIX Security Symposium, San Francisco, CA, USA, August 5-9, 2002, pp. 327–338 (2002)Google Scholar
  4. 4.
    Boldyreva, A., Kumar, V.: Provable-security analysis of authenticated encryption in kerberos. In: IEEE Symposium on Security and Privacy, pp. 92–100. IEEE Computer Society, Los Alamitos (2007)CrossRefGoogle Scholar
  5. 5.
    Canvel, B., Hiltgen, A.P., Vaudenay, S., Vuagnoux, M.: Password interception in a SSL/TLS channel. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 583–599. Springer, Heidelberg (2003)Google Scholar
  6. 6.
    Degabriele, J.P., Paterson, K.G.: Attacking the IPsec standards in encryption-only configurations. In: IEEE Symposium on Security and Privacy, pp. 335–349. IEEE Computer Society, Los Alamitos (2007)CrossRefGoogle Scholar
  7. 7.
    Kent, S.: IP encapsulating security payload (ESP). RFC 4303 (December 2005)Google Scholar
  8. 8.
    Krawczyk, H.: The order of encryption and authentication for protecting communications (or: How secure is SSL?). In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 310–331. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  9. 9.
    Mitchell, C.J.: Error oracle attacks on CBC mode: Is there a future for CBC mode encryption? In: Zhou, J., López, J., Deng, R.H., Bao, F. (eds.) ISC 2005. LNCS, vol. 3650, pp. 244–258. Springer, Heidelberg (2005)Google Scholar
  10. 10.
    Paterson, K.G., Yau, A.K.L.: Padding oracle attacks on the ISO CBC mode encryption standard. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 305–323. Springer, Heidelberg (2004)Google Scholar
  11. 11.
    Vaudenay, S.: Security flaws induced by CBC padding – applications to SSL, IPSEC, WTLS. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 534–546. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  12. 12.
    Yau, A.K.L., Paterson, K.G., Mitchell, C.J.: Padding oracle attacks on CBC-mode encryption with secret and random IVs. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 299–319. Springer, Heidelberg (2005)Google Scholar
  13. 13.
    Zhou, Y., Feng, D.: Side-channel attacks: Ten years after its publication and the impacts on cryptographic module security testing. Cryptology ePrint Archive, Report 2005/388 (2005),

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Kenneth G. Paterson
    • 1
  • Gaven J. Watson
    • 1
  1. 1.Information Security GroupRoyal Holloway, University of LondonEghamU.K.

Personalised recommendations