Versions of SSL/TLS before TLS1.1, use CBC encryption in the following way. They

Question

Versions of SSL/TLS before TLS1.1, use CBC encryption in the following way. They select the IV randomly only for the first message m0 in a connection; for subsequent messages, say mi , the IV is simply the last ciphertext block of the previous message. This creates a vulnerability exploited, e.g., by the BEAST attack and few earlier works [1, 2]. In this question we explore a simplified version of these attacks.

(1). Show that CBC encryption where the IV is random but known in advance is not indistinguishable, under chosen plaintext attack. Directions: assume attacker sees the ciphertext blocks c1 , c2 resulting from CBC encryption of plaintext messages m1, m2. Furthermore, attacker is now given a random value I, to be used in CBC encryption of a message X that the attacker can choose. The attacker is given the result of that encryption; e.g., if X is exactly one block long, then attacker is given the output of E(X LI). Show that this allows attacker to find if m2 is a block of all zeros or block of all 1 bits. Conclude that such CBC encryption is not CPA-IND.

(2). Extend the attack, to allow the attacker to learn the last byte of m2, assuming that all other bytes are known

Explanation / Answer

Solution :-

--> In CBC encryption mode the IV used is random. So it is not distinguishable in polynomial time. If an attacker sees the ciphertext produced by plaintext message. Furthermore atracker has given a random value I that will be used in encryption of message X. But attacker has no idea that which ciphertext block is genetated from that random value.

Suppose there are two oracles which are taking two inputs, a plaintext P and initialization vector IV. The first oracle Enc(P, IV) performs CBC encryption and outputs a ciphertext with the same length of plaintext P. The second oracle Rand(P, IV) returns a random string of bit with the same length of plaintext P.

By the security concern of CBC it is not distinguishable in polynomial time with respect to the length n of the encryption key k, that a given output is produced from Enc(P, IV) or Rand(P, IV). So this Encryption is CPA-IND encryption.

Now, suppose an adversary A has access to an oracle fulfilled either by Enc or Rand. But A is unaware of which output is genetated by Enc or which by Rand. Thus, it is observed that the scheme is most probably secure in polynomial time.

--> Now if an attacker has the ciphertext C1 and C2, encrypted from the messages M1 and M2. Furthermore attacker is given random value I which is to be used in the encryption of the plaintext X. Attacker can choose the X appropriately. If the result of the encryption of X by random value I is matched with the ciphertext seen by attacker. If ciphertext of original medsage and ciphertext of message X are same than attacker can read the original message.

So this type of CBC encryption is not CPA-IND encryption.

Related Questions

Navigate

• Browse (All)
• Browse V
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.