Presentation is loading. Please wait.

Presentation is loading. Please wait.

Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format

Published bySydney Eldredge Modified over 9 years ago

Similar presentations

Presentation on theme: "Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format"— Presentation transcript:

1 Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format
Vlastimil Klíma 1 and Tomáš Rosa 1,2 {vlastimil.klima, 1 ICZ a.s., 2 Czech Technical University in Prague Security and Protection of Information 2003, 2nd International Scientific Conference, NATO PfP/PWP – CATE, Brno, Czech Republic,

2 Preliminaries Side channel attacks use side information from the system to unveil some secret information The CBC mode of a block cipher with the combination of well-known PKCS#5 padding method is de facto standard CBC usage In the presentation we will assume n-byte block cipher (for the simplicity let n = 8) PKCS#5 padding: [data....] bb...b b bytes of the value b are padded, where b is the number of padded bytes C1 B2 01 A5 FE A is a valid block C1 B2 01 A5 FE A is an invalid block

3 Valid-Padding Oracle

4 Vaudenay's attack The first side channel attack based on a valid-padding oracle in the CBC mode was described by Serge Vaudenay at Eurocrypt 2002. He showed that it is possible to use it to decipher any captured ciphertext. It is very efficient, its complexity is about 128*(#bytes of the ciphertext). The valid-padding oracle is based on the fact that there exist valid and invalid padding strings.

5 ABYT-PAD - arbitrary byte tail padding -
Black and Urtubia at 11th USENIX Security Symposium (2002) proposed the ABYT-PAD padding scheme, where all padding strings are valid. It thwarts the original Vaudenay´s attack. [data....d] bb...b, b≠d ABYT-PAD: The bytes of the same value b are padded to a multiple of n bytes, but the value b can be arbitrary. It only has to be different from the last data byte d. The rule for removing the padding string is: discard all the same bytes from the end, no matter of their value. C1 B2 01 A5 FE A is a valid block C1 B2 01 A5 FE A is also a valid block Note that theoretically, it is possible to pad more then n bytes (one block) and that our attack works in this case too.

6 Using ABYT-PAD padding
Motivation: When the new padding scheme is that good, what about using it in PKCS#7 instead of PKCS#5 padding? PKCS#7 describes the general syntax for cryptographically protected data, e.g. data which is encrypted, digitally signed, etc.

7 PKCS#7 ver. 1.6 with ABYT-PAD instead of PKCS#5
PKCS#7 has its own syntax. We will work with an encrypted message, stored in the structure "enveloped data" IV and a symmetric encryption key are generated randomly, the key is then encrypted by a PKC and also encapsulated in the structure "enveloped data" A data being encrypted is at first encoded (formatted) according to ASN.1. It creates the message M = (type-octets, length-octets, data-octets) M is (ABYT-PAD) padded and the plaintext P = (M, padding) is then encrypted in the CBC mode The ciphertext C and IV are then placed into the structure "enveloped data" Note: assume there is usual type octet 0x04 (OCTET STRING), one octet length L and maximally n bytes of padding.

8 The decryption process defines a "PKCS#7 Confirmation Oracle"
Extract the ciphertext C = (IV, CT) from the PKCS#7 structure "enveloped data". Decipher C to a plaintext P. Remove the padding from the plaintext P. The result is a message M. Parse M according to PKCS#7 syntax: Check the type-octet of M (0x04). If it is not correct, an error has occurred. Check the length-octet of M (L). L must be equal to the length of the remaining part of M. If it is not, an error has occurred. If the two previous checks are successful, it is OK, otherwise something is BAD. Most of applications will tell OK/BAD to the attacker due to their error messages or a behaviour. We define the oracle O(C)= ANSWER OK/BAD according to the procedure described above

9 The main result of our paper
Using a PKCS#7 confirmation oracle, we are able to decrypt the original plaintext The complexity of the attack is roughly 128*(#bytes of the original plaintext) Attack scenario: The attacker intercepts a valid ciphertext C = (IV, CT1, CT2, ... CTs), s  1 Then she creates her own ciphertexts C* and on the base of oracle answers she deciphers the corresponding plaintext (P1, P2, ... Ps) We will show that she is able to compute X = DK(Y) for an arbitrary chosen ciphertext block Y, implying that she is able to decrypt C.

10 Description of the attack - Computing X = DK(Y) -
Preparation phase: finding out the length (L) Computing X = DK(Y) leaving one byte of uncertainty – we obtain the set of equations X1  T1 = X2  T2 = ... = Xn  Tn = A, with known Ti and unknown A Determining the remaining byte (A) of uncertainty

11 The first phase: determining of the length L
 1  1

12 Computing X = DK(Y) leaving one byte of uncertainty

13 Determining the remaining byte of uncertainty (A)

14 Conclusions The complexity of the attack is given mainly by second step – the average of oracle calls is 128 per one ciphertext byte. ABYT-PAD padding scheme thwarts the Vaudenay´s attack. We showed that even using this "perfect" padding scheme, we cannot fully remove side channel attacks in the CBC mode. Our recommendation is to use strong cryptographic check of the ciphertext.

15 Further work & ideas Recall the basic properties of CBC
Changes in the block Ci propagates linearly and deterministically to changes of the plaintext block Pi+1, no matter how strong the cipher is It has good self synchronization properties – an effect of a corruption of i-th block vanishes starting by block (i+2)

16 Further work & ideas Basing on the basic properties of CBC
Processing of formatted data creates vital side channels with respect to the CBC mode Practically speaking Highly structured data format without strong authentication of ciphertexts may turn to be vulnerable Example: S/MIME, various proprietary Type-Length-Value formats, etc.

17 Finally we’d like to stress
Elaborated problems with the CBC mode are quite obviously not only “stories of proper padding methods” In other words: “Padding was just a beginning...”

Download ppt "Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format"

Similar presentations

Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.

Xiutao Feng Institute of Software Chinese Academy of Sciences A Byte-Based Guess and Determine Attack on SOSEMANUK.
Modern Symmetric-Key Ciphers

Modern Symmetric-Key Ciphers
Modern Symmetric-Key Ciphers

Modern Symmetric-Key Ciphers
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
About a new generation of block ciphers and hash functions - DN and HDN Vlastimil Klíma Independent consultant

About a new generation of block ciphers and hash functions - DN and HDN Vlastimil Klíma Independent consultant
1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.

1 Lecture 3: Secret Key Cryptography Outline concepts DES IDEA AES.
1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.

1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.
WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.

Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.

Akelarre 1 Akelarre Akelarre 2 Akelarre  Block cipher  Combines features of 2 strong ciphers o IDEA — “mixed mode” arithmetic o RC5 — keyed rotations.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.
Intro To Encryption Exercise 1. Monoalphabetic Ciphers Examples:  Caesar Cipher  At Bash  PigPen (Will be demonstrated)  …

Intro To Encryption Exercise 1. Monoalphabetic Ciphers Examples:  Caesar Cipher  At Bash  PigPen (Will be demonstrated)  …

Similar presentations

Ads by Google