Application Security of Block Cipher Mode of Operation

Abstract

Abstract: The block cipher mode of operation has a nearly perfect theoretical system—as long as the underlying block cipher is secure, the upper mode of operation can be proved to be secure. However, there is a huge gap between theory and reality. In reality, various application security issues have repeatedly appeared. This paper focuses on a series of problems including IV misuse, online attack, RUP problem, padding oracle attack, birthday attack, etc. IV misuse means the IV value which produced by programmers doesn't meet the random strength in cryptography. This problem can be avoided by using the noncebased schemes. The data in some mode of operations is processed online. Therefore, the operations will suffer block-wise attack, which is also called online attack. The solution is to use the authenticatd encryption mode which is secure online. The RUP problem means the operations output unverified plaintext, which doesn't satisfy data integrity. Abed and Ashur et al. have improved relevant mode of operation to solve this problem. Padding oracle attack means the enemy using error messages which are returned by the receiver to attack the operations. To avoid such attack, the authenticatd encryption mode can be used. The birthday attack takes advantage of the collision in the middle state of the block cipher mode to forge. The secure strength of the block cipher whose block length is 64 bits will be reduced to 32 bits due to this attack, which is un-secure for them. Therefore, we'd better design the mode of operations which is beyond birthday bound. In this paper, we will analyze the causes of the above problems, the research status and solutions in detail. Finally, we will give some useful suggestions.

Key words: block cipher, mode of operation, initial vector, online attack, RUP problem, padding oracle, birthday attack

摘要： 分组密码工作模式有着近乎完美的理论体系：只要底层分组密码是安全的，上层工作模式就可以被证明是安全的.但是理论与现实之间存在巨大差距，现实情况中分组密码工作模式往往会出现各种各样的应用安全问题.主要梳理了其中的IV误用、在线攻击、RUP问题、填充谕示攻击、生日攻击等一系列问题，其中IV误用是指程序员生成的IV值没有达到密码学要求的随机强度，对此可以使用基于Nonce的方案来避免；在线攻击是指一些情况下数据采用在线处理的方式而受到的逐分组攻击，解决方法是使用在线安全的认证加密模式；RUP问题是指工作模式输出未验证的明文，使得数据完整性得不到满足，对此Abed和Ashur等人对相关模式进行了改进；填充谕示攻击是指敌手利用接收方对不正确密文返回的错误提示信息进行攻击，对此可以使用认证加密模式来避免；生日攻击利用工作模式中间状态的碰撞进行伪造的攻击，在此攻击下分组长度为64b的分组密码的安全强度会降为32b，为了避免这个问题，需要设计超生日界的工作模式.详细分析了以上问题出现的原因、关于它们的研究现状及相应的解决办法，最后给出几点具体的建议.

关键词: 分组密码, 工作模式, 初始向量, 在线攻击, RUP问题, 填充谕示, 生日攻击

王鹏郭婷婷. 分组密码工作模式的应用安全问题[J]. 信息安全研究, 2019, 5(1): 23-28.

