Deterministic Algorithm- given a particular input, will always produce the same output
Bit flipping attack on aes cbc - ashutosh ahelleya
CBC Bit-Flipping Attack
Who am I
1. Ashutosh Ahelleya
2. 2nd Year CSE Undergrad @ Amrita University, Amritapuri Campus
3. Member of bi0s CTF Team
4. Focuses on Cryptography in CTFs
1. Cyber Security Competition
2. Exclusively for School Students below 18 years of age
3. Exciting prizes for the winners of each quarter
4. Know any student interested in Cyber Security?
1. Introduction to block ciphers
2. Discuss different block cipher modes
3. Describe CBC mode of encryption
4. Vulnerabilities in CBC mode
5. CBC Bit Flipping Attack- in depth with an example
6. Preventive measures against Bit-Flipping Attack
What is a block cipher?
1. Encrypting/Decrypting one block of data at a time deterministically
rather than each byte of plaintext
2. Symmetric key
3. Semantically much more secure than stream ciphers
4. What happens if the length of data isn’t a multiple of block size?
5. Implementation of block cipher using different modes
Block-cipher modes of operation
1. Describes how repeatedly to apply a cipher's single-block operation
2. Mostly uses an IV (Initialisation Vector)
b. Secure (randomizes the encryption)
3. A symmetric key for encryption and decryption
CBC mode of encryption
1. CBC - Cipher Block Chaining
2. The ciphertext of one block of plaintext depends on the plaintext of all the
block processed upto that point. (Block Dependent)
1.Encryption: Ci = Ek(Pi xor Ci-1) for i>=1and C0 = IV
2.Decryption: Pi = Dk(Ci) xor Ci-1 for i>=1 and C0 = IV
Vulnerabilities in CBC
1. Depends on how it is implemented at the time of encryption
2. Poor semantics in block cipher mode -> more effective and efficient attack
3. AES function has not yet been efficiently attacked by the use of a normal
4. Attacks are mostly discovered due to lack of precaution while
Examples: Bit Flipping Attack, Padding Oracle Attack
An example (Demo)
1. Such attacks have been used to bypass HTTP session tokens to gain
How it works?
● The plain text block containing “?admin?true?” to be ‘P’.
● The cipher text block next to which we have the plain text block
containing “?admin?true?” to be ‘A’.
● The cipher text block of the corresponding plain text block containing
“?admin?true?” to be ‘B’.
A = P xor BlockCipherDecryption(B)
A[n] = P[n] xor BlockCipherDecryption(B)[n]
BlockCipherDecryption(B[n]) = A[n] xor P[n] ----> Fixed
A[n] = PD xor (A[n] xor PA) (Plaintext value
desired - PD)
or A[n] = A[n] xor (PD xor PA) (Actual plaintext value -
Resources on CBC Bit Flipping Attack
How can it be prevented?
1. Do not prepend a random string before generating a cookie using
encryption function (sounds a bit absurd!)
2. Supply a function which verifies if the random string prepended before
encryption is the same after decryption of the cookie -> ensures no bit flip
and effective too!
1. Block Cipher
2. Block Cipher modes of operation
3. CBC mode of encryption semantically safer than the trivial ECB mode
4. Bit Flipping Attack
a. Change ciphertext in previous block changes plaintext of next block
b. Change session token to login as admin
5. Prevention against Bit Flipping Attack