SwissFederalInstituteofThnology(EPFL)Inmanystandards,e.g.SSL/TLS,IPSEC - PDF document

SwissFederalInstituteofThnology(EPFL)Inmanystandards,e.g.SSL/TLS,IPSEC,WTLS,messagesarerstpre-formatted,thenencryptedinCBCmodewithablockcipher. oftheisthebloc;:::;y;yitmakessensetoassumethatthereceiverofanencryptedmessagerstdecryptsinCBCmode,andnallyremoesit.Thequestionis:houstthereceiverbehanon-processioninformation.ThisbloccorrespondingaccordingtotheabomodeldelandofMangeragainstPKCS#1v2.0[8].Thispapersimilarattacinthepaperpropertiesmode.describeaboutaboutpossibleCBCmodebyadoubleCBCmode,theHCBCmodeorothermodeshareinastandardprocessrunbNIST.Wefurtherproposeadoesanewpaddingscnallyconclude.eralsecuritypropertiesoftheCBCmodearealreadywellknothinkitisusefultorecallthem.canreplaceaciphertextblockwithoutalteringmostoftheplainblocmodiesblocblock,insertasequenceofblocksbycopyandpaste,...Manipulationblocmodicationincorrespondingbloc yalsohassecurity aws.Ob,whenusingaxedblocksequencelookingatbloconecandeducefromEq.(1)thatecanthennegligible:sinceblocblocksoutofareequalisgivenbthebirthdayparado isthenberofpossiblewords.Theattackisecientwhen =256,aboutofsuccessforthisleaksinformationon16BytesmodecodeblocellknotohaofthreewithanblocblocwCBC-MAC,butthisnewschemehaestillattacksofcomplexit )2TheAttackLetbbetheblocklengthinwords,andbethenberofpossibleandthatallinbet1andbiguouslybeencodedinorderesaythatablocksequence;:::;xhasacorrectpaddingifthelastblocendswithawordstringofordsequalto ...Givabloc;:::;ydeneanoraclehyields1ifthedecryptioninCBCmodehasacorrectpadding.DecryptionistotallydenedbyablockencryptionandIV.isthAnattacerwhichaccessestocaneasilyimplementthisoracle22-blockoraclecallsona(Orasingleone,butwithaprobabilityofsucces;:::;r:::rbloc)=1,thenendswithavalidpadding.Inthiscase,)=0,sameoneisnottotryOddcasesarewhenthevalidpaddingfoundisnot.Thisiseasytodetect:::r)=1,longerone.Wecansimilarlycifitwysending:::rBloc\bloc:::aiterateuntilwwholesequence.;:::;r+2)j;:::;b:::r blocseconddecryptedblockisduetoEq.(1),sowehaemadesurethatthelast+1wordsareallequalto+2.If)=1,areth+2fromwhic.Whenisrandom,thereisaprobabilityofoccurs.2trialsonoccur.Sincethereareordsperblock,weneedbW=2trialsonaerageintoimplementthettodecryptanymessage;:::;ywiththehelpofItcanbedonewithNbW=22-blockoraclecallsonaerage.Wejustetocalltheblockdecryptionoracleoneachblocandperformcannotdecrypttherstblock.Wecanhoergettherstplainblockuptoanunknot.Inparticular,iftomessagesareblocNbW-blocecanimplementamoreexoticoraclewhichhasthenicepropert;:::;ybloc:::w:::wpostxofthe;:::;y:::r:::r:::wpostxoddhoccurswithprobabilitandwhichcanberuledoutwithoraclecall).Otherwiseitisnotpostxforsure. ,onepossibilityistoperformtheaboeprocesssevtimes.Butthiswillusemorethanonce.Asitwillbenoticed,sometallowtolongerthan(namelyat1),sowecangeneralizethepreviousoracleandckpost-xswithinasingleoraclecall.ThiswillbeusedagainstSSL/TLSinSection4.1.4.1.,pp.190{191],aslightlydierenproposed:onlythelastwisequaltothepaddinglength,andallinsteadofnn:::nasimilarattacIPEncapsulatingSecurityload(ESP)[7]usesanotherslightpadding:thepaddedsequenceisinsteadofnn:::nsimilarattacproposeblocitisunlikelythatthelastencryptedblocksareequal,butinthecasepaddinglengthwhenareequal.qual.usestheCBC-PADschemewithW=256whenblocbeingTheonlydierenceisthatthepaddinglengthisnotnecessarilylessbutcanlonger(butlessinordertohidethereallengthoftheplaintext.WecanthusexpecttouseaTLSservpaddingformaterror(theerror)isafatalalertandthesessionmustabort.Theattacerthusneedstostopassoonoracleoutputs