Format oracles on openPGP

Florian Maury; Jean René Reinhard; Olivier Levillain; Henri Gilbert

doi:10.1007/978-3-319-16715-2_12

Format oracles on openPGP

Florian Maury, Jean René Reinhard, Olivier Levillain, Henri Gilbert

ANSSI

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

The principle of padding oracle attacks has been known in the cryptography research community since 1998. It has been generalized to exploit any property of decrypted ciphertexts, either stemming from the encryption scheme, or the application data format. However, this attack principle is being leveraged time and again against proposed standards and real-world applications. This may be attributed to several factors, e.g., the backward compatibility with standards selecting oracle-prone mechanisms, the difficulty of safely implementing decryption operations, and the misuse of libraries by non cryptography-savvy developers. In this article, we present several format oracles discovered in applications and libraries implementing the OpenPGP message format, among which the popular GnuPG application. We show that, if the oracles they implement are made available to an adversary, e.g., by a frontend application, he can, by querying repeatedly these oracles, decrypt all OpenPGP symmetrically encrypted packets. The corresponding asymptotic query complexities range from 2 to 28 oracle requests per plaintext byte to recover.

Original language	English
Title of host publication	Topics in Cryptology - CT-RSA 2015 - The Cryptographers’ Track at the RSA Conference 2015, Proceedings
Editors	Kaisa Nyberg
Publisher	Springer Verlag
Pages	220-236
Number of pages	17
ISBN (Electronic)	9783319167145
DOIs	https://doi.org/10.1007/978-3-319-16715-2_12
Publication status	Published - 1 Jan 2015
Externally published	Yes
Event	2015 Conference on Cryptographer's Track at the RSA, CT-RSA 2015 - San Francisco, United States Duration: 21 Apr 2015 → 24 Apr 2015

Publication series

Name	Lecture Notes in Computer Science
Volume	9048
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	2015 Conference on Cryptographer's Track at the RSA, CT-RSA 2015
Country/Territory	United States
City	San Francisco
Period	21/04/15 → 24/04/15

Keywords

Authenticated encryption
Chosen ciphertext attacks
Format oracle
GnuPG
Implementation
Padding oracle

Access to Document

10.1007/978-3-319-16715-2_12

Cite this

@inproceedings{38ed1b874ece42a89342da182a46dfc3,

title = "Format oracles on openPGP",

abstract = "The principle of padding oracle attacks has been known in the cryptography research community since 1998. It has been generalized to exploit any property of decrypted ciphertexts, either stemming from the encryption scheme, or the application data format. However, this attack principle is being leveraged time and again against proposed standards and real-world applications. This may be attributed to several factors, e.g., the backward compatibility with standards selecting oracle-prone mechanisms, the difficulty of safely implementing decryption operations, and the misuse of libraries by non cryptography-savvy developers. In this article, we present several format oracles discovered in applications and libraries implementing the OpenPGP message format, among which the popular GnuPG application. We show that, if the oracles they implement are made available to an adversary, e.g., by a frontend application, he can, by querying repeatedly these oracles, decrypt all OpenPGP symmetrically encrypted packets. The corresponding asymptotic query complexities range from 2 to 28 oracle requests per plaintext byte to recover.",

keywords = "Authenticated encryption, Chosen ciphertext attacks, Format oracle, GnuPG, Implementation, Padding oracle",

author = "Florian Maury and Reinhard, \{Jean Ren{\'e}\} and Olivier Levillain and Henri Gilbert",

note = "Publisher Copyright: {\textcopyright} Springer International Publishing Switzerland 2015.; 2015 Conference on Cryptographer's Track at the RSA, CT-RSA 2015 ; Conference date: 21-04-2015 Through 24-04-2015",

year = "2015",

month = jan,

day = "1",

doi = "10.1007/978-3-319-16715-2\_12",

language = "English",

series = "Lecture Notes in Computer Science",

publisher = "Springer Verlag",

pages = "220--236",

editor = "Kaisa Nyberg",

booktitle = "Topics in Cryptology - CT-RSA 2015 - The Cryptographers{\textquoteright} Track at the RSA Conference 2015, Proceedings",

