Implementing CBC
Petr Ročkai
Implementing CBC 1/12 October 19, 2017

Overview
• we will use the AES block encryption function
• to implement the CBC mode
• this is just an exercise
• to understand how CBC works
• you should not do this in real projects

Cipher Modes
• a block cipher can only encrypt one block at a time
• typically same size as the key
• plaintext length must be divisible by block length → padding

ECB
• split the message into block-sized chunks
• encrypt each block separately
• insecure

Can we do better?

CBC
• XOR previous ciphertext into current plaintext

CBC Properties
• error-resistant (self-synchronising)
• parallel decryption is possible
• can’t encrypt in parallel

How to Pad
• let 𝑛 be the number of missing bytes
• clearly 0 < 𝑛 < 255, so it fits in a byte
• PKCS7: each padding byte just repeats 𝑛
• example: ???? ???? ??? → ???? ???? ???5 5555

Padding Oracles
• possible if a server indicates a padding error
• an apparently minor info leak compromises the cipher
• CBC with PKCS7 padding is vulnerable

CBC Decryption

A Padding Oracle
• assume 128b AES: 1 block = 16 bytes
• consider a ciphertext (IV, C₁, C₂) that decrypts to (P₁, P₂)
• consider (hex) P₂ = ???? ???? ???? ??01 → OK
• what about P₂ = ???? ???? ???? ??12 → ERROR

Recovering the Last Byte
• set C₁’[15] = C₁[15] ⊕ X ⊕ 0x01
• send (IV, C₁’, C₂) to the oracle
• if we get OK, it’s likely that P₂[15] = X

Correctness
• (I₁, I₂) are the intermediate results from AES block decrypt
• C₁[15] ⊕ X ⊕ 0x01 ⊕ I₂[15] = 0x01    / ⊕ I₂[15]
• C₁[15] ⊕ X ⊕ 0x01 = 0x01 ⊕ I₂[15]    / ⊕ 0x01
• C₁[15] ⊕ X = I₂[15]    / ⊕ X ⊕ I₂[15]
• C₁[15] ⊕ I₂[15] = X

Getting More Bytes
• if we already know X = P₂[15]
• we can set C₁’[15] to C₁[15] ⊕ X ⊕ 0x02
• and C₁’[14] to C₁[14] ⊕ Y ⊕ 0x02
• and guess again until we hit the right Y

This Lab
• download and compile the skeleton from study materials
• implement my_encrypt_cbc only using aes_crypt_ecb
• create a new file, e.g. cbc.c with a new main() function
• start working on your assignment (next slide)

Assignment 3
• implement the padding oracle attack
  − recovery of the last byte (1pt)
  − recovery of an entire block (1pt)
• is a specific error code/message required?
  − what other info could the attacker use? explain (1pt)
• what could you do to defend against the attack? (1pt)
  − take previous into account
  − describe at least 2 modes of defence
• implement the better of those 2 defences (1pt)

Assignment 3 (cont’d)
• pick any block you like for your attack
• the function performServerDecrypt is your oracle
• do not modify this function
• make a copy for implementing your defence
• mention your sources
• the deadline is Thu 26th at midnight
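The CBC construction from the "Cipher Modes", "CBC" and "How to Pad" slides, together with the two defences that Assignment 3 asks for, as an added Python example; it is not part of the lecture's C skeleton and does not use its aes_crypt_ecb or performServerDecrypt. Because AES is not available without a library, a 4-round Feistel network with SHA-256 as the round function stands in for the block cipher (an assumption of this example and a toy, not something to use anywhere). pkcs7_pad and pkcs7_unpad follow the padding slide; cbc_encrypt builds each ciphertext block from the block function alone, which is what my_encrypt_cbc is meant to do; open_leaky behaves like a padding oracle (distinct result on a padding error), and open_hardened shows the two defences side by side: an encrypt-then-MAC tag that is checked before any padding is examined, and one uniform failure value whatever the cause. The names block_encrypt, cbc_encrypt, seal, open_leaky and open_hardened are this example's own.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, the same as 128-bit AES


# --- stand-in block cipher (assumption: a Feistel toy instead of AES) ---------
def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # keyed round function: 8 bytes of SHA-256(key || round index || half)
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):  # undo the rounds in reverse order
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


# --- PKCS7 padding: every padding byte repeats n, the number of missing bytes --
class PaddingError(Exception):
    pass


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK  # 1..16: an aligned message gets a full block
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    if len(data) == 0 or len(data) % BLOCK:
        raise PaddingError
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError
    return data[:-n]


# --- CBC mode built from the block function only ------------------------------
def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))  # C_i = E(P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))  # P_i = D(C_i) xor C_{i-1}
        prev = c
    return b"".join(out)


# --- receiver side: a leaky oracle next to the hardened variant ---------------
def open_leaky(key: bytes, msg: bytes):
    """msg = IV || ciphertext. A distinct result on a padding error is the
    information leak the padding-oracle slides rely on."""
    iv, ct = msg[:BLOCK], msg[BLOCK:]
    try:
        return pkcs7_unpad(cbc_decrypt(key, iv, ct))
    except PaddingError:
        return "PADDING_ERROR"


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(enc_key, iv, pkcs7_pad(plaintext))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag  # encrypt-then-MAC: the tag covers IV and ciphertext


def open_hardened(enc_key: bytes, mac_key: bytes, msg: bytes):
    """Defence 1: verify the tag first, so a modified ciphertext is rejected
    before the padding is ever examined. Defence 2: every failure returns the
    same value (None), so a bad tag and bad padding are indistinguishable."""
    if len(msg) < 2 * BLOCK + 32:
        return None
    iv, ct, tag = msg[:BLOCK], msg[BLOCK:-32], msg[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        return pkcs7_unpad(cbc_decrypt(enc_key, iv, ct))
    except PaddingError:
        return None
```

Note how cbc_decrypt makes the "error-resistant" property of the CBC slide visible: changing one byte of C₁ garbles all of P₁ but changes exactly the same byte position of P₂, which is also why a padding check run on unauthenticated ciphertext is informative. The hardened receiver never reaches the padding check unless the tag verifies, so a caller observing only success or None learns nothing about the padding.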