ertheoraclewilloutput1withaprobabilit.There-aprobabilityofsuccesspostxoraclecall.itself.Wecaneasilyfrustratethisfeaturebyimplementinga\lengthciphertextbloc,andwesendtotheserverwheretherighisset1andrandom.Acceptancemeansthattherightlengthiswithprobabilityatleast1notthetlengthforsure.betabolookblocblocwithprobabilityatleast1.Rejectionmeansthatthepaddinglengthisatleastforsure.IPSEC[6]canuseCBC-PAD.Defaultpaddingschemeissimilar,asspeciedecied].Standardsclearlymentionthatthepaddingshouldbechecked,butthestandardbehasimplymeansprocessedtonondardrules.Itisreasonnabletoassumethatthelackofactivityoftheerinthiscase,ortheactivityoftheauditor,canbecontoonebitofinformation.SoourattacWTLS[1](whichistheSSLvtforWAP)perfectlyimplementheoracleinclear.Ac- protocolsberandtoaoidbreakingthem.Soseldomerrorsarefatalalerts.Someberprotocolsprotocol,proposeblocmodes(moduloencryptbeforestartingtheencryption.Whentheplaintextisawstream,thisassumptionisnotusuallysatised.ThereforewebelievthatthisnotsatisfactoryModeAnotherpossibilityconsistsofreplacingtheCBCmodebyadouble;:::;ymode).Wcallitthemode.isthe(1)thciphertextblocisthethciphertextblock,andblocblocnothingbutsameattacwithatripleCBCmode... ModelookmodeoperationtheCBCmode:beingabletoencryptastreamwithoutknowingthetotallength,withouthavingtokeepanexpandingmemory,...In[3],elladaptedfortheseofthemode.proposedmodeagainstchosenplaintextattacks.TheideaconsistsinreplacingEq.(1)partofthesecretkorinstanceonecanproposeinGFisapartofthetheH(x)H(b)=c]1=(Wb1)foranycifK1isuniformlydistributed,thusHisXdoeseproposed.Forinstancewecannoticethatifwegetsevmessageswithaxed,thenwededucethatendswithavalidpaddingforanunknownbutxed.Hence)islikelytoendwiththewordzero.Sincethisisthelastwfromsevi;j)pairs.WiththewledgeofecanthenadapttheattackagainsttherawCBC.doesthatwproposed.ModesOperationprocessmodesoperationNISTalsocontainsproblematicproposals.eraloftheproposalscanbegeneralizedasfollows.TheCBCmodeismodiedinordertoeaXORbeforeandaftertheblockcipherencryption,depending http://csrc.nist.gov/encryption/modes/ blocbloc(1)bx;yx;yx;yx;ydepend;:::;x;:::;yisnotpublic.)Assumingthatanattacerknowsseveral()plain)forsomegiv,shecansubmitsomemeanthatthebloc)endswithavalidpadding.tmostwmanipulationscanalsobeperformed.DoesOnecanproposetoaddacryptographiccableredundancycodeofthewholepaddedmessage(likeahashedalue)intextandThiswyforgedciphertextwillhaanegligibleprobabilitytoalidciphertext.,attacagainstcimportanbeforeisththehashedvalue,thencthepaddingvalue.Inaluemustabortthepoor:ciphertextblockisnotwellreceived,thewholeciphertextisrejectedlossfromthe popularblocencryptionschemeintroduceanimportantsecurity aw.Correctnessoutfromtheunicationprotocol.ItconrmsthatsecurityanalysismustnotbelimitedtotheblocpublickehaedemonstratedthatthesituationofsymmetriccryptographisvirtuallytheJunodtheirexamination.AfterthisattacasreleazedattheRumpsessionofCRpeopleproparticularliketothankBodoMoller,AlainHiltgenandWboMao.ransportProtocolWTLS-20010406-a.WirelessApplicationProtocolForum,2001.R.Baldwin,R.Rivest.TheRC5,RC5-CBC,Rad,andRC5-CTSAlgo-rithmsRFC2040,1996.M.Bellare,A.Boldyreva,L.Knudsen,CNamprempre.OnlineCiphersandthebara,California,U.S.A.,LecturesNotesinComputerScience2139,pp.292{309,erlag,2001.ProtocolstaBarbara,California,U.S.A.,LecturesNotesinComputerScience1462,pp.1{12,Springer-Verlag,1998.T.Dierks,C.Allen.TheTLSProtocolersion1.0.RFC2246,standardtractheInternetSociet,1999.S.Kent,R.Atkinson.SecurityArchitecturefortheInternetProtocol.RFC2401,standardtracks,theInternetSociet,1998.S.Kent,R.Atkinson.IPEncapsulatingSecurityload(ESP).RFC2406,stan-dardtracks,theInternetSociet,1998. J.Manger.AChosenCiphertextAkonRSAOptimalAsymmetricEncryptionadding(OAEP)asStandardizedinPKCS#1v2.0.inCryptolo,SantaBarbara,California,U.S.A.,LecturesNotesinComputerSci-ence2139,pp.230{238,Springer-Verlag,2001.E.Petrank,C.Raco.CBCMACforReal-TimeDataSources.JournalofCryp-ol.13,pp.315{338,2000.B.ScdCrypto,2ndEdition,JohnWiley&Sons,1996.S.V.DecorrelationoerInniteDomains:theEncryptedCBC-MACCase.asinCryptoaterloo,Ontario,Canada,LecturesNotesinationsinInformationandSystemsol.1,pp.75{85,2001.