}

Maury, F, Reinhard, JR, Levillain, O & Gilbert, H 2015, Format oracles on openPGP. in K Nyberg (ed.), Topics in Cryptology - CT-RSA 2015 - The Cryptographers’ Track at the RSA Conference 2015, Proceedings. Lecture Notes in Computer Science, vol. 9048, Springer Verlag, pp. 220-236, 2015 Conference on Cryptographer's Track at the RSA, CT-RSA 2015, San Francisco, United States, 21/04/15. https://doi.org/10.1007/978-3-319-16715-2_12

Format oracles on openPGP. / Maury, Florian; Reinhard, Jean René; Levillain, Olivier et al.
Topics in Cryptology - CT-RSA 2015 - The Cryptographers’ Track at the RSA Conference 2015, Proceedings. ed. / Kaisa Nyberg. Springer Verlag, 2015. p. 220-236 (Lecture Notes in Computer Science; Vol. 9048).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Format oracles on openPGP

AU - Maury, Florian

AU - Reinhard, Jean René

AU - Levillain, Olivier

AU - Gilbert, Henri

N1 - Publisher Copyright: © Springer International Publishing Switzerland 2015.

PY - 2015/1/1

Y1 - 2015/1/1

N2 - The principle of padding oracle attacks has been known in the cryptography research community since 1998. It has been generalized to exploit any property of decrypted ciphertexts, either stemming from the encryption scheme, or the application data format. However, this attack principle is being leveraged time and again against proposed standards and real-world applications. This may be attributed to several factors, e.g., the backward compatibility with standards selecting oracle-prone mechanisms, the difficulty of safely implementing decryption operations, and the misuse of libraries by non cryptography-savvy developers. In this article, we present several format oracles discovered in applications and libraries implementing the OpenPGP message format, among which the popular GnuPG application. We show that, if the oracles they implement are made available to an adversary, e.g., by a frontend application, he can, by querying repeatedly these oracles, decrypt all OpenPGP symmetrically encrypted packets. The corresponding asymptotic query complexities range from 2 to 28 oracle requests per plaintext byte to recover.

AB - The principle of padding oracle attacks has been known in the cryptography research community since 1998. It has been generalized to exploit any property of decrypted ciphertexts, either stemming from the encryption scheme, or the application data format. However, this attack principle is being leveraged time and again against proposed standards and real-world applications. This may be attributed to several factors, e.g., the backward compatibility with standards selecting oracle-prone mechanisms, the difficulty of safely implementing decryption operations, and the misuse of libraries by non cryptography-savvy developers. In this article, we present several format oracles discovered in applications and libraries implementing the OpenPGP message format, among which the popular GnuPG application. We show that, if the oracles they implement are made available to an adversary, e.g., by a frontend application, he can, by querying repeatedly these oracles, decrypt all OpenPGP symmetrically encrypted packets. The corresponding asymptotic query complexities range from 2 to 28 oracle requests per plaintext byte to recover.

KW - Authenticated encryption

KW - Chosen ciphertext attacks

KW - Format oracle

KW - GnuPG

KW - Implementation

KW - Padding oracle

U2 - 10.1007/978-3-319-16715-2_12

DO - 10.1007/978-3-319-16715-2_12

M3 - Conference contribution

AN - SCOPUS:84930446620

T3 - Lecture Notes in Computer Science

SP - 220

EP - 236

BT - Topics in Cryptology - CT-RSA 2015 - The Cryptographers’ Track at the RSA Conference 2015, Proceedings

A2 - Nyberg, Kaisa

PB - Springer Verlag

T2 - 2015 Conference on Cryptographer's Track at the RSA, CT-RSA 2015

Y2 - 21 April 2015 through 24 April 2015

ER -

Format oracles on openPGP

Abstract

Publication series

Conference

Keywords

Access to Document

Fingerprint

Cite this