Immunising CBC Mode Against Padding Oracle Attacks: A Formal Security Treatment

Padding oracle attacks against CBC mode encryption were introduced by Vaudenay. They are a powerful class of side-channel, plaintext-recovering attacks which have been shown to work in practice against CBC mode when it is implemented in specific ways in software. In particular, padding oracle attacks have been demonstrated for certain implementations of SSL/TLS and IPsec. In this paper, we extend the theory of provable security for symmetric encryption to incorporate padding oracle attacks. We develop new security models and proofs for CBC mode (with padding) in the chosen-plaintext setting. These models show how to select padding schemes which provably provide a strong security notion (indistinguishability of encryptions) in the face of padding oracle attacks. We also show that an existing padding method, OZ-PAD, which is recommended for use with CBC mode in ISO/IEC 10116:2006, provably resists Vaudenay's original attack, even though it does not attain our indistinguishability notion.
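As an added illustration (not code from the paper), the following compares what a padding-validity check reveals for PKCS#7-style padding and for OZ-PAD, by counting how many of the 256 possible values of the final plaintext byte each check accepts. The 16-byte block size and the two OZ-PAD decoders (a byte-strict one that demands a literal 0x80, and a bit-oriented one following the ISO/IEC 9797-1 padding method 2 definition, which rejects only an all-zero input) are this example's assumptions, not claims drawn from the paper's proofs.

```python
import os

BLOCK = 16  # assumed block size in bytes (AES-style)

def pkcs7_pad(msg: bytes) -> bytes:
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n

def pkcs7_valid(padded: bytes) -> bool:
    # Valid iff the last byte n is in 1..BLOCK and the last n bytes all equal n
    n = padded[-1] if padded else 0
    return len(padded) % BLOCK == 0 and 1 <= n <= BLOCK and padded[-n:] == bytes([n]) * n

def oz_pad(msg: bytes) -> bytes:
    # OZ-PAD / ISO/IEC 9797-1 method 2: a single 1 bit (0x80), then 0 bits to the boundary
    padded = msg + b"\x80"
    return padded + b"\x00" * (-len(padded) % BLOCK)

def oz_valid_strict(padded: bytes) -> bool:
    # Byte-oriented decoder (assumption): the last non-zero byte must be exactly 0x80
    return len(padded) % BLOCK == 0 and padded.rstrip(b"\x00").endswith(b"\x80")

def oz_valid_bitwise(padded: bytes) -> bool:
    # Bit-oriented decoder as the ISO text defines it (assumption): strip trailing
    # 0 bits, then one 1 bit; only the all-zero string has no 1 bit to remove
    return len(padded) % BLOCK == 0 and any(padded)

def oz_unpad(padded: bytes):
    """Recover a byte-aligned OZ-PAD message; None if the padding is malformed."""
    stripped = padded.rstrip(b"\x00")
    return stripped[:-1] if stripped.endswith(b"\x80") else None

def accepted_last_bytes(check, block: bytes) -> int:
    """Count how many of the 256 possible final bytes `check` accepts when the
    rest of the last block is block[:-1]. This is the number of 'valid' answers
    a padding oracle built on `check` gives out while that byte is varied, i.e.
    a direct measure of how much the check leaks about the decrypted block."""
    return sum(check(block[:-1] + bytes([b])) for b in range(256))

if __name__ == "__main__":
    rnd = os.urandom(BLOCK)  # constructed stand-in for a random decrypted last block
    for name, check in [("PKCS#7", pkcs7_valid), ("OZ-PAD strict", oz_valid_strict),
                        ("OZ-PAD bitwise", oz_valid_bitwise)]:
        print(f"{name:15s} accepts {accepted_last_bytes(check, rnd):3d}/256 last bytes")
```

A check that accepts almost every candidate (the bit-oriented OZ-PAD decoder) gives an oracle little to say about the last block, while a check that accepts one candidate in 256 (PKCS#7, or a byte-strict OZ-PAD decoder) pins that byte down; the strictness of the decoder, not just the padding format, decides what the oracle reveals.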
