Gildas Avoine and Loïc Ferreira 153
many null bytes as necessary (possibly none) are added in order to get a string whose length is a multiple of a DES block [ISO17]. The 8-byte MAC tag is computed on the command header, the plaintext, and the padding data.^9
The ISO 9797-1 MAC algorithm 3, also known as “retail MAC”, is used [ISO11]. In addition, an IV is involved in the MAC computation. The value of the first IV is usually $00^8$. The IV used for the next command is equal to the MAC tag computed on the previous command. The ciphertext and the MAC tag then become the data field of the server’s command.
Figure 1 depicts the data encryption and MAC computation of a command.
4 Description of the regular padding oracle attack
The padding oracle attack is based on the fact that a device behaves differently depending on the correctness of the (encryption) padding data. From that differentiated behaviour, the attacker tries to get some information (e.g., some bits or bytes of plaintext). That difference may be based on the nature of the response (presence or absence of the response, type: e.g., “regular” or error message, value, etc.) or on the duration of the operations performed (or not) by the device. Regarding the symmetric-key encryption case, the whole decryption procedure usually includes (among other possible operations) the MAC verification, and the padding extraction and verification. It is commonly recommended to provide data authenticity and confidentiality by applying the so-called Encrypt-then-MAC (EtM) paradigm [Kra01, BN08].^10 Nonetheless, some cryptographic mechanisms apply other methods (e.g., MAC-then-Encrypt in TLS 1.2 [DR08], Encrypt-and-MAC (E&M) in SSH [YL06c, YL06a, YL06d, YL06b]).
Therefore, if padding data is used during the encryption process, and the padding data must be verified during the decryption procedure prior to the MAC computation, then it may be possible to perform an attack aiming at retrieving sensitive data. If one follows the MtE or the E&M method (as in SCP02), the whole decryption procedure involves (usually) three main steps:
1. the evaluation of the decryption function on the encrypted data,
2. the extraction and verification of the padding data,
3. the computation of the MAC tag on the remaining decrypted data.
Once the ciphertext is decrypted, either the padding data is valid and can be removed, and the MAC computation can be done, or the padding data is invalid and the MAC tag cannot be computed (at least on the genuine data).
Let us illustrate the attack with an example. For the sake of clarity, we use the specifics of SCP02, namely the encryption function (and the corresponding block size), and the padding scheme. Let $C$ be the last encrypted block carried in a protected command, and let $V$ be the block used as IV during the encryption operation that yields $C$ ($V$ denotes either the null IV if the command carries one encrypted block only, or the previous encrypted block if the command carries two or more encrypted blocks). Let $b_0 | \cdots | b_5$ be the plaintext data corresponding to $C$. In SCP02, the encryption is done with 3DES in CBC mode. Since the plaintext length is less than 8 bytes, padding data is appended, and this yields $B = b_0 | \cdots | b_5 | 80 | 00$. The encryption process outputs

$$C = \mathrm{ENC}(V \oplus B) = \mathrm{ENC}\big((v_0 \oplus b_0) | \cdots | (v_5 \oplus b_5) | (v_6 \oplus 80) | (v_7 \oplus 00)\big)$$
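As an added example (not the paper's code), the following Python puts together the padding scheme, the CBC relation $C = \mathrm{ENC}(V \oplus B)$ and the two decryption orders contrasted in Section 4: the SCP02-style order that checks the padding before the MAC, and the EtM order that authenticates the ciphertext first. 3DES and the retail MAC are replaced by labelled stand-ins (a 4-round Feistel permutation with an HMAC-SHA256 round function, and a truncated HMAC) so that it runs with the standard library alone; the keys, plaintext and error labels are constructed.

```python
# Added example, not the paper's code: ISO 9797-1 method-2 padding, CBC, and the two
# decryption orders discussed above. 3DES is replaced by a 4-round Feistel permutation with
# an HMAC-SHA256 round function and the retail MAC by a truncated HMAC (stdlib stand-ins).
import hmac, hashlib

BLOCK = 8                # DES block size used by SCP02
NULL_IV = bytes(BLOCK)   # 00^8, IV of the first encryption

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):  # PRF round function of the stand-in block cipher
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def block(key, blk, dec=False):  # 4-round Feistel permutation on 8-byte blocks
    l, r = blk[:4], blk[4:]
    for i in (reversed(range(4)) if dec else range(4)):
        l, r = (xor(r, _f(key, i, l)), l) if dec else (r, xor(l, _f(key, i, r)))
    return l + r

def pad(data):           # 80, then as many 00 as needed (possibly none)
    data += b"\x80"
    return data + b"\x00" * (-len(data) % BLOCK)

def unpad(data):         # None signals malformed padding
    body = data.rstrip(b"\x00")
    return body[:-1] if body.endswith(b"\x80") else None

def cbc(key, iv, data, dec=False):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        nxt = xor(prev, block(key, c, True)) if dec else block(key, xor(prev, c))  # C = ENC(V xor B)
        out, prev = out + nxt, (c if dec else nxt)
    return out

def mac(mac_key, data):  # stand-in for the 8-byte retail MAC
    return hmac.new(mac_key, data, hashlib.sha256).digest()[:8]

def decrypt_pad_then_mac(key, mac_key, ct, tag):
    """E&M order as in SCP02: padding is checked before the MAC, so the two
    failure modes are distinguishable. This distinguishability is the oracle."""
    pt = unpad(cbc(key, NULL_IV, ct, True))
    if pt is None:
        return "PADDING_ERROR"
    return pt if hmac.compare_digest(mac(mac_key, pt), tag) else "MAC_ERROR"

def decrypt_mac_then_pad(key, mac_key, ct, tag):
    """EtM order: the ciphertext is authenticated before any padding
    inspection, so every tampered command fails in the same way."""
    if not hmac.compare_digest(mac(mac_key, ct), tag):
        return "ERROR"
    return unpad(cbc(key, NULL_IV, ct, True))
```

Flipping byte 6 of the block preceding the last one reaches the 80 byte of the padding and is reported differently from flipping byte 0 under the E&M order, while the EtM order answers both with the same error.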
^9 The genuine header HDR can be retrieved from the header HDR’ of the encrypted command.
^10 Note that some encryption modes (e.g., [Dwo04]), coupled with a security proof [Jon03], correspond to the MAC-then-Encrypt (MtE) paradigm.