Error Oracle Attacks on CBC Mode: Is There a Future for CBC Mode Encryption?

This paper is primarily concerned with the CBC block cipher mode. The impact of recently proposed padding oracle attacks, together with other related attacks described in this paper, on the usability of this mode is considered. For applications where unauthenticated encryption is required, the use of CBC mode is compared with its major symmetric rival, namely the stream cipher. It is argued that, where possible, authenticated encryption should be used, and, where this is not possible, a stream cipher would appear to be a superior choice. This raises a major question mark over the future use of CBC mode, except as part of a more complex mode designed to provide authenticated encryption.
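The contrast the abstract draws, as an added example that is not from the paper: a receiver that decrypts unauthenticated CBC and reports padding failures, beside an encrypt-then-MAC receiver that verifies a tag before decrypting anything, so tampering produces one uniform rejection. The block cipher is a constructed toy Feistel permutation built on SHA-256 (not AES), and the keys, IV, message and function names are assumptions of this example.

```python
import hashlib
import hmac

BLOCK, TAG = 16, 32  # block size and HMAC-SHA256 tag length, in bytes
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def block_crypt(key, blk, decrypt=False):
    # Constructed 4-round Feistel permutation (SHA-256 round function), a stand-in for a real block cipher, not AES
    l, r = (blk[8:], blk[:8]) if decrypt else (blk[:8], blk[8:])
    for i in (range(3, -1, -1) if decrypt else range(4)):
        l, r = r, _xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:8])
    return r + l if decrypt else l + r
def pad(data):  # PKCS#7-style padding
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # the distinguishable failure that forms the oracle
    return data[:-n]
def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        out += (prev := block_crypt(key, _xor(pt[i:i + BLOCK], prev)))
    return out
def cbc_decrypt(key, iv, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(block_crypt(key, c, True), p) for c, p in zip(blocks, [iv] + blocks))
def plain_cbc_receive(key, iv, ct):
    # Unauthenticated CBC: the reaction depends on the decrypted bytes, which is the leak
    try:
        unpad(cbc_decrypt(key, iv, ct))
        return "accepted"
    except ValueError:
        return "padding error"
def etm_seal(enc_key, mac_key, iv, pt):
    ct = cbc_encrypt(enc_key, iv, pad(pt))
    return ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
def etm_receive(enc_key, mac_key, iv, sealed):
    # Encrypt-then-MAC: the tag is verified first, so the padding check never runs on forged input
    ct, tag = sealed[:-TAG], sealed[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()):
        return "rejected"
    unpad(cbc_decrypt(enc_key, iv, ct))
    return "accepted"
def reactions_to_tampering(receive, msg):
    # Replace the last byte of the first block with every other value and collect the receiver's distinct answers
    orig = msg[BLOCK - 1]
    return sorted({receive(msg[:BLOCK - 1] + bytes([v]) + msg[BLOCK:]) for v in range(256) if v != orig})
```

For a two-block message the unauthenticated receiver answers both "accepted" and "padding error" across the 255 tampered variants (whether a variant is accepted depends on the decrypted bytes), while the encrypt-then-MAC receiver answers "rejected" every time.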
