Encryption oracle attack

[trackpick]

It would help if you gave an example of S in the real world and a system that functions like the oracle. The explanation completely makes sense to me but is a little unsatisfying because as it is it feels like a contrived example.

[lvh]

What would that look like in terms of detail? Just like, "AES-CBC encrypted session cookie"? (That's the prototypical example.)

[lvh]

(Also are talking about CBC padding attacks?)

[trackpick]

I was just talking about the section on attacks on ECB - I didn't get to CBC padding attacks yet though I did read the section on CBC bit flipping attacks.

Unfortunately, I couldn't give you the name of a real attack to quote that I would find satisfying, because as a non-expert in this area I don't know them :-) The thing that was unsatisfying to me was the part where the attack depended on a concatenation of attacker data and a secret that is "specific to this system". First of all, I'm not sure what the latter means (e.g. is this secret is system-wide? - but from the details of the attack it doesn't seem like it needs to be). And secondly, this is a very specific requirement - I don't know how common it is for attacker data to appear in a protocol suffixed by such a secret. So it would be nice to sketch the pertinent parts of a real protocol that is vulnerable to this attack.

Just skimming, the description later on for the attack on CBC that inserts an ";admin=1;" string is an example that worked well for me. It connects the theory with something that I could believe would work in practice.

HTH

[EdOverflow]

Unfortunately, I couldn't give you the name of a real attack to quote that I would find satisfying, because as a non-expert in this area I don't know them :-)

As @lvh pointed out, the classic "coursebook" example is a padding oracle attack against unauthenticated AES-CBC encrypted session cookies. If you need a quick example of a bit flipping attack on cookies, please refer to Scott Arciszewski's post: https://paragonie.com/blog/2015/05/using-encryption-and-authentication-correctly.

[trackpick]

@EdOverflow Thanks. However, my comment was about the attack on ECB, not CBC.

[lvh]

@trackpick OK, cool. I thought ECB had something like that:

This oracle might seem artificial, but is quite common in practice. A simple example would be a cookie encrypted with ECB, where the prefix $A$ is a name or an e-mail address field, controlled by the attacker.

... which is what I thought addressed that issue. How can I help make that clearer?

[trackpick]

Ah yeah I confess I forgot that was there. I remember reading it now and not quite getting how that would work so I forgot about it.

So then let me ask you how that would work. A cookie is usually a thing that's specific to a session (and therefore not shared across different usernames, which each have their distinct sessions), so I wasn't sure how that oracle could be make to work. I can see it work if S is a secret that is used across all sessions for all users but I can't think of any protocol where a cookie has that property.

I hope you see why I'm confused. It might just be a terminology thing. But it might be helpful to cite a specific protocol and attack so that people can look it up.

[lvh]

Sometimes sessions are implemented by just encrypting a value instead of, say, a random token (which is unambiguously the right thing to do). However, this attack also works fine as long as the attacker controls part of the message and that comes before something exciting they'd like to decrypt.

That's not the most sophisticated attack, but it is something that I can (apparently successfully) convince people actually works at this point in the book -- even if I haven't convinced them it's pretty realistic. (FWIW: yes, this actually happens in real session strategies in real apps.)

[trackpick]

Cool, thanks.