Chris J. Mitchell (2005) Error Oracle Attacks on CBC Mode: Is There a Future for CBC Mode Encryption?
Full text access: Open
This paper is primarily concerned with the CBC block cipher mode. The impact on the usability of this mode of recently proposed padding oracle attacks, together with other related attacks described in this paper, is considered. For applications where unauthenticated encryption is required, the use of CBC mode is compared with its major symmetric rival, namely the stream cipher. It is argued that, where possible, authenticated encryption should be used, and, where this is not possible, a stream cipher would appear to be a superior choice. This raises a major question mark over the future use of CBC mode, except as part of a more complex mode designed to provide authenticated encryption.
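As an added illustration (not code from the paper), the Go program below, using hypothetical function names, shows the two receivers the abstract contrasts: a plain CBC receiver whose padding check returns a distinguishable error (the error oracle), and an encrypt-then-MAC wrapper (one generic way to obtain authenticated encryption; AES-128 and HMAC-SHA256 are assumed choices here) that verifies the tag in constant time before decrypting and returns one uniform error for every bad input. The keys and the sample message are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

var (
	ErrPadding = errors.New("cbc: invalid padding") // a distinguishable verdict: the error oracle
	ErrAuth    = errors.New("cbc: message rejected") // one uninformative error for every bad input
)

func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}
// pkcs7Unpad returns ErrPadding on any malformed pad; exposing that verdict to
// whoever submitted the ciphertext (directly or via timing) is the oracle.
func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	n := 0
	if len(b) > 0 && len(b)%blockSize == 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > blockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrPadding
	}
	return b[:len(b)-n], nil
}
// cbcEncrypt returns iv||ciphertext under AES-CBC with a fresh random IV.
func cbcEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}
// cbcDecryptUnauthenticated is the receiver the paper warns about: decrypt first, then expose the pad verdict.
func cbcDecryptUnauthenticated(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, ErrPadding
	}
	padded := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(padded, data[aes.BlockSize:])
	return pkcs7Unpad(padded, aes.BlockSize)
}
// encryptThenMAC is one generic authenticated-encryption construction: an HMAC-SHA256 tag over iv||ciphertext.
func encryptThenMAC(encKey, macKey, plaintext []byte) ([]byte, error) {
	body, err := cbcEncrypt(encKey, plaintext)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	return mac.Sum(body), nil
}
// decryptThenVerify checks the tag in constant time before any decryption, so a modified
// ciphertext never reaches the padding check and every rejection looks the same to the sender.
func decryptThenVerify(encKey, macKey, data []byte) ([]byte, error) {
	if len(data) < sha256.Size {
		return nil, ErrAuth
	}
	body, tag := data[:len(data)-sha256.Size], data[len(data)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if subtle.ConstantTimeCompare(mac.Sum(nil), tag) != 1 {
		return nil, ErrAuth
	}
	if pt, err := cbcDecryptUnauthenticated(encKey, body); err == nil {
		return pt, nil
	}
	return nil, ErrAuth // unreachable for an honest sender; still reveal nothing
}

func main() {
	encKey, macKey := bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 32) // constructed demo keys
	c, _ := cbcEncrypt(encKey, []byte("attack at dawn")) // 14 bytes, so the pad is 0x02 0x02
	c[15] ^= 0x01 // last IV byte: the final pad byte now decrypts to 0x03, so the pad is malformed
	_, err := cbcDecryptUnauthenticated(encKey, c)
	fmt.Println("unauthenticated CBC, tampered IV:", err) // cbc: invalid padding
	a, _ := encryptThenMAC(encKey, macKey, []byte("attack at dawn"))
	a[15] ^= 0x01
	_, err = decryptThenVerify(encKey, macKey, a)
	fmt.Println("encrypt-then-MAC, tampered IV:", err) // cbc: message rejected
}
```

Flipping the last IV byte makes the point concrete: the unauthenticated receiver reports a padding failure, while the authenticated receiver reports only that the message was rejected. The oracle is not just the error string; the same separation has to hold for timing, which is why the tag check comes first and uses a constant-time comparison, and why a modified ciphertext is never decrypted at all.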
This is a published version. This version's date is 20/04/2005. This item is peer reviewed.
https://repository.royalholloway.ac.uk/items/d456be15-50d1-7729-2408-b3b45ceb06f1/1/
Deposited on 13-Jul-2010 in Royal Holloway Research Online. Last modified on 10-Dec-2010.