Abstract
Padding oracle attacks against CBC mode encryption were introduced by Vaudenay. They are a powerful class of side-channel, plaintext recovering attacks which have been shown to work in practice against CBC mode when it is implemented in specific ways in software. In particular, padding oracle attacks have been demonstrated for certain implementations of SSL/TLS and IPsec. In this paper, we extend the theory of provable security for symmetric encryption to incorporate padding oracle attacks. We develop new security models and proofs for CBC mode (with padding) in the chosen-plaintext setting. These models show how to select padding schemes which provably provide a strong security notion (indistinguishability of encryptions) in the face of padding oracle attacks. We also show that an existing padding method, OZ-PAD, that is recommended for use with CBC mode in ISO/IEC 10116:2006, provably resists Vaudenay’s original attack, even though it does not attain our indistinguishability notion.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
Similar content being viewed by others
References
Bellare, M., Desai, A., Jokipii, E., Rogaway, P.: A concrete security treatment of symmetric encryption. In: Proceedings of 38th Annual Symposium on Foundations of Computer Science (FOCS 1997), pp. 394–403. IEEE, Los Alamitos (1997)
Bellare, M., Kohno, T., Namprempre, C.: Breaking and provably repairing the ssh authenticated encryption scheme: A case study of the encode-then-encrypt-and-MAC paradigm. ACM Transactions on Information and Systems Security 7, 206–241 (2004)
Black, J., Urtubia, H.: Side-channel attacks on symmetric encryption schemes: The case for authenticated encryption. In: Proceedings of the 11th USENIX Security Symposium, San Francisco, CA, USA, August 5-9, 2002, pp. 327–338 (2002)
Boldyreva, A., Kumar, V.: Provable-security analysis of authenticated encryption in kerberos. In: IEEE Symposium on Security and Privacy, pp. 92–100. IEEE Computer Society, Los Alamitos (2007)
Canvel, B., Hiltgen, A.P., Vaudenay, S., Vuagnoux, M.: Password interception in a SSL/TLS channel. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 583–599. Springer, Heidelberg (2003)
Degabriele, J.P., Paterson, K.G.: Attacking the IPsec standards in encryption-only configurations. In: IEEE Symposium on Security and Privacy, pp. 335–349. IEEE Computer Society, Los Alamitos (2007)
Kent, S.: IP encapsulating security payload (ESP). RFC 4303 (December 2005)
Krawczyk, H.: The order of encryption and authentication for protecting communications (or: How secure is SSL?). In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 310–331. Springer, Heidelberg (2001)
Mitchell, C.J.: Error oracle attacks on CBC mode: Is there a future for CBC mode encryption? In: Zhou, J., López, J., Deng, R.H., Bao, F. (eds.) ISC 2005. LNCS, vol. 3650, pp. 244–258. Springer, Heidelberg (2005)
Paterson, K.G., Yau, A.K.L.: Padding oracle attacks on the ISO CBC mode encryption standard. In: Okamoto, T. (ed.) CT-RSA 2004. LNCS, vol. 2964, pp. 305–323. Springer, Heidelberg (2004)
Vaudenay, S.: Security flaws induced by CBC padding – applications to SSL, IPSEC, WTLS. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 534–546. Springer, Heidelberg (2002)
Yau, A.K.L., Paterson, K.G., Mitchell, C.J.: Padding oracle attacks on CBC-mode encryption with secret and random IVs. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 299–319. Springer, Heidelberg (2005)
Zhou, Y., Feng, D.: Side-channel attacks: Ten years after its publication and the impacts on cryptographic module security testing. Cryptology ePrint Archive, Report 2005/388 (2005), http://eprint.iacr.org/
Author information
Authors and Affiliations
Editor information
Rights and permissions
Copyright information
© 2008 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Paterson, K.G., Watson, G.J. (2008). Immunising CBC Mode Against Padding Oracle Attacks: A Formal Security Treatment. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds) Security and Cryptography for Networks. SCN 2008. Lecture Notes in Computer Science, vol 5229. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-85855-3_23
Download citation
DOI: https://doi.org/10.1007/978-3-540-85855-3_23
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-85854-6
Online ISBN: 978-3-540-85855-3
eBook Packages: Computer ScienceComputer Science (R0)