How does a CCA attack break CBC encryption?

Seeing that @玄星 had answered this classic cryptography question, I got excited too and decided to supplement 玄星's answer. Call it an uninvited contribution~ The code in this answer comes from my own blog (.cn/s/blog_6ezz.html). The problem in this answer comes from Dan Boneh's public Coursera course "Cryptology".

0. Overview of the security problem with CBC mode

玄星's answer is correct: CBC mode admits a Padding Oracle Attack. Padding by itself is merely a supplement to block-cipher encryption, but once it is combined with CBC-mode encryption a potential vulnerability appears, through which an attacker may completely decrypt a CBC-encrypted message without knowing the key.

What I want to add is that the Padding Oracle Attack is a typical instance of a Chosen Ciphertext Attack (CCA) on a cryptosystem. Theorists have always insisted on CCA security, but is an encryption scheme that lacks CCA security really insecure? The Padding Oracle Attack answers that question, and calls for using CCA-secure encryption in practice.

Below I explain CBC mode, padding and the Padding Oracle Attack in several parts, and then use an exercise from Dan Boneh's Coursera course "Cryptology I" to demonstrate how a Padding Oracle Attack is actually carried out.

1. Padding

We know that DES, AES and similar schemes are block ciphers, while stream ciphers are not. The basic idea of a block cipher is to split the message into blocks, e.g. 128 bits each, encrypt every block, and finally assemble the ciphertext. For DES the block length is 64 bits; for AES it is 128 bits. Note that when AES was first proposed the block length could be chosen as 128, 192 or 256 bits, but when the AES standard was finalized the block length was fixed at 128 bits.

This raises a question: not every message has a length that is a multiple of 128. So if we split the message into blocks, what do we do with the leftover part that is shorter than 128 bits? One effective method is to fill in the missing part, and that is padding.

The principle of padding is: after splitting the message into blocks, however many bytes the last block is short, append that many copies of that number. This sounds convoluted, so here is an example. Suppose the block length is 4 bytes, i.e. 32 bits. If after splitting the last block has 1 byte left (say 8A), we pad with three bytes of 03, giving 8A030303, which fills the 4 bytes. If the data has 2 bytes (say 4FFF), we pad with two bytes of 02, giving 4FFF0202. If the data is exactly 4 bytes (4F3E2D1C), we append a further 4 bytes of 04, i.e. 4F3E2D1C04040404. This way a message of any length can be split into blocks correctly and then passed on to the encryption step.

2. CBC mode

After splitting into blocks, we apply the AES algorithm to each block. This looks effective, and in single-key cryptosystems it is called ECB mode. But it has a problem: under the same key, identical message content produces identical ciphertext, and that undoubtedly leaks information to an attacker.

A simple example: suppose that before Alice and Bob communicate, Alice always greets Bob first, e.g. sends him "Hello Bob"; Bob returns "Hello Alice", and then the two of them talk. Now, for security, we encrypt the traffic between Alice and Bob. Suppose "Hello Bob" encrypts to "!!#$%^" and "Hello Alice" encrypts to "^%$#!". Then no matter how we encrypt, as long as the key between Alice and Bob stays the same, every time they start talking Alice sends "!!#$%^" to Bob and Bob replies "^%$#!" to Alice. An attacker eavesdropping on the channel who sees something like "!!#$%^" or "^%$#!" knows that Alice and Bob are about to communicate. Worse, the attacker can impersonate Alice and send "!!#$%^" to Bob, fooling Bob into believing he is about to communicate with Alice.

The problem behind this attack is that if the key does not change, identical messages always encrypt to identical ciphertexts. How do we solve it? People proposed CBC mode. CBC mode is an ordinary block-cipher mode used for general data encryption. In this mode, computing the first ciphertext block requires a special plaintext, conventionally called the initialization vector (IV). The IV is a random block, and every session's encryption must use a fresh random IV. The IV need not be kept secret, but it must be unpredictable. Because of its randomness, the IV randomizes all subsequent ciphertext blocks. Since the IV must be public and the encryption result of the first block is the IV, CBC mode outputs m+1 ciphertext blocks for m plaintext blocks. The mode's diagram is shown below (image source: HappyHippy's blog, 对称加密和分组加密中的四种模式(ECB、CBC、CFB、OFB), the four modes ECB, CBC, CFB and OFB of symmetric block encryption):

[Figure: CBC mode block diagram]

Because the IV is introduced and differs on every encryption, the entire ciphertext changes each time, which solves the problem described above.

3. CCA attacks

Before discussing CCA attacks, let me roughly explain what secure encryption means. For the precise definitions, please refer to the formal definitions of Semantic Security, CPA security (Chosen Plaintext Security) and CCA security.

Intuitively we think an encryption is secure as long as the plaintext cannot be recovered from the ciphertext. In fact the notion of security in cryptography is much stronger. Cryptography requires that the ciphertext must not leak any information whatsoever about the message. Put differently: the ciphertext should look like a random number. Think about the relationship between these two statements for a moment. So if an attacker can extract even a tiny bit of information about the corresponding plaintext from a ciphertext, we consider the encryption scheme insecure.

A CCA attack means that while attacking the algorithm, the attacker can obtain the decryption under Key of any ciphertext. What does that mean? Although the attacker does not know the private key Key, they can learn the decryption under Key of any ciphertext other than the one under attack. This gives the attacker a very strong capability. For example, suppose the target ciphertext is C. The attacker can tweak C a little to produce some other ciphertext and ask the encrypting party to decrypt it. The result is of course not the plaintext of C (since C was modified), but the result may leak some information about C's plaintext. The attacker is then more likely to succeed in attacking C and extracting useful information from the ciphertext.

4. Padding Oracle Attack

If we write CBC mode out as formulas, we find the following. Suppose the data has 4 blocks; the first is of course the initialization vector IV, the second is the ciphertext block c[0], followed by c[1], c[2], c[3]. Then:

$c[0] = Enc(k, IV \oplus m[0])$
$c[1] = Enc(k, c[0] \oplus m[1])$
$c[2] = Enc(k, c[1] \oplus m[2])$
$c[3] = Enc(k, c[2] \oplus m[3])$

where Enc is the encryption algorithm of the block cipher. Decryption runs the other way:

$m[0] = IV \oplus Dec(k, c[0])$
$m[1] = c[0] \oplus Dec(k, c[1])$
$m[2] = c[1] \oplus Dec(k, c[2])$
$m[3] = c[2] \oplus Dec(k, c[3])$

Now we attack this scheme with the CCA described above. Having obtained the target ciphertext c, the attacker constructs the following ciphertext, whose initialization vector IV' is

$IV' = IV \oplus g \oplus 0000...0001$

followed by c'[0] = c[0], and so on with the rest unchanged. IV' has the block length, and g ranges from 00 to FF. On decryption there are two cases:

(1) The padding is wrong. That is, the tail should consist of the count of missing bytes repeated that many times, but after decryption the padding bytes are found to be wrong.
(2) The padding is fine. That is, the tail of the decrypted result is indeed the count of missing bytes repeated that many times.

Note that if the padding is fine, the last byte of m[0] must be g, because

$m[0] = IV' \oplus Dec(k, c[0]) = g \oplus 0000...0001 \oplus Dec(k, c[0]) = ????...01$

So we have guessed the last byte of m[0]. Next we guess that the second-to-last byte of m[0] is g, i.e. we construct the ciphertext

$IV' = IV \oplus g \oplus 0000...0202,\ c'[0] = c[0],\ \cdots$

and keep guessing in a loop until the whole plaintext has been recovered. The complexity of this attack is

$16 \times 16 \times block = 256 \times block$

far below the complexity of guessing the key, so the attack is effective.

5. The Padding Oracle Attack in practice

Is this attack of any use in practice? After all, in practice we can simply refuse to let the attacker make decryption queries, i.e. obtain the plaintext of arbitrary ciphertexts. Yet this attack method really does exist in practice. Older versions of the TLS protocol had the following problem: for a ciphertext with bad padding, a padding error is returned (shown in the browser as error 403); for a ciphertext whose padding is correct but whose decrypted message is wrong, a failure error is returned (shown in the browser as error 404). So an attacker can submit ciphertexts to the server, observe whether the returned error is 403 or 404, and carry out exactly this attack.

6. A practical attack

Here we borrow an exercise from Dan Boneh's public course to demonstrate the Padding Oracle Attack. Let's look at the problem.

Problem Set: Padding oracles attack
A web site administrator found these log entries (http://spark-university./stanford-crypto/projects/proj4-log.txt) in a web server log. After some digging, the admin realized that the first log entry is an AES CBC encryption with random IV of some secret data (the ciphertext is hex encoded and appears right after the "GET /"). The secret data contains private user data that should only be known to the web site.

After more digging the admin realized that the web site is vulnerable to a CBC padding oracle attack. In particular, when a decrypted CBC ciphertext ends in an invalid pad the web server returns a 403 error code (forbidden request). When the CBC padding is valid, but the message is malformed the web server returns a 404 error code (URL not found). To her horror, the admin realized that the log entries following the first entry are a result of a remote CBC padding oracle attack on the ciphertext in the first log entry.

See if you can use the given log entries to recover the decryption of the ciphertext in the first log entry. Keep in mind that the first ciphertext block is the random IV. The decrypted message is ASCII encoded.

We discussed CBC padding oracle attacks in Lecture 7.6 (https://class.coursera.org/crypto/lecture/view?lecture_id=38), but if you want to read more about them, please see Vaudenay's paper (http://www.iacr.org/archive/eurocrypt0/cbc02_e02d.pdf).

The problem also points to the origin of the Padding Oracle Attack (Vaudenay's paper), for anyone interested. We now use Java to recover the plaintext by means of the Padding Oracle Attack.

From the log given in the problem, we first read the entries into the program:

```java
import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;

// FileDir is the path of the downloaded proj4-log.txt (a field defined elsewhere in the class)
public static ArrayList<String> ReadFile(){
    File file = new File(FileDir);
    try {
        ArrayList<String> result = new ArrayList<String>();
        FileInputStream fis = new FileInputStream(file);
        BufferedReader br = new BufferedReader(new InputStreamReader(fis));
        String line;
        while((line = br.readLine()) != null){
            result.add(line);
        }
        br.close();
        fis.close();
        // drop the first line (the original request); only the probe lines that follow are needed
        result.remove(0);
        return result;
    } catch (IOException e) {
        e.printStackTrace();
        return null;
    }
}
```

Then we pick out the entries whose error code is 404:

```java
// keep only the probes answered with 404 (valid padding) and split each probe
// ciphertext into its four 8-byte halves (16 hex characters each)
public static ArrayList<String[]> getFileWithError404(ArrayList<String> data){
    ArrayList<String[]> result = new ArrayList<String[]>();
    for (int i=0; i<data.size(); i++){
        String target = data.get(i);
        if (target.endsWith("404")){
            // the 64 hex characters of the probe ciphertext sit at fixed offsets in the log line
            target = target.substring(43, 107);
            result.add(new String[]{target.substring(0,16), target.substring(16,32),
                target.substring(32,48), target.substring(48,64)});
        }
    }
    return result;
}
```
Then we list the data that has been completely guessed, i.e. the group without the repeated 2020, and in the end we get:

dce6acb565dd951c
642b9feeebcdffc9
afa631b5b91c019d
d9dcd464e333b164
6b44 1cccbdfdfe54684d
daffd5ebb46574cd
5bbec93
fa32afb
4645bd2dfcd230df

Since all of these were guessed over 16 rounds, their padding is all 10. From the principle of CBC we know the first group of data is of no use; that is the transformed IV and has no value. Starting from the second group, we XOR each datum with 1010...1010, and we obtain the values D(k, c[i]):

BFB621A5A90C118D
C9CCC474F323A174
7B54
0CDCADEDEE44785D
CAEFC5FBA47564DD
4BAEC83
EA22BFB 5655AD3DECC220CF

By the formulas m[0] = IV xor D(k, c[0]), m[1] = c[0] xor D(k, c[1]), and now that we have all the data we need, we simply compute in order according to the formulas. The final result is:

416C
7061
43D22
E6720
6F320
6E67
2209

This is obviously ASCII-encoded English letters plus punctuation~ and at the end there are 9 bytes of 09 as padding. Decoded, the plaintext is:

user="Alice"; password="padding oracles are dangerous!"
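The recipe from Sections 1, 2 and 4 above, run end to end: pad, CBC-encrypt, expose a server that only says whether the padding was valid, and recover the plaintext from that one bit. This is an added example, not code from the answer above or from Dan Boneh's course, and it does not use the problem set's log. So that it runs offline with only the Python standard library, the block cipher is an assumed stand-in: an 8-round Feistel permutation with a SHA-256 round function on 16-byte blocks in place of AES (the attack never looks inside the cipher, so any 16-byte block cipher would do). The names `PaddingOracle`, `recover_intermediate`, `padding_oracle_attack` and `demo` are this example's own, and the secret string is the problem set's recovered plaintext reused as constructed input.

```python
import hashlib
import os

BLOCK = 16   # block length in bytes, as for AES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Assumed stand-in for AES: 8-round Feistel with a SHA-256 round function (not a real cipher).
def _f(key: bytes, r: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([r]) + half).digest()[:BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in range(8):
        left, right = right, _xor(left, _f(key, r, right))
    return left + right

def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for r in reversed(range(8)):
        left, right = _xor(right, _f(key, r, left)), left
    return left + right

# Padding and CBC mode as in Sections 1 and 2 of the answer.
def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK          # a whole block of 0x10 when already aligned
    return data + bytes([n]) * n

def pkcs7_unpad(data: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise ValueError("bad length")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    """Returns IV || c[0] || c[1] ...: m plaintext blocks give m+1 ciphertext blocks."""
    out, prev = [iv], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(prev, padded[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, ct: bytes) -> bytes:
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    # m[i] = c[i-1] xor Dec(k, c[i]), with the IV standing in for c[-1]
    return pkcs7_unpad(b"".join(_xor(p, block_decrypt(key, c)) for p, c in zip(blocks, blocks[1:])))

class PaddingOracle:
    """The vulnerable server: all it reveals is whether the padding was valid."""
    def __init__(self, key: bytes):
        self._key, self.queries = key, 0

    def padding_valid(self, ct: bytes) -> bool:
        self.queries += 1
        try:
            cbc_decrypt(self._key, ct)
            return True                    # the problem set's 404: good pad, bad message
        except ValueError:
            return False                   # the problem set's 403: bad pad

# The attack of Section 4: recover Dec(k, c) one byte at a time, last byte first.
def recover_intermediate(oracle: PaddingOracle, c: bytes) -> bytes:
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):   # bytes already known: force them to equal `pad`
            forged[j] = inter[j] ^ pad
        for g in range(256):
            forged[pos] = g
            if not oracle.padding_valid(bytes(forged) + c):
                continue
            if pos == BLOCK - 1:
                # A last-byte hit may really be a 0x02 0x02 pad; flipping the byte before it breaks only that case.
                forged[pos - 1] ^= 0x01
                still_valid = oracle.padding_valid(bytes(forged) + c)
                forged[pos - 1] ^= 0x01
                if not still_valid:
                    continue
            inter[pos] = g ^ pad          # the decrypted byte equals pad, and it is inter ^ g
            break
        else:
            raise RuntimeError("oracle never accepted a pad; not a padding oracle?")
    return bytes(inter)

def padding_oracle_attack(oracle: PaddingOracle, ct: bytes) -> bytes:
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return pkcs7_unpad(b"".join(_xor(p, recover_intermediate(oracle, c)) for p, c in zip(blocks, blocks[1:])))

def demo(secret: bytes = b'user="Alice"; password="padding oracles are dangerous!"'):
    key, iv = os.urandom(32), os.urandom(BLOCK)   # the attacker never sees `key`
    oracle = PaddingOracle(key)
    ct = cbc_encrypt(key, iv, pkcs7_pad(secret))
    return padding_oracle_attack(oracle, ct), oracle.queries, len(ct) // BLOCK - 1

if __name__ == "__main__":
    plaintext, queries, nblocks = demo()
    print(f"{nblocks} blocks recovered with {queries} oracle queries: {plaintext!r}")
```

Run it directly and it prints the recovered string together with the number of oracle queries, which stays within the 256 guesses per byte that Section 4 counts. The extra probe on the last byte handles a case the short description glosses over: a guess can be accepted because the block happens to end in 02 02 rather than 01, and flipping the preceding byte of IV' tells the two apart. The oracle only ever returns a boolean, which is exactly what the 403/404 distinction gives an attacker; authenticating the ciphertext before decrypting it (the CCA-security point of this answer) removes that bit and with it the attack.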
Because CBC opens the possibility of a Padding Oracle attack.

Padding oracle attack (http://en.wikipedia.org/wiki/Padding_oracle_attack)

The wiki says:

> In symmetric cryptography, the padding oracle attack is most commonly applied to the CBC mode of operation, where the "oracle" (usually a server) leaks data about whether the padding of an encrypted message is correct or not. Such data can allow attackers to decrypt (and sometimes encrypt) messages through the oracle using the oracle's key, without knowing the encryption key.

In CBC mode, a change to the IV (initialization vector) is reflected directly in the decrypted plaintext, and the IV is something the attacker can manipulate. If the server reports the two errors, 1. padding error and 2. plaintext error, separately, an attacker may be able to exploit this, letting the attacker decrypt the message without knowing the key.
The answers above explain it clearly; let me expand a little. The asker can start from the four modes CBC, ECB, OFB and CFB and compare their strengths and weaknesses.