
Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format

Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format. Vlastimil Klíma 1 and Tomáš Rosa 1,2 {vlastimil.klima, tomas.rosa}@i.cz 1 ICZ a.s., 2 Czech Technical University in Prague.





  1. Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format Vlastimil Klíma 1 and Tomáš Rosa 1,2 {vlastimil.klima, tomas.rosa}@i.cz 1 ICZ a.s., 2 Czech Technical University in Prague Security and Protection of Information 2003, 2nd International Scientific Conference, NATO PfP/PWP – CATE, Brno, Czech Republic, 28.4.-30.4.2003

  2. Preliminaries
  • Side channel attacks use side information from the system to unveil some secret information
  • The CBC mode of a block cipher combined with the well-known PKCS#5 padding method is the de facto standard CBC usage
  • In the presentation we will assume an n-byte block cipher (for simplicity let n = 8)
  • PKCS#5 padding: [data....] bb...b
  • b bytes of the value b are padded, where b is the number of padded bytes
  • C1 B2 01 A5 FE A1 02 02 is a valid block
  • C1 B2 01 A5 FE A1 01 02 is an invalid block

  3. Valid-Padding Oracle

  4. Vaudenay's attack
  • The first side channel attack based on a valid-padding oracle in the CBC mode was described by Serge Vaudenay at Eurocrypt 2002.
  • He showed that it is possible to use it to decipher any captured ciphertext.
  • It is very efficient; its complexity is about 128*(#bytes of the ciphertext).
  • The valid-padding oracle is based on the fact that there exist valid and invalid padding strings.

  5. ABYT-PAD (arbitrary byte tail padding)
  • Black and Urtubia at the 11th USENIX Security Symposium (2002) proposed the ABYT-PAD padding scheme, where all padding strings are valid.
  • It thwarts the original Vaudenay's attack.
  • [data....d] bb...b, b≠d
  • ABYT-PAD: bytes of the same value b are padded to a multiple of n bytes, but the value b can be arbitrary. It only has to be different from the last data byte d.
  • The rule for removing the padding string is: discard all identical bytes from the end, regardless of their value.
  • C1 B2 01 A5 FE A1 02 02 is a valid block
  • C1 B2 01 A5 FE A1 01 02 is also a valid block
  • Note that theoretically it is possible to pad more than n bytes (one block), and our attack works in this case too.
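The two padding rules of slides 2 and 5 applied to the two example blocks quoted there, as an added example that is not taken from the paper or the presentation. The pad-byte choice in abyt_pad (last data byte + 1) is one arbitrary valid choice; any value other than the last data byte would do.

```python
N = 8  # block size in bytes (slide 2 assumes n = 8)

def pkcs5_unpad(p: bytes):
    # PKCS#5: the last byte b says how many bytes, all equal to b, were appended.
    # Returns the data, or None when the padding string is invalid.
    b = p[-1]
    if b < 1 or b > N or p[-b:] != bytes([b]) * b:
        return None
    return p[:-b]

def abyt_pad(m: bytes) -> bytes:
    # ABYT-PAD: append 1..N copies of some byte b that differs from the last data byte.
    b = ((m[-1] if m else 0) + 1) & 0xFF  # arbitrary choice, just b != last data byte
    return m + bytes([b]) * (N - len(m) % N)

def abyt_unpad(p: bytes) -> bytes:
    # ABYT-PAD removal: discard every trailing byte equal to the last one,
    # regardless of its value, so every padding string is accepted.
    return p.rstrip(p[-1:])

# The two blocks from slides 2 and 5, copied here as sample input.
VALID_BLOCK = bytes.fromhex("C1B201A5FEA10202")
ODD_BLOCK = bytes.fromhex("C1B201A5FEA10102")
```

Under PKCS#5 the second block is rejected while ABYT-PAD accepts it and strips a single byte, which is exactly the difference the valid-padding oracle lives on.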

  6. Using ABYT-PAD padding
  • Motivation: When the new padding scheme is that good, what about using it in PKCS#7 instead of PKCS#5 padding?
  • PKCS#7 describes the general syntax for cryptographically protected data, e.g. data which is encrypted, digitally signed, etc.

  7. PKCS#7 ver. 1.6 with ABYT-PAD instead of PKCS#5
  • PKCS#7 has its own syntax. We will work with an encrypted message, stored in the structure "enveloped data"
  • The IV and a symmetric encryption key are generated randomly; the key is then encrypted by a PKC and also encapsulated in the structure "enveloped data"
  • The data being encrypted are first encoded (formatted) according to ASN.1. This creates the message M = (type-octets, length-octets, data-octets)
  • M is (ABYT-PAD) padded and the plaintext P = (M, padding) is then encrypted in the CBC mode
  • The ciphertext C and the IV are then placed into the structure "enveloped data"
  • Note: assume there is the usual type octet 0x04 (OCTET STRING), one length octet L and at most n bytes of padding.

  8. The decryption process defines a "PKCS#7 Confirmation Oracle"
  • Extract the ciphertext C = (IV, CT) from the PKCS#7 structure "enveloped data".
  • Decipher C to a plaintext P.
  • Remove the padding from the plaintext P. The result is a message M.
  • Parse M according to PKCS#7 syntax:
    • Check the type-octet of M (0x04). If it is not correct, an error has occurred.
    • Check the length-octet of M (L). L must be equal to the length of the remaining part of M. If it is not, an error has occurred.
  • If the two previous checks are successful, it is OK, otherwise something is BAD. Most applications will tell OK/BAD to the attacker through their error messages or behaviour.
  • We define the oracle O(C) = ANSWER OK/BAD according to the procedure described above

  9. The main result of our paper
  • Using a PKCS#7 confirmation oracle, we are able to decrypt the original plaintext
  • The complexity of the attack is roughly 128*(#bytes of the original plaintext)
  Attack scenario:
  • The attacker intercepts a valid ciphertext C = (IV, CT1, CT2, ... CTs), s ≥ 1
  • Then she creates her own ciphertexts C* and, based on the oracle answers, she deciphers the corresponding plaintext (P1, P2, ... Ps)
  • We will show that she is able to compute X = D_K(Y) for an arbitrarily chosen ciphertext block Y, implying that she is able to decrypt C.

  10. Description of the attack: computing X = D_K(Y)
  • Preparation phase: finding out the length (L)
  • Computing X = D_K(Y) leaving one byte of uncertainty – we obtain the set of equations X_1 ⊕ T_1 = X_2 ⊕ T_2 = ... = X_n ⊕ T_n = A, with known T_i and unknown A
  • Determining the remaining byte (A) of uncertainty

  11. The first phase: determining the length L

  12. Computing X = D_K(Y) leaving one byte of uncertainty

  13. Determining the remaining byte of uncertainty (A)

  14. Conclusions
  • The complexity of the attack is given mainly by the second step – the average number of oracle calls is 128 per ciphertext byte.
  • The ABYT-PAD padding scheme thwarts Vaudenay's attack.
  • We showed that even using this "perfect" padding scheme, we cannot fully remove side channel attacks in the CBC mode.
  • Our recommendation is to use a strong cryptographic check of the ciphertext.
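The confirmation oracle of slide 8 next to the strong ciphertext check recommended on slide 14, as an added example that is not part of the original paper or presentation. Assumptions: an 8-byte stand-in block cipher built here as a Feistel network over HMAC-SHA256 (the oracle, like the attack, does not depend on which block cipher is used), and encrypt-then-MAC with HMAC-SHA256 over (IV, CT) as the concrete form of the recommended check.

```python
import hmac, hashlib
N = 8  # block size in bytes (slide 2 assumes n = 8)

def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def _round(key, i, half):
    # Keyed round function of the stand-in cipher, truncated to a 4-byte half.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]

def block_encrypt(key, blk):
    # Constructed stand-in for E_K: a 4-round Feistel network (any n-byte cipher fits).
    l, r = blk[:4], blk[4:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:4], blk[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    prev, out = iv, b""
    for i in range(0, len(pt), N):
        prev = block_encrypt(key, _xor(pt[i:i + N], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    prev, out = iv, b""
    for i in range(0, len(ct), N):
        out += _xor(block_decrypt(key, ct[i:i + N]), prev)
        prev = ct[i:i + N]
    return out

def confirmation_oracle(key, iv, ct):
    # Slide 8: decrypt, strip ABYT-PAD, parse M = (0x04, L, data-octets), answer OK/BAD.
    m = cbc_decrypt(key, iv, ct)
    m = m.rstrip(m[-1:])
    return "OK" if len(m) >= 2 and m[0] == 0x04 and m[1] == len(m) - 2 else "BAD"

def mac_tag(mac_key, iv, ct):  # HMAC-SHA256 over (IV, CT): the "strong check"
    return hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
def authenticated_oracle(key, mac_key, iv, ct, tag):
    # Slide 14 recommendation, realised here as encrypt-then-MAC (our choice): a
    # modified (IV, CT) is rejected before padding or syntax is ever inspected.
    if not hmac.compare_digest(tag, mac_tag(mac_key, iv, ct)):
        return "BAD"
    return confirmation_oracle(key, iv, ct)
```

With the tag checked first, a tampered IV or ciphertext block is answered BAD for one uniform reason, so the OK/BAD answer no longer reveals anything about the type or length octets of the decrypted message.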

  15. Further work & ideas
  • Recall the basic properties of CBC
  • Changes in the block C_i propagate linearly and deterministically to changes of the plaintext block P_(i+1), no matter how strong the cipher is
  • It has good self-synchronization properties – the effect of a corruption of the i-th block vanishes from block (i+2) onwards

  16. Further work & ideas
  • Building on the basic properties of CBC
  • Processing of formatted data creates vital side channels with respect to the CBC mode
  • Practically speaking
  • Highly structured data formats without strong authentication of ciphertexts may turn out to be vulnerable
  • Example: S/MIME, various proprietary Type-Length-Value formats, etc.

  17. Finally we’d like to stress
  • The problems with the CBC mode elaborated here are quite obviously not only “stories of proper padding methods”
  • In other words: “Padding was just a beginning...”
