Error Oracle Attacks on CBC Mode: Is There a Future for CBC Mode Encryption?

Chris J. Mitchell

(2005)

Abstract

This paper is primarily concerned with the CBC block cipher mode. The impact on the usability of this mode of recently proposed padding oracle attacks, together with other related attacks described in this paper, is considered. For applications where unauthenticated encryption is required, the use of CBC mode is compared with its major symmetric rival, namely the stream cipher. It is argued that, where possible, authenticated encryption should be used, and, where this is not possible, a stream cipher would appear to be a superior choice. This raises a major question mark over the future use of CBC mode, except as part of a more complex mode designed to provide authenticated encryption.
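The padding oracle attack the abstract refers to, worked through end to end as an added example (this is not code from the paper). The attacker is given only a yes/no answer to "did this ciphertext decrypt to validly padded plaintext?" and recovers the whole plaintext block by block; the same script then runs the attack against an encrypt-then-MAC variant of the scheme, where every forged ciphertext is rejected before padding is examined, which is the paper's recommendation of authenticated encryption in miniature. Assumptions: the block cipher is a toy 16-byte Feistel network keyed through SHA-256, chosen so the script runs on the Python standard library (the attack treats it as a black box and works unchanged against AES-CBC); padding is PKCS#7; the function names (`recover_block`, `padding_oracle_attack`, `etm_oracle`) and the sample plaintext are constructed for this example.

```python
"""Padding oracle attack on CBC/PKCS#7 and the encrypt-then-MAC variant that closes it.
Added example, not the paper's code; the toy SHA-256 Feistel cipher stands in for AES."""
import hashlib
import hmac
import secrets

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):  # Feistel round function: keyed SHA-256, truncated to 8 bytes
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def toy_encrypt_block(key, block):
    left, right = block[:8], block[8:]
    for rnd in range(8):
        left, right = right, _xor(left, _f(key, right, rnd))
    return left + right

def toy_decrypt_block(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(8)):
        left, right = _xor(right, _f(key, left, rnd)), left
    return left + right

def pkcs7_unpad(data):
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # the observable error that forms the oracle
    return data[:-n]

def cbc_encrypt(key, plaintext):
    n = BLOCK - len(plaintext) % BLOCK
    padded, prev = plaintext + bytes([n]) * n, secrets.token_bytes(BLOCK)  # PKCS#7 pad
    out = [prev]  # output is IV || C1 || ... || Cn
    for i in range(0, len(padded), BLOCK):
        prev = toy_encrypt_block(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, data):
    if len(data) % BLOCK or len(data) < 2 * BLOCK:
        raise ValueError("bad length")
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    plain = b"".join(_xor(toy_decrypt_block(key, c), p) for p, c in zip(blocks, blocks[1:]))
    return pkcs7_unpad(plain)

def padding_oracle(key):
    def oracle(data):  # unauthenticated CBC: caller learns only valid/invalid padding
        try:
            return cbc_decrypt(key, data) is not None
        except ValueError:
            return False
    return oracle

def etm_encrypt(k_enc, k_mac, plaintext):
    ct = cbc_encrypt(k_enc, plaintext)
    return ct + hmac.new(k_mac, ct, hashlib.sha256).digest()

def etm_oracle(k_enc, k_mac):
    def oracle(data):  # encrypt-then-MAC: forged input is rejected before padding is looked at
        ct, tag = data[:-32], data[-32:]
        expected = hmac.new(k_mac, ct, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected) and padding_oracle(k_enc)(ct)
    return oracle

def recover_block(oracle, prev, target):
    # Recover D_K(target) XOR prev, last byte first; returns None if the oracle never accepts.
    inter = bytearray(BLOCK)  # D_K(target), filled in from the right
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        forged = bytearray(inter[j] ^ pad if j > pos else 0 for j in range(BLOCK))
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged) + target):
                continue
            if pos == BLOCK - 1:  # 0x02 0x02 etc. also validate: re-check with byte 14 flipped
                if not oracle(b"\x00" * 14 + b"\xff" + bytes([guess]) + target):
                    continue
            inter[pos] = guess ^ pad
            break
        else:
            return None
    return _xor(inter, prev)

def padding_oracle_attack(oracle, data):
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    out = [recover_block(oracle, p, c) for p, c in zip(blocks, blocks[1:])]
    return None if None in out else pkcs7_unpad(b"".join(out))

def demo():
    k_enc, k_mac = secrets.token_bytes(16), secrets.token_bytes(16)
    msg = b"attack at dawn; CBC leaks via padding checks"  # constructed sample plaintext
    leaked = padding_oracle_attack(padding_oracle(k_enc), cbc_encrypt(k_enc, msg))
    blocked = padding_oracle_attack(etm_oracle(k_enc, k_mac), etm_encrypt(k_enc, k_mac, msg))
    return leaked, blocked  # (msg, None)
```

`demo()` returns the full plaintext from the unauthenticated scheme after at most 256 oracle queries per byte, and `None` from the encrypt-then-MAC scheme, where the MAC check fails on every forged block so the padding code is never reached. In deployed systems the oracle is rarely an explicit boolean; it is a distinguishable error message, a timing difference, or a dropped connection, which is why the fix is to authenticate the ciphertext (or use a proper authenticated-encryption mode) rather than to hide the padding error.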

Information about this Version

This is a Published version
This version's date is: 20/04/2005
This item is peer reviewed

Link to this Version

https://repository.royalholloway.ac.uk/items/d456be15-50d1-7729-2408-b3b45ceb06f1/1/

Item Type: Monograph (Technical Report)
Title: Error Oracle Attacks on CBC Mode: Is There a Future for CBC Mode Encryption?
Authors: Mitchell, Chris J.
Departments: Faculty of Science\Mathematics

Deposited by () on 13-Jul-2010 in Royal Holloway Research Online. Last modified on 10-Dec-2010.
