Cipher Block Chaining (CBC) Mode

Plain-text blocks are XORed with the previous cipher-text block.

The first block is an Initialization Vector (IV). This is a random number that is used as the input for the first block, since it does not have a preceding cipher-text block. The IV does not have to be secret but does have to be cryptographically random.

CBC has the property that if one block is changed, the blocks after it also change.

Security

BEAST Attack

TLS 1.0 used a broken form of CBC and was vulnerable to the BEAST attack. Instead of using a cryptographically random IV, TLS 1.0 uses the cipher-text of the previous message as the IV. Since the IV is predictable and semi-user-controllable, this could be exploited.

Secret Key as the IV Attack

https://crypto.stackexchange.com/questions/31583/aes-key-equal-to-iv-cbc-mode
If Alice uses the secret key as both the IV and the encryption key, and does not send the IV to the recipient, it is still broken.

Plaintext_alice  = P = P1 || P2 || P3

C1               = Enc(Key, P1 (xor) IV)
                 = Enc(Key, P1 (xor) Key)
ciphertext_alice = C = C1 || C2 || C3

When the cipher-text is intercepted and changed before it gets to the recipient, it is possible to recover the key.

C_original = C1 || C2 || C3
C_modified = C1 || all_zero_block || C1

P1_modified = Dec(Key, C1) (xor) IV
            = Dec(Key, C1) (xor) Key
            = P1

P2_modified = Dec(Key, C2_modified) (xor) C1
            = Dec(Key, all_zero_block) (xor) C1
            = Random Numbers

P3_modified = Dec(Key, C1) (xor) all_zero_block
            = P1 (xor) IV
            = P1 (xor) Key

P1_modified (xor) P3_modified = P1 (xor) (P1 (xor) Key)
                              = Key
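
The derivation above, run end to end as an added example (not code from the original page): CBC is built over a toy Feistel block cipher that stands in for AES, and all function names are illustrative. It assumes the interceptor gets to see the plain-text that the recipient decrypts from the modified message.

```python
import hashlib
import os

BLOCK = 16  # bytes; messages here are whole blocks, so no padding is modelled

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    # Round function of a toy Feistel cipher standing in for AES (not secure).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def enc_block(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def dec_block(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    prev, out = iv, b""
    for i in range(0, len(pt), BLOCK):
        prev = enc_block(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    prev, out = iv, b""
    for i in range(0, len(ct), BLOCK):
        out += xor(dec_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def leaked_value(key, iv):
    c1 = cbc_encrypt(key, iv, bytes(range(48)))[:BLOCK]  # constructed 3-block message
    # Assumption: the plain-text of C1 || all_zero_block || C1 becomes visible.
    p = cbc_decrypt(key, iv, c1 + bytes(BLOCK) + c1)
    # Block 1 is Dec(C1) ^ IV, block 3 is Dec(C1) ^ 0, so their XOR is the IV.
    return xor(p[:BLOCK], p[2 * BLOCK:])

if __name__ == "__main__":
    key, iv = os.urandom(BLOCK), os.urandom(BLOCK)
    print("IV = Key leaks the key:", leaked_value(key, key) == key)
    print("random IV leaks only the IV:", leaked_value(key, iv) == iv)
```

With a random IV the same manipulation yields only the IV, which is not secret, so the fix is to generate a fresh cryptographically random IV per message and send it alongside the cipher-text.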

Attacks

Key Reuse attack

If Alice’s data and Malory’s data are encrypted using the same key and the IV is not random, then it is possible for Malory to use the server as an oracle to decode Alice’s data.

ciphertext_alice = Enc(Key, IV_alice (xor) Plaintext_alice)

If Malory submits as plain-text the XOR of Alice’s IV, Malory’s IV and Malory’s guess of Alice’s plain-text, the output will be the same as Alice’s cipher-text when the guess is correct.

ciphertext_malory = Enc(Key, IV_malory (xor) Plaintext_malory)
                  = Enc(Key, IV_malory (xor) (IV_alice (xor) IV_malory (xor) Guess))
                  = Enc(Key, IV_alice (xor) Guess)

Predictable/Repeated IVs



Bit Flipping Attacks

In a bit-flipping attack, modifying a cipher-text block corrupts the plain-text of that block, but in doing so you are able to directly modify the corresponding bits of the next plain-text block.

Padding Oracle Attack

https://pbs.twimg.com/media/DxkSb7yXQAEoF2h.jpg:large