The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?)
CRYPTO '01 Proceedings of the 21st Annual International Cryptology Conference on Advances in Cryptology
Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS ...
EUROCRYPT '02 Proceedings of the International Conference on the Theory and Applications of Cryptographic Techniques: Advances in Cryptology
Authenticated Encryption: Relations among Notions and Analysis of the Generic Composition Paradigm
ASIACRYPT '00 Proceedings of the 6th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology
Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption
Proceedings of the 11th USENIX Security Symposium
A Concrete Security Treatment of Symmetric Encryption
FOCS '97 Proceedings of the 38th Annual Symposium on Foundations of Computer Science
ACM Transactions on Information and System Security (TISSEC)
Attacking the IPsec Standards in Encryption-only Configurations
SP '07 Proceedings of the 2007 IEEE Symposium on Security and Privacy
Immunising CBC Mode Against Padding Oracle Attacks: A Formal Security Treatment
SCN '08 Proceedings of the 6th international conference on Security and Cryptography for Networks
Plaintext Recovery Attacks against SSH
SP '09 Proceedings of the 2009 30th IEEE Symposium on Security and Privacy
On the (in)security of IPsec in MAC-then-encrypt configurations
Proceedings of the 17th ACM conference on Computer and communications security
Cryptography in the Web: The Case of Cryptographic Design Flaws in ASP.NET
SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy
Padding oracle attacks on CBC-Mode encryption with secret and random IVs
FSE'05 Proceedings of the 12th international conference on Fast Software Encryption
Error oracle attacks on CBC mode: is there a future for CBC mode encryption?
ISC'05 Proceedings of the 8th international conference on Information Security
Plaintext-Dependent decryption: a formal security treatment of SSH-CTR
EUROCRYPT'10 Proceedings of the 29th Annual international conference on Theory and Applications of Cryptographic Techniques
| Hi-index | 0.00 |
Vaudenay's padding oracle attacks are a powerful type of side-channel attack against systems using CBC mode encryption. They have been shown to work in practice against certain implementations of important secure network protocols, including IPsec and SSL/TLS. A formal security analysis of CBC mode in the context of padding oracle attacks in the chosen-plaintext setting was previously performed by the authors. In this paper, we consider the chosen-ciphertext setting, examining the question of how CBC mode encryption, padding, and an integrity protection mechanism should be combined in order to provably defeat padding oracle attacks. We introduce new security models for the chosen-ciphertext setting which we then use to formally analyse certain authenticated-encryption schemes, namely the three compositions: Pad-then-Encrypt-then-Authenticate (as used in particular configurations of IPsec), Pad-then-Authenticate-then-Encrypt, and Authenticate-then-Pad-then-Encrypt (as used in SSL/TLS).