References

[1] Joux A, Martinet G, Valette F. Blockwise-Adaptive Attackers Revisiting the (In)Security of Some Provably Secure Encryption Modes: CBC, GEM, IACBC[M]// Advances in Cryptology - CRYPTO 2002. Springer Berlin Heidelberg, 2002:231-248 [2] Fouque P A, Martinet G, Poupard G. Practical Symmetric On-Line Encryption[J]. Lecture Notes in Computer Science, 2003, 2887:362-375 [3] Fouque P A, Joux A, Poupard G. Blockwise Adversarial Model for On-line Ciphers and Symmetric Encryption Schemes[M]// Selected Areas in Cryptography. Springer Berlin Heidelberg, 2004:212-226 [4] Boldyreva A, Taesombut N. Online Encryption Schemes: New Security Notions and Constructions[C]// Cryptographers’ Track at the RSA Conference. Springer, Berlin, Heidelberg, 2004:1-14 [5] Bard G V. A Challenging but Feasible Blockwise-Adaptive Chosen-Plaintext Attack on SSL[C]// International Conference on Secrypt. 2010:7--10 [6] Bard G V. Blockwise-Adaptive Chosen-Plaintext Attack and Online Modes of Encryption[C]// Ima International Conference on Cryptography and Coding. Springer-Verlag, 2007:129-151 [7] Sun Zhe-Lei, Wang Peng. Analysis of OFBNLF encryption mode of operation[J]. SCIENTIA SINICA: Informationis, 2016, 46(6):729 (in Chinese) (孙哲蕾, 王鹏. OFBNLF加密工作模式的分析[J]. 中国科学:信息科学, 2016, 46(6):729.) [8] Zheng Kai-Yan, Wang Peng. The concrete security of BC mode and its improvement[J]. Journal of Cyber Security, 2017, 2(3):61-78 (in Chinese) (郑凯燕, 王鹏. BC加密模式的分析及其改进[J]. 信息安全学报, 2017, 2(3):61-78.) [9] Bellare M, Boldyreva A, Knudsen L, et al. Online Ciphers and the Hash-CBC Construction[C]// International Cryptology Conference. Springer, Berlin, Heidelberg, 2001:292-309 [10] Nandi M. Two New Efficient CCA-Secure Online Ciphers: MHCBC and MCBC[M]// Progress in Cryptology - INDOCRYPT 2008. Springer Berlin Heidelberg, 2008:350--362 [11] Rogaway P, Zhang H. Online Ciphers from Tweakable Blockciphers[M]// Topics in Cryptology – CT-RSA 2011. Springer Berlin Heidelberg, 2011:237-249 [12] Bhaumik R, Nandi M. Olef: an inverse-free online cipher. an online SPRP with an optimal inverse-free construction. IACR Trans. Symmetric Cryptol., 2016, 2016(2):30–51 [13] Fleischmann E, Forler C, Lucks S. McOE: A Foolproof On-Line Authenticated Encryption Scheme[J]. Lecture Notes in Computer Science, 2011, 2011:196-215 [14] Andreeva E, Bogdanov A, Luykx A, et al. Parallelizable and Authenticated Online Ciphers[M]// Advances in Cryptology - ASIACRYPT 2013. Springer Berlin Heidelberg, 2013:424-443 [15] Hoang V T, Reyhanitabar R, Rogaway P, et al. Online Authenticated -Encryption and its Nonce-Reuse Misuse-Resistance[M]// Advances in Cryptology -- CRYPTO 2015. Springer Berlin Heidelberg, 2015:493-517 [16] Endignoux G, Vizár D. Linking online misuse-resistant authenticated encryption and blockwise attack models. IACR Trans. Symmetric Cryptol., 2016, 2016(2):125–144 [17] Andreeva E, Bogdanov A, Luykx A, et al. How to Securely Release Unverified Plaintext in Authenticated Encryption[J]. Lecture Notes in Computer Science, 2014, 8873:105-125 [18] Chakraborti A, Datta N, Nandi M. INT-RUP Analysis of Block-cipher Based Authenticated Encryption Schemes[C]// Rsa Conference on Topics in Cryptology - Ct-Rsa. Springer-Verlag New York, Inc. 2016:39-54 [19] Datta N, Luykx A, Mennink B, Nandi M. Understanding RUP integrity of COLM. IACR Trans. Symmetric Cryptol., 2017, 2017(2):143-161 [20] Abed F, Forler C, List E, et al. RIV for Robust Authenticated Encryption[M]// Fast Software Encryption. Springer Berlin Heidelberg, 2016:23-42 [21] Ashur T, Dunkelman O, Luykx A. Boosting Authenticated Encryption Robustness with Minimal Modifications[C]// International Cryptology Conference. Springer, Cham, 2017:3-33 [22] Zhang P, Wang P, Hu H, et al. INT-RUP Security of Checksum-Based Authenticated Encryption[M]// Provable Security. 2017:147-166 [23] Vaudenay S. Security flaws induced by CBC padding-applications to SSL, IPSEC, WTLS…[C]// International Conference on the Theory and Applications of Cryptographic Techniques. Springer, Berlin, Heidelberg, 2002:534-545 [24] Canvel B, Hiltgen A, Vaudenay S, et al. Password Interception in a SSL/TLS Channel[C]// International Cryptology Conference. Springer, Berlin, Heidelberg, 2003:583-599 [25] Rizzo J, Duong T. Practical padding oracle attacks[C]// Usenix Conference on Offensive Technologies. 2010:1-8 [26] Iwata T, Kurosawa K. OMAC: One-Key CBC MAC[J]. Pre-proceedings of Fast Software Encryption, FSE 2003, 2003, 20(1):129-153 [27] Yuan Z, Wang W, Jia K, et al. New Birthday Attacks on Some MACs Based on Block Ciphers[C]// Advances in Cryptology - CRYPTO 2009, International Cryptology Conference, Santa Barbara, Ca, Usa, August 16-20, 2009. Proceedings. DBLP, 2009:209-230 [28] Jia K, Wang X, Yuan Z, et al. Distinguishing and Second-Preimage Attacks on CBC-Like MACs[C]// International Conference on Cryptology and Network Security. Springer-Verlag, 2009:349-361 [29] Bhargavan K. On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN[C]// ACM Sigsac Conference on Computer and Communications Security. ACM, 2016:456-467