Authenticated-Encryption with Padding: A Formal Security Treatment

Vaudenay's padding oracle attacks are a powerful type of side-channel attack against systems using CBC mode encryption. They have been shown to work in practice against certain implementations of important secure network protocols, including IPsec and SSL/TLS. A formal security analysis of CBC mode in the context of padding oracle attacks in the chosen-plaintext setting was previously performed by the authors. In this paper, we consider the chosen-ciphertext setting, examining the question of how CBC mode encryption, padding, and an integrity protection mechanism should be combined in order to provably defeat padding oracle attacks. We introduce new security models for the chosen-ciphertext setting which we then use to formally analyse certain authenticated-encryption schemes, namely the three compositions: Pad-then-Encrypt-then-Authenticate (as used in particular configurations of IPsec), Pad-then-Authenticate-then-Encrypt, and Authenticate-then-Pad-then-Encrypt (as used in SSL/TLS).

[1]  Chris J. Mitchell,et al.  Error Oracle Attacks on CBC Mode: Is There a Future for CBC Mode Encryption? , 2005, ISC.

[2]  Kenneth G. Paterson,et al.  Attacking the IPsec Standards in Encryption-only Configurations , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[3]  Mihir Bellare,et al.  A concrete security treatment of symmetric encryption , 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[4]  Gerhard Goos,et al.  Fast Software Encryption , 2001, Lecture Notes in Computer Science.

[5]  Kenneth G. Paterson,et al.  Padding Oracle Attacks on CBC-Mode Encryption with Secret and Random IVs , 2005, FSE.

[6]  Aggelos Kiayias,et al.  Traitor Tracing with Constant Transmission Rate , 2002, EUROCRYPT.

[7]  Kenneth G. Paterson,et al.  Plaintext Recovery Attacks against SSH , 2009, 2009 30th IEEE Symposium on Security and Privacy.

[8]  Henri Gilbert,et al.  Advances in Cryptology - EUROCRYPT 2010, 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Monaco / French Riviera, May 30 - June 3, 2010. Proceedings , 2010, EUROCRYPT.

[9]  Gaven J. Watson Provable Security in Practice: Analysis of SSH and CBC mode with Padding , 2010 .

[10]  Dan Boneh,et al.  Advances in Cryptology - CRYPTO 2003 , 2003, Lecture Notes in Computer Science.

[11]  Aggelos Kiayias,et al.  Self Protecting Pirates and Black-Box Traitor Tracing , 2001, CRYPTO.

[12]  Kenneth G. Paterson,et al.  Immunising CBC Mode Against Padding Oracle Attacks: A Formal Security Treatment , 2008, SCN.

[13]  Serge Vaudenay,et al.  Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS , 2002, EUROCRYPT.

[14]  Thai Duong,et al.  Cryptography in the Web: The Case of Cryptographic Design Flaws in ASP.NET , 2011, 2011 IEEE Symposium on Security and Privacy.

[15]  Kenneth G. Paterson,et al.  Padding Oracle Attacks on the ISO CBC Mode Encryption Standard , 2004, CT-RSA.

[16]  Hugo Krawczyk,et al.  The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?) , 2001, CRYPTO.

[17]  John Black,et al.  Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption , 2002, USENIX Security Symposium.

[18]  Tatsuaki Okamoto,et al.  Advances in Cryptology — ASIACRYPT 2000 , 2000, Lecture Notes in Computer Science.

[19]  Kenneth G. Paterson,et al.  Plaintext-Dependent Decryption: A Formal Security Treatment of SSH-CTR , 2010, IACR Cryptol. ePrint Arch..

[20]  Serge Vaudenay,et al.  Password Interception in a SSL/TLS Channel , 2003, CRYPTO.

[21]  Kenneth G. Paterson,et al.  On the (in)security of IPsec in MAC-then-encrypt configurations , 2010, CCS '10.

[22]  Tim Dierks,et al.  The Transport Layer Security (TLS) Protocol Version 1.2 , 2008 .

[23]  Chanathip Namprempre,et al.  Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm , 2000, Journal of Cryptology.

[24]  Tatsuaki Okamoto Topics in Cryptology – CT-RSA 2004 , 2004, Lecture Notes in Computer Science.

[25]  Chanathip Namprempre,et al.  Breaking and provably repairing the SSH authenticated encryption scheme: A case study of the Encode-then-Encrypt-and-MAC paradigm , 2004, TSEC.