Friday, October 22, 2010


In symmetric encryption it is sometimes hard to decide which mode of operation to use, especially between AES CBC mode and AES CTR (Counter) mode.

Here are some pros and cons of these two modes:

Padding: CBC requires message padding, CTR does not

Speed: Both modes cost one block-cipher call per block, but in CTR every block's keystream depends only on the counter, so both encryption and decryption can be parallelized arbitrarily (and the keystream can even be precomputed before the plaintext arrives). CBC encryption is inherently serial because each block feeds into the next; only CBC decryption can be parallelized. CTR implementations can therefore reach higher throughput.

Implementation: CTR only requires the block cipher's encryption function (decryption is the same XOR against the same keystream); CBC requires both the encryption and the decryption function to be implemented.

Robustness: If you ever reuse the same IV/nonce under the same key, CBC leaks whether two messages begin with the same plaintext blocks (their ciphertexts are identical up to the first block that differs). CTR leaks the XOR of the two entire plaintexts, from which both are usually recoverable. Neither mode provides integrity: an attacker who flips a ciphertext bit in CTR flips the same plaintext bit, and CBC garbles one block while flipping the corresponding bit of the next, so either mode must be combined with a MAC (or replaced by an authenticated mode) if tampering matters.
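As an added example (not code from the original post), the following Go program, using only the standard library's crypto/aes and crypto/cipher, makes the Robustness point concrete and goes one step beyond the list: it shows what a reused IV leaks under CBC (the number of identical leading blocks), what a reused nonce leaks under CTR (the whole of one plaintext once the other is known or guessed), and that CTR ciphertext can be bit-flipped into a chosen plaintext because neither mode authenticates anything. The key, the reused IV and the two messages are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed demo key and a deliberately fixed IV/nonce; real code draws a fresh one per message.
var demoKey = []byte("0123456789abcdef") // 16 bytes: AES-128 (block size is 16 for every AES key length)
var reusedIV = []byte("fixed-iv-is-bad!")

func pkcs7Pad(pt []byte) []byte {
	n := aes.BlockSize - len(pt)%aes.BlockSize
	return append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// cbcEncrypt: AES-CBC over PKCS#7-padded input, IV chosen by the caller.
func cbcEncrypt(key, iv, pt []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	padded := pkcs7Pad(pt)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, padded)
	return ct
}

// ctrCrypt: AES-CTR, no padding; the same call decrypts because CTR is a pure keystream XOR.
func ctrCrypt(key, nonce, data []byte) []byte {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(blk, nonce).XORKeyStream(out, data)
	return out
}

// commonPrefixBlocks counts the leading 16-byte blocks two ciphertexts share. Under CBC with a
// reused IV that equals the number of leading plaintext blocks that are identical, so the leak
// is "these two messages begin the same way" and how far, block by block, the match runs.
func commonPrefixBlocks(c1, c2 []byte) int {
	n := 0
	for (n+1)*aes.BlockSize <= len(c1) && (n+1)*aes.BlockSize <= len(c2) &&
		bytes.Equal(c1[n*aes.BlockSize:(n+1)*aes.BlockSize], c2[n*aes.BlockSize:(n+1)*aes.BlockSize]) {
		n++
	}
	return n
}

// xorBytes XORs a and b over the shorter of the two lengths.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// recoverFromCtrReuse: with the nonce reused, c1 XOR c2 == p1 XOR p2, so a known (or guessable)
// p1 gives p2 outright. The whole message leaks, not just a shared prefix.
func recoverFromCtrReuse(c1, c2, knownP1 []byte) []byte {
	return xorBytes(xorBytes(c1, c2), knownP1)
}

// rewriteCtr shows the integrity caveat: without a MAC, flipping ciphertext bits flips the same
// plaintext bits, so a field whose current value is known can be rewritten in place.
func rewriteCtr(ct []byte, offset int, oldVal, newVal []byte) []byte {
	out := append([]byte{}, ct...)
	for i := range oldVal {
		out[offset+i] ^= oldVal[i] ^ newVal[i]
	}
	return out
}

func main() {
	p1 := []byte("ACCOUNT=alice   ;amount=100;memo=hello") // constructed messages sharing a 16-byte prefix
	p2 := []byte("ACCOUNT=alice   ;amount=999;memo=bye")
	c1, c2 := cbcEncrypt(demoKey, reusedIV, p1), cbcEncrypt(demoKey, reusedIV, p2)
	fmt.Println("CBC, reused IV, identical leading blocks:", commonPrefixBlocks(c1, c2))
	k1, k2 := ctrCrypt(demoKey, reusedIV, p1), ctrCrypt(demoKey, reusedIV, p2)
	fmt.Printf("CTR, reused nonce, p2 recovered from p1: %q\n", recoverFromCtrReuse(k1, k2, p1))
	fmt.Printf("CTR, amount rewritten without the key: %q\n",
		ctrCrypt(demoKey, reusedIV, rewriteCtr(k1, 24, []byte("100"), []byte("999"))))
}
```

With a fresh IV per message the CBC prefix leak disappears (the first ciphertext blocks differ because the block-cipher inputs differ), which is the check to run on any CBC code path; the CTR bit-flip, by contrast, works with a fresh nonce too and is only stopped by authenticating the ciphertext.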

Here is the tie-break between AES CBC and AES CTR mode: the padding oracle (see my post AES CBC Padding Oracle Attack below).

AES CBC uses padding, so whenever the decrypting side reveals whether the padding was valid (a distinct error code or message, or even a measurable timing difference) and the ciphertext is not authenticated, it is susceptible to the padding oracle attack.

From now on I think we should all switch to AES CTR mode for symmetric key encryption.

The only exception I can think of is the case where the plaintext is always an exact multiple of the block size (16 bytes for AES of any key length; AES-128, AES-192 and AES-256 differ only in key size), so that no padding is ever added or checked. AES CBC could be used in this particular case. For me I will now only use AES CBC when I need to encrypt another symmetric key under the current key (key wrapping), since key lengths fall on block boundaries. Even there, note that a dedicated key-wrap mode exists for that job, AES Key Wrap (RFC 3394), which also detects tampering with the wrapped key.

Thursday, October 21, 2010

AES CBC Padding Oracle Attack

What's a Padding Oracle

AES-CBC with PKCS5 padding (PKCS#7 padding to the 16-byte block, usually labelled PKCS5Padding in crypto APIs) is the most pervasive construction in symmetric key encryption. Most implementations of AES-CBC return an error if someone modifies the ciphertext and the result fails the padding check after decryption. That error return is the padding oracle. In pseudocode it looks like this:

bool PaddingOracle(ciphertext) // given any ciphertext, returns whether decryption "succeeds", i.e. whether the padding is correct

An attacker can use that single bit of information, one query at a time, to construct a decryption oracle:

char *DecryptionOracle(ciphertext) // given any ciphertext, returns its plaintext

Worse yet, because of the way AES-CBC chains blocks (each plaintext block is the block-cipher decryption of its ciphertext block XORed with the previous ciphertext block, and the IV plays "previous block" for the first one), the attacker can build an encryption oracle on top of the decryption oracle:

char *EncryptionOracle(plaintext) // given any plaintext, returns a ciphertext the victim will accept

So leaking the side-channel information of whether the padding is correct allows an attacker to decrypt any captured message and to forge a valid ciphertext for any plaintext of their choosing, all without ever knowing the key. The cost is modest: at most 256 oracle queries per byte (128 on average), so at most 4096 queries per 16-byte block.
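The three oracles above, worked through in Go as an added example (this is not the blog's own code): the victim side is real AES-CBC with PKCS#7 padding from the standard library, PaddingOracle is nothing more than the application's error return, and the attacker side calls PaddingOracle and nothing else. The server key is a constructed constant that the attacker functions never read. decryptBlock recovers D_K(block), the raw block-cipher decryption of one ciphertext block, and includes the check for the false positive on the last byte (a guess that yields valid 02 02 padding instead of 01) that a naive implementation gets wrong about once per 256 blocks.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

const bs = aes.BlockSize // 16 bytes for every AES key size

// Victim side. serverKey is constructed for the demo; the attacker functions below never read it.
var serverKey = []byte("constructed-key!")
var blk, _ = aes.NewCipher(serverKey)

func pkcs7Pad(pt []byte) []byte {
	n := bs - len(pt)%bs
	return append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad rejects a zero, oversized or inconsistent pad; this rejection is what leaks.
func pkcs7Unpad(pt []byte) ([]byte, error) {
	n := len(pt)
	if n == 0 || int(pt[n-1]) == 0 || int(pt[n-1]) > bs || int(pt[n-1]) > n ||
		!bytes.Equal(pt[n-int(pt[n-1]):], bytes.Repeat(pt[n-1:], int(pt[n-1]))) {
		return nil, errors.New("bad padding")
	}
	return pt[:n-int(pt[n-1])], nil
}

// serverEncrypt returns iv || ciphertext with a fresh random IV, as the application sends it.
func serverEncrypt(pt []byte) []byte {
	padded := pkcs7Pad(pt)
	out := make([]byte, bs+len(padded))
	if _, err := rand.Read(out[:bs]); err != nil {
		panic(err)
	}
	cipher.NewCBCEncrypter(blk, out[:bs]).CryptBlocks(out[bs:], padded)
	return out
}

// serverDecrypt: whether it returns an error is everything the attacker gets to see.
func serverDecrypt(msg []byte) ([]byte, error) {
	if len(msg) < 2*bs || len(msg)%bs != 0 {
		return nil, errors.New("bad length")
	}
	pt := make([]byte, len(msg)-bs)
	cipher.NewCBCDecrypter(blk, msg[:bs]).CryptBlocks(pt, msg[bs:])
	return pkcs7Unpad(pt)
}

// PaddingOracle is the page's bool PaddingOracle(ciphertext).
func PaddingOracle(msg []byte) bool {
	_, err := serverDecrypt(msg)
	return err == nil
}

// Attacker side: everything below calls PaddingOracle and nothing else.

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// decryptBlock learns D_K(block) by sending a crafted "previous block" as the IV and fixing bytes
// from the end until the padding reads 01, then 02 02, then 03 03 03, and so on.
func decryptBlock(block []byte) []byte {
	dk := make([]byte, bs)
	ask := func(prev []byte) bool { return PaddingOracle(append(append([]byte{}, prev...), block...)) }
	for i := bs - 1; i >= 0; i-- {
		pad, prev := byte(bs-i), make([]byte, bs)
		for j := i + 1; j < bs; j++ {
			prev[j] = dk[j] ^ pad // bytes already recovered: force them to the target pad value
		}
		hit := -1
		for g := 0; g < 256 && hit < 0; g++ {
			prev[i] = byte(g)
			ok := ask(prev)
			if ok && i == bs-1 { // want 01, but 02 02 / 03 03 03 ... also pass: perturb byte 14 to rule them out
				prev[i-1] ^= 0xff
				ok = ask(prev)
				prev[i-1] ^= 0xff
			}
			if ok {
				hit = g
			}
		}
		if hit < 0 {
			panic("no byte accepted: the endpoint is not behaving as a padding oracle")
		}
		dk[i] = byte(hit) ^ pad
	}
	return dk
}

// DecryptionOracle is the page's char *DecryptionOracle(ciphertext): P_i = D_K(C_i) XOR C_{i-1}.
func DecryptionOracle(msg []byte) []byte {
	var out []byte
	for off := bs; off+bs <= len(msg); off += bs {
		out = append(out, xor(decryptBlock(msg[off:off+bs]), msg[off-bs:off])...)
	}
	pt, err := pkcs7Unpad(out)
	if err != nil {
		panic(err)
	}
	return pt
}

// EncryptionOracle is the page's char *EncryptionOracle(plaintext). Work backwards: fix the last
// ciphertext block arbitrarily, learn D_K of it, set the block in front to D_K(C_i) XOR P_i, and
// repeat; the block placed in front of C_1 is the IV. The server accepts the result although the
// attacker never saw the key.
func EncryptionOracle(pt []byte) []byte {
	padded := pkcs7Pad(pt)
	n := len(padded) / bs
	blocks := make([][]byte, n+1) // blocks[0] becomes the IV
	blocks[n] = bytes.Repeat([]byte{0x41}, bs)
	for i := n; i >= 1; i-- {
		blocks[i-1] = xor(decryptBlock(blocks[i]), padded[(i-1)*bs:i*bs])
	}
	return bytes.Join(blocks, nil)
}

func main() {
	fmt.Printf("%q\n", DecryptionOracle(serverEncrypt([]byte("attack at dawn; the oracle leaks it all"))))
	pt, err := serverDecrypt(EncryptionOracle([]byte("forged without the key")))
	fmt.Printf("%q %v\n", pt, err)
}
```

The fix on the victim side is not a better error message but removing the oracle altogether: authenticate the ciphertext (Encrypt-then-MAC, or an authenticated mode) and reject anything that fails the tag check before touching the padding, so that every forged query gets the same answer.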