I’m excited to announce that I will be presenting at this year’s Black Hat Asia about my research into detecting and exploiting CBC padding oracles!

Zombie POODLE and GOLDENDOODLE are the names I’ve given to the vulnerabilities I’ll be discussing. Similar to ROBOT, DROWN and many other vulnerabilities affecting HTTPS, these issues stem from continued use of cryptographic modes which should have been long ago deprecated and yet are inexplicably still supported in TLSv1.2. In this case, the troublesome feature is that TLSv1.2 supports CBC mode ciphersuites.

To understand these flaws, it’s important to have a little background on block ciphers and cipher-block chaining (CBC) mode.

A block cipher operates on discrete blocks of data as opposed to a stream cipher that would encrypt individual bits. AES is an example of a block cipher, while RC4 is a stream cipher. AES can only encrypt or decrypt 128-bit blocks of data. It is not possible to directly encrypt or decrypt more or less bits with AES without defining a mode of operation. CBC is a mode of operation for block ciphers in which ciphertexts are chained together via XOR. By doing this, repeated plaintext will not lead to repeated ciphertext, and modification of a ciphertext block will also change the plaintext in the following block.

A high-level overview of AES-CBC mode encryption in TLS is as follows:

1. Plaintext message is split into discrete 16-byte blocks of data
2. An initialization vector (IV) is randomly generated
3. First block is encrypted using the selected block cipher and key
4. Block cipher output is XORed with the initialization vector
5. Result from #4 is stored as the first block of ciphertext
6. The next block of plaintext is passed to the block cipher
7. Output from the block cipher is XORed with the previous ciphertext block
8. (Read more...)