Side Channel Attacks on CBC Encrypted Messages in the PKCS - PowerPoint PPT Presentation

About This Presentation

Title: Side Channel Attacks on CBC Encrypted Messages in the PKCS

Description: Security and Protection of Information 2003, 2nd International Scientific ... padding oracle in the CBC mode was described by Serge Vaudenay at Eurocrypt 2002. ...

Slides: 18

1
Side Channel Attacks on CBC Encrypted Messages in
the PKCS7 Format
  • Vlastimil Klíma 1 and Tomáš Rosa 1,2
  • vlastimil.klima, tomas.rosa_at_i.cz
  • 1 ICZ a.s., 2 Czech Technical University in Prague

Security and Protection of Information 2003, 2nd
International Scientific Conference, NATO PfP/PWP
CATE, Brno, Czech Republic, 28.4.-30.4.2003
2
Preliminaries
  • Side channel attacks use side information from
    the system to unveil some secret information
  • The CBC mode of a block cipher combined with the
    well-known PKCS5 padding method is the de facto
    standard CBC usage
  • In the presentation we will assume an n-byte block
    cipher (for simplicity let n = 8)
  • PKCS5 padding
  • data... | b b ... b
  • b bytes of the value b are appended, where b is the
    number of padded bytes
  • C1 B2 01 A5 FE A1 02 02 is a valid block
  • C1 B2 01 A5 FE A1 01 02 is an invalid block

3
Valid-Padding Oracle
4
Vaudenay's attack
  • The first side channel attack based on a
    valid-padding oracle in the CBC mode was
    described by Serge Vaudenay at Eurocrypt 2002.
  • He showed that it is possible to use it to
    decipher any captured ciphertext.
  • It is very efficient: its complexity is about
    128 × (number of bytes of the ciphertext) oracle
    calls.
  • The valid-padding oracle is based on the fact
    that there exist valid and invalid padding
    strings.

5
ABYT-PAD (arbitrary byte tail padding)
  • Black and Urtubia at the 11th USENIX Security
    Symposium (2002) proposed the ABYT-PAD padding
    scheme, where all padding strings are valid.
  • It thwarts the original Vaudenay's attack.
  • data...d | b b...b, b ≠ d
  • ABYT-PAD: bytes of the same value b are
    padded to a multiple of n bytes, but the value b
    can be arbitrary. It only has to be different
    from the last data byte d.
  • The rule for removing the padding string is:
    discard all the same bytes from the end, regardless
    of their value.
  • C1 B2 01 A5 FE A1 02 02 is a valid block
  • C1 B2 01 A5 FE A1 01 02 is also a valid
    block
  • Note that theoretically it is possible to pad
    more than n bytes (one block), and that our attack
    works in this case too.
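Both padding schemes from slides 2 and 5 side by side, as an added example that is not code from the slides or the paper. It assumes n = 8 as the slides do; the pad/unpad function names and the `classify` helper are chosen here. The two 8-byte blocks quoted on the slides are the sample input: under PKCS5 one of them is invalid, under ABYT-PAD both parse.

```python
# Added example, not from the Klíma/Rosa slides: PKCS#5 and ABYT-PAD padding
# side by side, applied to the two 8-byte blocks quoted on slides 2 and 5.
# The block size n = 8 is the slides' assumption; `classify` is a helper
# name chosen here.
N = 8

def pkcs5_pad(data, n=N):
    """Append b bytes of value b so that the result is a multiple of n bytes."""
    b = n - (len(data) % n)
    return data + bytes([b]) * b

def pkcs5_unpad(padded, n=N):
    """Return the data, or None when the padding string is invalid. Invalid
    strings exist (last byte 0, last byte > n, or the last b bytes not all
    equal to b), which is what a valid-padding oracle reveals."""
    if not padded or len(padded) % n:
        return None
    b = padded[-1]
    if b < 1 or b > n or padded[-b:] != bytes([b]) * b:
        return None
    return padded[:-b]

def abyt_pad(data, n=N, b=None):
    """ABYT-PAD: append 1..n copies of a byte b that differs from the last data
    byte d; b is arbitrary, here d ^ 0xFF unless the caller picks one."""
    d = data[-1] if data else 0x00
    if b is None:
        b = d ^ 0xFF
    if b == d:
        raise ValueError("pad byte must differ from the last data byte")
    return data + bytes([b]) * (n - (len(data) % n))

def abyt_unpad(padded):
    """Discard every trailing byte equal to the last byte, whatever its value.
    Every byte string parses, so there is no 'invalid padding' answer to leak."""
    return padded.rstrip(padded[-1:]) if padded else padded

def classify(block):
    """Data recovered from one padded block under each scheme (None = invalid)."""
    return {"pkcs5": pkcs5_unpad(block), "abyt_pad": abyt_unpad(block)}
```

`classify(bytes.fromhex("C1B201A5FEA10102"))` returns `None` for PKCS5 and six data bytes plus `01` for ABYT-PAD: the second scheme has no rejection path for the unpadding step to expose, which is the whole point of slide 5, and the reason the rest of the talk has to look elsewhere for the oracle.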

6
Using ABYT-PAD padding
  • Motivation: when the new padding scheme is that
    good, what about using it in PKCS7 instead of
    PKCS5 padding?
  • PKCS7 describes the general syntax for
    cryptographically protected data, e.g. data which
    is encrypted, digitally signed, etc.

7
PKCS7 ver. 1.6 with ABYT-PAD instead of PKCS5
  • PKCS7 has its own syntax. We will work with an
    encrypted message, stored in the structure
    "enveloped data"
  • The IV and a symmetric encryption key are generated
    randomly; the key is then encrypted by a PKC and
    also encapsulated in the structure "enveloped
    data"
  • The data being encrypted is first encoded
    (formatted) according to ASN.1. This creates the
    message M = (type-octets, length-octets,
    data-octets)
  • M is (ABYT-PAD) padded and the plaintext P = (M,
    padding) is then encrypted in the CBC mode
  • The ciphertext C and the IV are then placed into the
    structure "enveloped data"
  • Note: assume the usual type octet 0x04
    (OCTET STRING), a one-octet length L and at most
    n bytes of padding.

8
The decryption process defines a "PKCS7
Confirmation Oracle"
  • Extract the ciphertext C = (IV, CT) from the
    PKCS7 structure "enveloped data".
  • Decipher C to a plaintext P.
  • Remove the padding from the plaintext P. The
    result is a message M.
  • Parse M according to the PKCS7 syntax.
  • Check the type-octet of M (0x04). If it is not
    correct, an error has occurred.
  • Check the length-octet of M (L). L must be equal
    to the length of the remaining part of M. If it
    is not, an error has occurred.
  • If the two previous checks succeed, the result is
    OK, otherwise it is BAD. Most applications reveal
    OK/BAD to the attacker through their error
    messages or their behaviour.
  • We define the oracle O(C) = ANSWER ∈ {OK, BAD}
    according to the procedure described above

9
The main result of our paper
  • Using a PKCS7 confirmation oracle, we are able
    to decrypt the original plaintext
  • The complexity of the attack is roughly
    128 × (number of bytes of the original plaintext)
    oracle calls
  • Attack scenario:
  • The attacker intercepts a valid ciphertext C =
    (IV, CT1, CT2, ..., CTs), s ≥ 1
  • Then she creates her own ciphertexts C and, based
    on the oracle answers, she deciphers the
    corresponding plaintext (P1, P2, ..., Ps)
  • We will show that she is able to compute X =
    DK(Y) for an arbitrarily chosen ciphertext block Y,
    implying that she is able to decrypt C.

10
Description of the attack: computing X = DK(Y)
  • Preparation phase: finding out the length (L)
  • Computing X = DK(Y) leaving one byte of
    uncertainty: we obtain the set of equations
    X1 ⊕ T1 = X2 ⊕ T2 = ... = Xn ⊕ Tn = A, with known Ti
    and unknown A
  • Determining the remaining byte (A) of uncertainty

11
The first phase: determining the length L
12
Computing X = DK(Y) leaving one byte of
uncertainty
13
Determining the remaining byte of uncertainty (A)
14
Conclusions
  • The complexity of the attack is given mainly by
    the second step: the average number of oracle
    calls is 128 per ciphertext byte.
  • The ABYT-PAD padding scheme thwarts Vaudenay's
    attack.
  • We showed that even using this "perfect" padding
    scheme, we cannot fully remove side channel
    attacks in the CBC mode.
  • Our recommendation is to use a strong cryptographic
    check of the ciphertext.

15
Further work ideas
  • Recall the basic properties of CBC:
  • Changes in the block Ci propagate linearly and
    deterministically to changes of the plaintext
    block Pi+1, no matter how strong the cipher is
  • It has good self-synchronization properties: the
    effect of a corruption of the i-th block vanishes
    starting from block (i+2)
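The decryption procedure of slide 8, the recommendation of slide 14 and the CBC properties of slide 15, in one added example that is not code from the slides, the paper or any PKCS7 implementation. It assumes: n = 8; an ASN.1 OCTET STRING with type octet 0x04 and a one-octet length L, as slide 7 notes; a 4-round Feistel network over SHA-256 as a stand-in block cipher (a toy chosen only so the example runs on the Python standard library, not a secure cipher); HMAC-SHA256 over IV||CT as the "strong cryptographic check", since the slides name no particular construction. All keys and data are constructed sample values and all function names are chosen here.

```python
# Added example; not code from the Klíma/Rosa slides or from any PKCS#7 library.
# It models slide 8's decryption procedure as the oracle O(C) -> OK/BAD, the
# "strong cryptographic check of the ciphertext" recommended on slide 14, and
# the CBC propagation property of slide 15. The 8-byte block cipher is a 4-round
# Feistel network over SHA-256: a stand-in so the example runs on the standard
# library only, not a secure cipher. Keys and data used with it are constructed.
import hashlib
import hmac
import os

N = 8  # block size in bytes, as the slides assume

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, r, half):  # Feistel round function: 4 bytes of SHA-256
    return hashlib.sha256(key + bytes([r]) + half).digest()[:4]

def toy_encrypt_block(key, block):
    left, right = block[:4], block[4:]
    for r in range(4):
        left, right = right, _xor(left, _f(key, r, right))
    return left + right

def toy_decrypt_block(key, block):
    left, right = block[:4], block[4:]
    for r in reversed(range(4)):
        left, right = _xor(right, _f(key, r, left)), left
    return left + right

def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), N):
        prev = toy_encrypt_block(key, _xor(plaintext[i:i + N], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ciphertext):
    out, prev = b"", iv
    for i in range(0, len(ciphertext), N):
        block = ciphertext[i:i + N]
        out += _xor(toy_decrypt_block(key, block), prev)  # P_i = D_K(C_i) xor C_(i-1)
        prev = block
    return out

def abyt_pad(data):  # ABYT-PAD: repeat a byte b that differs from the last data byte
    b = (data[-1] ^ 0xFF) if data else 0xFF
    return data + bytes([b]) * (N - len(data) % N)

def abyt_unpad(padded):  # strip all trailing bytes equal to the last one; never fails
    return padded.rstrip(padded[-1:]) if padded else padded

def encode_message(data):  # M = type octet 0x04 (OCTET STRING), one length octet L, data
    if len(data) > 127:
        raise ValueError("one-octet length L assumed, as on slide 7")
    return bytes([0x04, len(data)]) + data

def parse_message(m):  # the two checks of slide 8: type octet, then L == remaining length
    if len(m) < 2 or m[0] != 0x04:
        return "BAD"
    return "OK" if m[1] == len(m) - 2 else "BAD"

def envelope(key, data):  # (IV, CT) as slide 7 builds it: encode, ABYT-PAD, CBC-encrypt
    iv = os.urandom(N)
    return iv, cbc_encrypt(key, iv, abyt_pad(encode_message(data)))

def confirmation_oracle(key, iv, ct):
    # O(C) of slide 8: the answer is computed from whatever (IV, CT) arrives, so it
    # is a function of the decrypted structure of a ciphertext the sender did not make.
    if not ct or len(ct) % N:
        return "BAD"
    return parse_message(abyt_unpad(cbc_decrypt(key, iv, ct)))

def envelope_authenticated(enc_key, mac_key, data):  # adds a MAC tag over IV||CT
    iv, ct = envelope(enc_key, data)
    return iv, ct, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def authenticated_oracle(enc_key, mac_key, iv, ct, tag):
    # Slide 14's recommendation: verify the tag before decrypting. A modified
    # ciphertext gets one uniform answer and the structural checks never run on it.
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return "BAD"
    return confirmation_oracle(enc_key, iv, ct)

def corruption_footprint(key, iv, ct, block_index, bit):
    # Slide 15: flip one bit of ciphertext block block_index; return the indices of
    # plaintext blocks that change and the exact XOR difference in block index+1.
    tampered = bytearray(ct)
    tampered[block_index * N + bit // 8] ^= 1 << (bit % 8)
    before, after = cbc_decrypt(key, iv, ct), cbc_decrypt(key, iv, bytes(tampered))
    blocks = len(ct) // N
    changed = [i for i in range(blocks) if before[i*N:(i+1)*N] != after[i*N:(i+1)*N]]
    nxt = block_index + 1
    diff_next = _xor(before[nxt*N:(nxt+1)*N], after[nxt*N:(nxt+1)*N]) if nxt < blocks else None
    return changed, diff_next
```

`confirmation_oracle` answers OK or BAD for a modified ciphertext depending only on what the modified plaintext looks like after unpadding, which is the side channel the slides describe: the oracle is the application's own type and length checks, not the padding. `authenticated_oracle` answers BAD for every modification of IV or CT before any structure is examined, so the answer no longer depends on the plaintext; the application must also keep its error message and timing the same for a failed tag and any later failure, otherwise a new oracle appears in its place. `corruption_footprint` reports that flipping a bit in block i garbles P_i, flips exactly that bit in P_{i+1}, and leaves every later block untouched, which is the propagation and self-synchronization property of slide 15.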

16
Further work ideas
  • Based on the basic properties of CBC:
  • Processing of formatted data creates vital side
    channels with respect to the CBC mode
  • Practically speaking:
  • A highly structured data format without strong
    authentication of ciphertexts may turn out to be
    vulnerable
  • Examples: S/MIME, various proprietary
    Type-Length-Value formats, etc.

17
Finally, we'd like to stress
  • The problems elaborated here with the CBC mode are
    quite obviously not only stories of proper padding
    methods
  • In other words: padding was just the beginning...