Presentation is loading. Please wait.

Presentation is loading. Please wait.

Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format

Similar presentations

Presentation on theme: "Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format"— Presentation transcript:

1 Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format
Vlastimil Klíma 1 and Tomáš Rosa 1,2 {vlastimil.klima, 1 ICZ a.s., 2 Czech Technical University in Prague Security and Protection of Information 2003, 2nd International Scientific Conference, NATO PfP/PWP – CATE, Brno, Czech Republic,

2 Preliminaries Side channel attacks use side information from the system to unveil some secret information The CBC mode of a block cipher with the combination of well-known PKCS#5 padding method is de facto standard CBC usage In the presentation we will assume n-byte block cipher (for the simplicity let n = 8) PKCS#5 padding: [data....] bb...b b bytes of the value b are padded, where b is the number of padded bytes C1 B2 01 A5 FE A is a valid block C1 B2 01 A5 FE A is an invalid block

3 Valid-Padding Oracle

4 Vaudenay's attack The first side channel attack based on a valid-padding oracle in the CBC mode was described by Serge Vaudenay at Eurocrypt 2002. He showed that it is possible to use it to decipher any captured ciphertext. It is very efficient, its complexity is about 128*(#bytes of the ciphertext). The valid-padding oracle is based on the fact that there exist valid and invalid padding strings.

5 ABYT-PAD - arbitrary byte tail padding -
Black and Urtubia at 11th USENIX Security Symposium (2002) proposed the ABYT-PAD padding scheme, where all padding strings are valid. It thwarts the original Vaudenay´s attack. [data....d] bb...b, b≠d ABYT-PAD: The bytes of the same value b are padded to a multiple of n bytes, but the value b can be arbitrary. It only has to be different from the last data byte d. The rule for removing the padding string is: discard all the same bytes from the end, no matter of their value. C1 B2 01 A5 FE A is a valid block C1 B2 01 A5 FE A is also a valid block Note that theoretically, it is possible to pad more then n bytes (one block) and that our attack works in this case too.

6 Using ABYT-PAD padding
Motivation: When the new padding scheme is that good, what about using it in PKCS#7 instead of PKCS#5 padding? PKCS#7 describes the general syntax for cryptographically protected data, e.g. data which is encrypted, digitally signed, etc.

7 PKCS#7 ver. 1.6 with ABYT-PAD instead of PKCS#5
PKCS#7 has its own syntax. We will work with an encrypted message, stored in the structure "enveloped data" IV and a symmetric encryption key are generated randomly, the key is then encrypted by a PKC and also encapsulated in the structure "enveloped data" A data being encrypted is at first encoded (formatted) according to ASN.1. It creates the message M = (type-octets, length-octets, data-octets) M is (ABYT-PAD) padded and the plaintext P = (M, padding) is then encrypted in the CBC mode The ciphertext C and IV are then placed into the structure "enveloped data" Note: assume there is usual type octet 0x04 (OCTET STRING), one octet length L and maximally n bytes of padding.

8 The decryption process defines a "PKCS#7 Confirmation Oracle"
Extract the ciphertext C = (IV, CT) from the PKCS#7 structure "enveloped data". Decipher C to a plaintext P. Remove the padding from the plaintext P. The result is a message M. Parse M according to PKCS#7 syntax: Check the type-octet of M (0x04). If it is not correct, an error has occurred. Check the length-octet of M (L). L must be equal to the length of the remaining part of M. If it is not, an error has occurred. If the two previous checks are successful, it is OK, otherwise something is BAD. Most of applications will tell OK/BAD to the attacker due to their error messages or a behaviour. We define the oracle O(C)= ANSWER OK/BAD according to the procedure described above

9 The main result of our paper
Using a PKCS#7 confirmation oracle, we are able to decrypt the original plaintext The complexity of the attack is roughly 128*(#bytes of the original plaintext) Attack scenario: The attacker intercepts a valid ciphertext C = (IV, CT1, CT2, ... CTs), s  1 Then she creates her own ciphertexts C* and on the base of oracle answers she deciphers the corresponding plaintext (P1, P2, ... Ps) We will show that she is able to compute X = DK(Y) for an arbitrary chosen ciphertext block Y, implying that she is able to decrypt C.

10 Description of the attack - Computing X = DK(Y) -
Preparation phase: finding out the length (L) Computing X = DK(Y) leaving one byte of uncertainty – we obtain the set of equations X1  T1 = X2  T2 = ... = Xn  Tn = A, with known Ti and unknown A Determining the remaining byte (A) of uncertainty

11 The first phase: determining of the length L
 1  1

12 Computing X = DK(Y) leaving one byte of uncertainty

13 Determining the remaining byte of uncertainty (A)

14 Conclusions The complexity of the attack is given mainly by second step – the average of oracle calls is 128 per one ciphertext byte. ABYT-PAD padding scheme thwarts the Vaudenay´s attack. We showed that even using this "perfect" padding scheme, we cannot fully remove side channel attacks in the CBC mode. Our recommendation is to use strong cryptographic check of the ciphertext.

15 Further work & ideas Recall the basic properties of CBC
Changes in the block Ci propagates linearly and deterministically to changes of the plaintext block Pi+1, no matter how strong the cipher is It has good self synchronization properties – an effect of a corruption of i-th block vanishes starting by block (i+2)

16 Further work & ideas Basing on the basic properties of CBC
Processing of formatted data creates vital side channels with respect to the CBC mode Practically speaking Highly structured data format without strong authentication of ciphertexts may turn to be vulnerable Example: S/MIME, various proprietary Type-Length-Value formats, etc.

17 Finally we’d like to stress
Elaborated problems with the CBC mode are quite obviously not only “stories of proper padding methods” In other words: “Padding was just a beginning...”

Download ppt "Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format"

Similar presentations

Ads by Google