Jon Passki came to me a couple months ago with an idea for a new adaptive ciphertext attack on block cipher modes - similar to the Padding Oracle or Manger's Oracle attacks. I found some ways to extend it, and we wound up collaborating on it - and we're finally able to publish it today.
Certain block cipher confidentiality modes, including CBC, CTR, CFB, and OFB, end decryption with an XOR involving the ciphertext - which is often attacker-controlled. When an application decrypts altered ciphertext and attempts to process the manipulated plaintext, it may disclose information about intermediate values, resulting in an oracle. The information disclosed may vary - it could be improper ASN.1 decoding, an invalid timestamp, or, the case we focus on, invalid delimited values.
We use the common application pattern of encrypting delimited values, such as "username|timestamp|userlevel", and the common practice of raising an exception if the number of delimited values is not accurate. Application code could look like:
    ciphertext = read_from_cookie("sessionid")   # attacker-controlled input
    plaintext = decrypt(ciphertext)              # e.g. CBC or CTR, no integrity check
    values = plaintext.split("|")
    if len(values) != 3:
        raise Exception("Incorrectly structured values")
    # Continue on processing data
By detecting this exception, which we call a SeparatorException, we are able to mount an adaptive ciphertext attack that allows us to decrypt the ciphertext. Additionally, after learning the plaintext, we can control the decryption to result in an arbitrary plaintext of our choosing. The solution of course is to verify the integrity of the ciphertext using either a Message Authentication Code (MAC) or an Authenticated Encryption Mode. Matt Green has a good blog post about how to choose an Authenticated Encryption mode.
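As an added illustration (not code from the paper), here is the decrypt-then-split pattern above next to an encrypt-then-MAC version, with a probe that flips one ciphertext bit and reports which failure the application exposes. A SHA-256 counter stream stands in for AES-CTR (the standard library has no block cipher, and only the XOR-with-ciphertext property matters), and the keys and nonce are constructed demo values.

```python
import hashlib
import hmac

# Constructed demo values (not from the paper); a real app derives fresh keys and nonces.
KEY, MAC_KEY, NONCE = b"demo-enc-key", b"demo-mac-key", b"demo-nonce"

def _keystream(length):
    # SHA-256 counter stream standing in for AES-CTR; as in CTR, pt[i] == ct[i] ^ ks[i].
    blocks = [hashlib.sha256(KEY + NONCE + i.to_bytes(8, "big")).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def ctr_xor(data):
    return bytes(a ^ b for a, b in zip(data, _keystream(len(data))))

class SeparatorException(Exception): pass
class IntegrityError(Exception): pass

def parse_vulnerable(ct):
    # Decrypt-then-split: the exception depends on decrypted content, so a
    # caller who can flip ciphertext bits learns where the '|' bytes sit.
    values = ctr_xor(ct).split(b"|")
    if len(values) != 3:
        raise SeparatorException("Incorrectly structured values")
    return values

def seal(plaintext):
    # Encrypt-then-MAC: the tag covers nonce and ciphertext.
    ct = ctr_xor(plaintext)
    return hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest() + ct

def parse_hardened(token):
    # Verify first: tampered ciphertext never reaches split(), so every
    # modification yields the same IntegrityError whatever byte was changed.
    tag, ct = token[:32], token[32:]
    expected = hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise IntegrityError("authentication failed")
    return parse_vulnerable(ct)

def probe(parse, token, index):
    # Flip the low bit of one byte and report which failure the app exposes.
    tampered = bytearray(token)
    tampered[index] ^= 0x01
    try:
        parse(bytes(tampered))
        return "ok"
    except SeparatorException:
        return "separator"
    except IntegrityError:
        return "integrity"
```

With the vulnerable parser, probing byte 5 of "alice|1700000000|1" returns "separator" while probing byte 0 returns "ok", which is exactly the distinguishable signal the attack needs; the hardened parser returns "integrity" for both.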
The paper was updated June 3rd. Thanks to Juraj Somorovsky for pointing out some additional work on the subject.