This document discusses CBC (Cipher Block Chaining) mode of encryption, explaining its vulnerabilities and the specifics of a bit-flipping attack. The bit-flipping attack is demonstrated with an example that circumvents HTTP session tokens, allowing unauthorized access. Preventive measures against such attacks include verifying that a random string prepended during encryption remains consistent after decryption.

1. CBC Bit-Flipping Attack
Team bi0s
1

2. Who am I
1. Ashutosh Ahelleya
2. 2nd Year CSE Undergrad @ Amrita University, Amritapuri Campus
3. Member of bi0s CTF Team
4. Focuses on Cryptography in CTFs
2

3. InCTFj
1. Cyber Security Competition
2. Exclusively for School Students below 18 years of age
3. Exciting prizes for the winners of each quarter
4. Know any student interested in Cyber Security?
a. https://junior.inctf.in/
3

4. Aim
1. Introduction to block ciphers
2. Discuss different block cipher modes
3. Describe CBC mode of encryption
4. Vulnerabilities in CBC mode
5. CBC Bit Flipping Attack- in depth with an example
6. Preventive measures against Bit-Flipping Attack
4

5. What is a block cipher?
1. Encrypting/Decrypting one block of data at a time deterministically
rather than each byte of plaintext
2. Symmetric key
3. Semantically much more secure than stream ciphers
4. What happens if the length of data isn’t a multiple of block size?
5. Implementation of block cipher using different modes
5

6. An example
1. Semantics
6

7. Block-cipher modes of operation
1. Describes how repeatedly to apply a cipher's single-block operation
securely
2. Mostly uses an IV (Initialisation Vector)
a. Unique
b. Secure (randomizes the encryption)
3. A symmetric key for encryption and decryption
7

8. Block-cipher modes of operation
8

9. CBC mode of encryption
1. CBC - Cipher Block Chaining
2. The ciphertext of one block of plaintext depends on the plaintext of all the
block processed upto that point. (Block Dependent)
1.Encryption: Ci = Ek(Pi xor Ci-1) for i>=1and C0 = IV
2.Decryption: Pi = Dk(Ci) xor Ci-1 for i>=1 and C0 = IV
9

10. Vulnerabilities in CBC
1. Depends on how it is implemented at the time of encryption
2. Poor semantics in block cipher mode -> more effective and efficient attack
3. AES function has not yet been efficiently attacked by the use of a normal
computer
4. Attacks are mostly discovered due to lack of precaution while
implementing it
Examples: Bit Flipping Attack, Padding Oracle Attack
10

11. Bit-Flipping Attack: in-depth
11

12. An example (Demo)
1. Such attacks have been used to bypass HTTP session tokens to gain
admin access
2. https://cryptopals.com/sets/2/challenges/16
12

13. How it works?
● The plain text block containing “?admin?true?” to be ‘P’.
● The cipher text block next to which we have the plain text block
containing “?admin?true?” to be ‘A’.
● The cipher text block of the corresponding plain text block containing
“?admin?true?” to be ‘B’.
13

14. The XORing
A = P xor BlockCipherDecryption(B)
A[n] = P[n] xor BlockCipherDecryption(B)[n]
BlockCipherDecryption(B[n]) = A[n] xor P[n] ----> Fixed
A[n] = PD xor (A[n] xor PA) (Plaintext value
desired - PD)
or A[n] = A[n] xor (PD xor PA) (Actual plaintext value -
PA)
14

15. Resources on CBC Bit Flipping Attack
1. http://swepssecurity.blogspot.nl/2014/05/bypassing-encrypted-session-
tokens.html
2. https://masterpessimistaa.wordpress.com/2017/05/03/cbc-bit-flipping-
attack/
15

16. How can it be prevented?
1. Do not prepend a random string before generating a cookie using
encryption function (sounds a bit absurd!)
2. Supply a function which verifies if the random string prepended before
encryption is the same after decryption of the cookie -> ensures no bit flip
and effective too!
16

17. Summary
1. Block Cipher
2. Block Cipher modes of operation
3. CBC mode of encryption semantically safer than the trivial ECB mode
4. Bit Flipping Attack
a. Change ciphertext in previous block changes plaintext of next block
b. Change session token to login as admin
5. Prevention against Bit Flipping Attack
17