current community

your communities

more stack exchange communities

company blog
Stack Exchange Inbox Reputation and Badges
tour help
Information Security Stack Exchange is a question and answer site for information security professionals. Join them; it only takes a minute:

Sign up
Here's how it works:
  1. Anybody can ask a question
  2. Anybody can answer
  3. The best answers are voted up and rise to the top
up vote 13 down vote favorite
3

I was watching this video about TLS 1.3: "Deploying TLS 1.3: the great, the good and the bad (33c3)" and was somewhat surprised to see that in their effort to provide

"fewer, better choices"

they dropped AES-CBC as a supported block cipher mode.

The video lists a number of attacks (Lucky13, POODLE and others), that to my untrained eye seem to be implementation issues. I understand that it is better to have a mode that doesn't encourage such implementation issues, but was that all it took to deprecate this entire cipher mode?

While this book is somewhat dated (2010), Cryptography Engineering it recommends AES-CBC using a randomly generated IV as the best option.

share|improve this question
4  
Crypto that is difficult to implement in practice is crypto that is broken in practice. – Stephen Touset 13 hours ago
    
@StephenTouset All crypto is difficult to implement correctly. If we had to give up on every cryptographic construction which had been implemented correctly a few times I don't think there would be any secure algorithms left to choose from. – kasperd 12 hours ago
2  
Some crypto is more difficult to implement than others. Much of the focus in the past decade of cipher design has been on the development of ciphers and constructs that are misuse-resistant, both from the perspective of end-users and from implementors. Your statement totally glosses over the huge strides we've made through replacing RSA with elliptic curves, ECDSA with EdDSA, unauthenticated ciphers with authenticated ones, S-box ciphers with ARX ciphers, and so on. – Stephen Touset 12 hours ago
up vote 10 down vote

The problem here is not so much with CBC, but with alternatives that are easier to implement safely, without losing mathematical security.In fact, AES-CBC turned out to be notoriously difficult to implement correctly. I recall that older implementations of transport layer security don't have cryptographically secure initialization vectors, which are a must-have for CBC mode

My view is this decision was made because a lot of recent attacks are a version of the Bleichenbacher attack, that depends on the first four bytes of the PKCS padding used in CBC mode. Especially old modes kept for support. POODLE is a downgrade vulnerability. LOGJAM is downgrading TLS to old, export-grade (read NSA-sabotaged) crypto suites.

Bleichenbachers attack depends on the server explicitly saying "invalid padding", thereby leaking 1 bit of information on each transaction. Error messages were removed, but the problem of timing remained. The server still used more time before responding if the padding was valid, but the rest was wrong.

In response they were forced to come up with the peculiar workaround of generating a dummy key, and using that for decryption so it would fail in another part of the implementation. In every implementation. So they decided to no longer force that on developers by supporting it in the specs.

Cryptography is a very broad field, and a specialty on its own. History had learned through uncomfortable experience, that doing it correctly is impossible to do perfectly, even for the best in the field. For example MD5, created by Ron Rivest, co-inventor (and part-namesake) of RSA was widely used, then broken in 2013 . Its collision resistance was circumvented in 2^18 time, less than a second on a desktop computer for 128 bit hashes.

share|improve this answer
    
MAC-then-authenticate? I don't think that is what you meant to say. – kasperd 12 hours ago
    
No you're right i mixed that up :) Thanks! – J.A.K. 11 hours ago
    
I don't watch youtube but the only relevant Bleichenbacher attacks I know are on the PKCS1 padding used for RSA encryption and signing, which are used in SSL/TLS only during key-exchange which can apply to all data ciphers, and also can be avoided for all data ciphers by using e.g. ECDHE-ECDSA instead. The padding used for (data) CBC in TLS is not in any PKCS, although it is similar to that in PKCS7. – dave_thompson_085 59 mins ago
up vote 6 down vote

CBC is a good mode for encryption if implemented correctly. In one short sentence, I've pointed out two defects of CBC.

  • CBC is an encryption mode only: it provides confidentiality, but not authenticity or integrity. You need to authenticate the data separately. It can be done, of course, and that was the only way to do it before TLS 1.2. But it's hard to get right, which is why authenticated encryption modes are recommended. TLS 1.3 pushes GCM instead of CBC + HMAC.
  • CBC is hard to implement correctly. There's the issue of how to combine it with a MAC that I already mentioned. Another issue is to not leak information through padding errors. The IV really must be random; an IV that is influenced by an adversary is insecure and is at least a BEAST.

If it's so hard to implement correctly, it's best not allowed by the protocol. Cryptography design is slowly moving towards from having a few well-studied, flexible primitives to having a few well-studied, robust primitives, because in practice the problem is less that people can't do what they want, but more that they do things that work in the nominal case but fall down to attacks.

share|improve this answer
    
The IV must of course not be influenced by the adversary. But I don't know of any usage of CBC that failed because of that. What is subtle and easy to miss is that the even though the IV doesn't have to remain secret, it is important that the adversary does not learn it ahead of time. If you use CBC for streaming data the IV will become known to the adversary before you have encrypted the last block of the stream. – kasperd 12 hours ago
    
Isn't GCM also hard to get right, especially for things like timing attacks? – grawity 4 hours ago
    
@grawity Timing attacks have a tendency to not work very well over a network, because the timing information you are interested in (generally, that related to the cryption process) tends to be completely dwarfed by timings that you have no real control over or exact knowledge of and which can show significant jitter (often, that related to the network transmission itself). Timing attacks are sometimes a valid threat for a local attacker, but really, how often is that the threat model for TLS? Not very often, I'd think. – Michael Kjörling 1 hour ago
up vote 2 down vote

"Why" is always hard to answer without speculation. In the case of cryptography, our best guides to the future are attacks of the past. In this particular case, simply having the flawed CBC implementation present contributed to the POODLE attack. POODLE was then followed by CRIME, BEAST, and a whole class of attacks that came to be known as padding-oracle attacks.

We may now think everyone knows they should test their padding bytes schemes, but that's only an assumption. Sadly, too many people stop testing once they get the good results they expect, without ensuring there are no side effects in their leftovers.

Now, consider the cost of implementing TLS 1.3. Writing the code is easy. But developers are then going to have to test a combinatoric nightmare of versions, algorithms, key exchanges, etc. And we know that attackers have frequently exploited protocols by combining elements in unexpected and novel ways. Anything they can throw out of the suite makes studying it and testing it orders of magnitude simpler.

Was CBC really to blame, or did it just lead down a path where an unexpected mistake created a vulnerability? The answer is if that's a path we don't need, perhaps it's best to close it entirely.

share|improve this answer
    
POODLE was CBC/(old)padding combined with Mac-then-Encrypt (which latter could have been corrected); BEAST was a protocol flaw that could have applied to another chaining mode if another had been selected; CRIME is actually impeded by CBC versus stream, though not by much. Lucky13 is similarly CBC/(new)padding plus MtE. – dave_thompson_085 1 hour ago

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.