CBC
Cipher Block Chaining (CBC) Mode
Each plain-text block is XORed with the previous cipher-text block before it is encrypted.
The first block has no preceding cipher-text block, so an Initialization Vector (IV) is XORed into it instead. The IV is a random value that does not have to be secret, but it does have to be cryptographically random (unpredictable to an attacker).
CBC has the property that if one plain-text block is changed, the cipher-text of that block and of every block after it also changes.
Security
BEAST Attack
TLS 1.0 used a broken form of CBC and was vulnerable to the BEAST attack. Instead of using a cryptographically random IV for each record, TLS 1.0 used the last cipher-text block of the previous record as the IV of the next one. Because that IV is known in advance and partly attacker-controllable, the scheme could be exploited.
Secret Key as the IV Attack
https://crypto.stackexchange.com/questions/31583/aes-key-equal-to-iv-cbc-mode
If Alice uses the secret key both as the encryption key and as the IV, and does not send the IV to the recipient, the scheme is still broken.
Plaintext_alice = P = P1 || P2 || P3
IV = Key
Ciphertext_alice = CBC-Enc(Key, IV = Key, P) = C = C1 || C2 || C3
If the cipher-text is intercepted and modified before it reaches the recipient, and the attacker can observe what the recipient decrypts, the key can be recovered.
C_original = C1 || C2 || C3
C_modified = C1 || all_zero_block || C1
P1_modified = Dec(Key, C1) (xor) IV
            = Dec(Key, C1) (xor) Key
            = P1
P2_modified = Dec(Key, all_zero_block) (xor) C1
            = random-looking garbage
P3_modified = Dec(Key, C1) (xor) all_zero_block
            = P1 (xor) IV
            = P1 (xor) Key
Key = P1_modified (xor) P3_modified
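The derivation above carried out in runnable form, as an added example that is not part of the original notes. The block cipher is a constructed 16-byte Feistel permutation keyed through SHA-256, an assumption made only so the code runs with the standard library; the CBC and key-recovery logic are independent of which block cipher sits underneath.

```python
import hashlib

BLOCK = 16

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed round function for the toy cipher: SHA-256 truncated to one half-block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Constructed 4-round Feistel permutation on 16-byte blocks: a stand-in for AES
    # so the example needs only the standard library. CBC itself is cipher-agnostic.
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # C_i = Enc(Key, P_i xor C_{i-1}) with C_0 = IV; input must be block-aligned.
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # P_i = Dec(Key, C_i) xor C_{i-1} with C_0 = IV.
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(xor(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)

def recover_key(c1: bytes, decrypt_oracle) -> bytes:
    # Mallory replaces the message with C1 || 0^16 || C1 and observes the recipient's
    # decryption: P1' = P1 and P3' = P1 xor IV, so P1' xor P3' = IV, which is the Key
    # whenever the recipient used the key as its IV.
    plain = decrypt_oracle(c1 + bytes(BLOCK) + c1)
    return xor(plain[:BLOCK], plain[2 * BLOCK:3 * BLOCK])
```

When the recipient uses a random IV instead, the same forgery yields only the IV, which is public anyway; that is exactly why the IV must never be derived from the key.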
Attacks
Key Reuse Attack
If Alice's data and Mallory's data are encrypted under the same key and the IV is not random (Mallory can predict it), Mallory can use the server as an encryption oracle to confirm guesses about Alice's plain-text.
ciphertext_alice = Enc(Key, IV_alice (xor) Plaintext_alice)
If Mallory submits as her plain-text the XOR of Alice's IV, Mallory's own IV and her guess at Alice's plain-text, then the resulting cipher-text block is identical to Alice's exactly when the guess is correct.
ciphertext_malory = Enc(Key, IV_malory (xor) Plaintext_malory)
                  = Enc(Key, IV_malory (xor) (IV_alice (xor) IV_malory (xor) Guess))
                  = Enc(Key, IV_alice (xor) Guess)
Predictable/Repeated IVs
Bit Flipping Attacks
In a bit-flipping attack you corrupt a cipher-text block; because decryption XORs each decrypted block with the previous cipher-text block, the same bits flip in the plain-text of the next block, so you can modify that block directly (the corrupted block itself decrypts to garbage).
Padding Oracle Attack
https://pbs.twimg.com/media/DxkSb7yXQAEoF2h.jpg:large