![The XORing
A = P xor BlockCipherDecryption(B)
A[n] = P[n] xor BlockCipherDecryption(B)[n]
BlockCipherDecryption(B[n]) = A[n] xor P[n] ----> Fixed
A[n] = PD xor (A[n] xor PA) (Plaintext value
desired - PD)
or A[n] = A[n] xor (PD xor PA) (Actual plaintext value -
PA)
14](https://image.slidesharecdn.com/bitflippingattackonaes-cbc-ashutoshahelleya-170803060236/85/Bit-flipping-attack-on-aes-cbc-ashutosh-ahelleya-14-320.jpg)
Bit flipping attack on aes cbc - ashutosh ahelleya
- 1. CBC Bit-Flipping Attack Team bi0s 1
- 2. Who am I 1. Ashutosh Ahelleya 2. 2nd Year CSE Undergrad @ Amrita University, Amritapuri Campus 3. Member of bi0s CTF Team 4. Focuses on Cryptography in CTFs 2
- 3. InCTFj 1. Cyber Security Competition 2. Exclusively for School Students below 18 years of age 3. Exciting prizes for the winners of each quarter 4. Know any student interested in Cyber Security? a. https://junior.inctf.in/ 3
- 4. Aim 1. Introduction to block ciphers 2. Discuss different block cipher modes 3. Describe CBC mode of encryption 4. Vulnerabilities in CBC mode 5. CBC Bit Flipping Attack- in depth with an example 6. Preventive measures against Bit-Flipping Attack 4
- 5. What is a block cipher? 1. Encrypting/Decrypting one block of data at a time deterministically rather than each byte of plaintext 2. Symmetric key 3. Semantically much more secure than stream ciphers 4. What happens if the length of data isn’t a multiple of block size? 5. Implementation of block cipher using different modes 5
- 7. Block-cipher modes of operation 1. Describes how repeatedly to apply a cipher's single-block operation securely 2. Mostly uses an IV (Initialisation Vector) a. Unique b. Secure (randomizes the encryption) 3. A symmetric key for encryption and decryption 7
- 8. Block-cipher modes of operation 8
- 9. CBC mode of encryption 1. CBC - Cipher Block Chaining 2. The ciphertext of one block of plaintext depends on the plaintext of all the block processed upto that point. (Block Dependent) 1.Encryption: Ci = Ek(Pi xor Ci-1) for i>=1and C0 = IV 2.Decryption: Pi = Dk(Ci) xor Ci-1 for i>=1 and C0 = IV 9
- 10. Vulnerabilities in CBC 1. Depends on how it is implemented at the time of encryption 2. Poor semantics in block cipher mode -> more effective and efficient attack 3. AES function has not yet been efficiently attacked by the use of a normal computer 4. Attacks are mostly discovered due to lack of precaution while implementing it Examples: Bit Flipping Attack, Padding Oracle Attack 10
- 12. An example (Demo) 1. Such attacks have been used to bypass HTTP session tokens to gain admin access 2. https://cryptopals.com/sets/2/challenges/16 12
- 13. How it works? ● The plain text block containing “?admin?true?” to be ‘P’. ● The cipher text block next to which we have the plain text block containing “?admin?true?” to be ‘A’. ● The cipher text block of the corresponding plain text block containing “?admin?true?” to be ‘B’. 13
- 14. The XORing A = P xor BlockCipherDecryption(B) A[n] = P[n] xor BlockCipherDecryption(B)[n] BlockCipherDecryption(B[n]) = A[n] xor P[n] ----> Fixed A[n] = PD xor (A[n] xor PA) (Plaintext value desired - PD) or A[n] = A[n] xor (PD xor PA) (Actual plaintext value - PA) 14
- 15. Resources on CBC Bit Flipping Attack 1. http://swepssecurity.blogspot.nl/2014/05/bypassing-encrypted-session- tokens.html 2. https://masterpessimistaa.wordpress.com/2017/05/03/cbc-bit-flipping- attack/ 15
- 16. How can it be prevented? 1. Do not prepend a random string before generating a cookie using encryption function (sounds a bit absurd!) 2. Supply a function which verifies if the random string prepended before encryption is the same after decryption of the cookie -> ensures no bit flip and effective too! 16
- 17. Summary 1. Block Cipher 2. Block Cipher modes of operation 3. CBC mode of encryption semantically safer than the trivial ECB mode 4. Bit Flipping Attack a. Change ciphertext in previous block changes plaintext of next block b. Change session token to login as admin 5. Prevention against Bit Flipping Attack 17
Editor's Notes
- #6: Deterministic Algorithm- given a particular input, will always produce the same output