I’m excited to announce that I will be presenting at this year’s Black Hat Asia about my research into detecting and exploiting CBC padding oracles!
Zombie POODLE and GOLDENDOODLE are the names I’ve given to the vulnerabilities I’ll be discussing. Similar to ROBOT, DROWN and many other vulnerabilities affecting HTTPS, these issues stem from continued use of cryptographic modes which should have been long ago deprecated and yet are inexplicably still supported in TLSv1.2. In this case, the troublesome feature is that TLSv1.2 supports CBC mode ciphersuites.
To understand these flaws, it’s important to have a little background on block ciphers and cipher-block chaining (CBC) mode.
A block cipher operates on discrete blocks of data as opposed to a stream cipher that would encrypt individual bits. AES is an example of a block cipher, while RC4 is a stream cipher. AES can only encrypt or decrypt 128-bit blocks of data. It is not possible to directly encrypt or decrypt more or less bits with AES without defining a mode of operation. CBC is a mode of operation for block ciphers in which ciphertexts are chained together via XOR. By doing this, repeated plaintext will not lead to repeated ciphertext, and modification of a ciphertext block will also change the plaintext in the following block.