Abstract
Vaudenay’s padding oracle attacks are a powerful type of side-channel attack against systems using CBC mode encryption. They have been shown to work in practice against certain implementations of important secure network protocols, including IPsec and SSL/TLS. A formal security analysis of CBC mode in the context of padding oracle attacks in the chosen-plaintext setting was previously performed by the authors. In this paper, we consider the chosen-ciphertext setting, examining the question of how CBC mode encryption, padding, and an integrity protection mechanism should be combined in order to provably defeat padding oracle attacks. We introduce new security models for the chosen-ciphertext setting which we then use to formally analyse certain authenticated-encryption schemes, namely the three compositions: Pad-then-Encrypt-then-Authenticate (as used in particular configurations of IPsec), Pad-then-Authenticate-then-Encrypt, and Authenticate-then-Pad-then-Encrypt (as used in SSL/TLS).
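As an added illustration that is not code from the paper, the block below implements two of the three compositions the abstract names, Pad-then-Encrypt-then-Authenticate and Authenticate-then-Pad-then-Encrypt, and makes each decryption routine report which check rejected the input. It assumes a constructed toy Feistel cipher in place of a real block cipher, HMAC-SHA256 as the MAC, and a simple "n bytes of value n" padding rule; a defender can use it to confirm that the first ordering reports a single rejection for every tampered ciphertext, whereas the SSL/TLS ordering lets a padding failure be told apart from a MAC failure.

```python
import hmac, hashlib, os

B = 16  # CBC block size in bytes; keys are arbitrary byte strings (constructed toy setting)
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _feistel(k, blk, rounds):  # toy 4-round Feistel block cipher standing in for AES
    l, r = blk[:8], blk[8:]
    for i in rounds:
        l, r = r, _xor(l, hmac.new(k, bytes([i]) + r, hashlib.sha256).digest()[:8])
    return r + l  # undo the final swap, so reversed(range(4)) inverts range(4)
def cbc_encrypt(k, iv, p):
    out, prev = b"", iv
    for i in range(0, len(p), B):
        prev = _feistel(k, _xor(p[i:i + B], prev), range(4))
        out += prev
    return out
def cbc_decrypt(k, iv, c):  # plaintext block i = D(c_i) xor c_{i-1}, with c_{-1} = iv
    return b"".join(_xor(_feistel(k, c[i:i + B], reversed(range(4))), (iv + c)[i:i + B])
                    for i in range(0, len(c), B))
def pad(m):  # append n bytes of value n, 1 <= n <= B
    n = B - len(m) % B
    return m + bytes([n]) * n
def unpad(p):  # raises ValueError when the tail is not n copies of n
    n = p[-1] if p else 0
    if not 1 <= n <= B or p[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return p[:-n]
def tag(mk, data):
    return hmac.new(mk, data, hashlib.sha256).digest()
def pad_encrypt_auth(ek, mk, m, iv=None):  # Pad-then-Encrypt-then-Authenticate
    iv = iv or os.urandom(B)
    c = iv + cbc_encrypt(ek, iv, pad(m))
    return c + tag(mk, c)  # the MAC covers IV and ciphertext
def pad_encrypt_auth_open(ek, mk, c):
    body, t = c[:-32], c[-32:]
    if not hmac.compare_digest(t, tag(mk, body)):
        return "MAC"  # every tampered ciphertext is rejected here; unpad is never reached
    return unpad(cbc_decrypt(ek, body[:B], body[B:]))
def auth_pad_encrypt(ek, mk, m, iv=None):  # Authenticate-then-Pad-then-Encrypt (SSL/TLS order)
    iv = iv or os.urandom(B)
    return iv + cbc_encrypt(ek, iv, pad(m + tag(mk, m)))
def auth_pad_encrypt_open(ek, mk, c):
    try:
        p = unpad(cbc_decrypt(ek, c[:B], c[B:]))
    except ValueError:
        return "PAD"  # padding is checked before the MAC, so this outcome is observable
    m, t = p[:-32], p[-32:]
    return m if hmac.compare_digest(t, tag(mk, m)) else "MAC"
```

The open functions return the recovered message on success and the string "MAC" or "PAD" on rejection, which is the error surface the paper's models reason about.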
© 2012 Springer-Verlag Berlin Heidelberg
Cite this chapter
Paterson, K.G., Watson, G.J. (2012). Authenticated-Encryption with Padding: A Formal Security Treatment. In: Naccache, D. (eds) Cryptography and Security: From Theory to Applications. Lecture Notes in Computer Science, vol 6805. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-28368-0_9
DOI: https://doi.org/10.1007/978-3-642-28368-0_9
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-28367-3
Online ISBN: 978-3-642-28368-0