Automating the Development of Chosen Ciphertext Attacks Gabrielle Beck∗ Maximilian Zinkus∗ Matthew Green Johns Hopkins University Johns Hopkins University Johns Hopkins University [email protected] [email protected] [email protected] Abstract In this work we consider a specific class of vulner- ability: the continued use of unauthenticated symmet- In this work we investigate the problem of automating the ric encryption in many cryptographic systems. While development of adaptive chosen ciphertext attacks on sys- the research community has long noted the threat of tems that contain vulnerable format oracles. Unlike pre- adaptive-chosen ciphertext attacks on malleable en- vious attempts, which simply automate the execution of cryption schemes [17, 18, 56], these concerns gained known attacks, we consider a more challenging problem: practical salience with the discovery of padding ora- to programmatically derive a novel attack strategy, given cle attacks on a number of standard encryption pro- only a machine-readable description of the plaintext veri- tocols [6,7, 13, 22, 30, 40, 51, 52, 73]. Despite repeated fication function and the malleability characteristics of warnings to industry, variants of these attacks continue to the encryption scheme. We present a new set of algo- plague modern systems, including TLS 1.2’s CBC-mode rithms that use SAT and SMT solvers to reason deeply ciphersuite [5,7, 48] and hardware key management to- over the design of the system, producing an automated kens [10, 13]. A generalized variant, the format oracle attack strategy that can entirely decrypt protected mes- attack can be constructed when a decryption oracle leaks sages. Developing our algorithms required us to adapt the result of applying some (arbitrarily complex) format- techniques from a diverse range of research fields, as well checking predicate F to a decrypted plaintext. Format as to explore and develop new ones. We implement our oracles appear even in recent standards such as XML algorithms using existing theory solvers. The result is a encryption [42, 45], Apple’s iMessage [36] and modern practical tool called Delphinium that succeeds against OpenPGP implementations [47, 59]. These attacks likely real-world and contrived format oracles. To our knowl- represent the “tip of the iceberg”: many vulnerable sys- edge, this is the first work to automatically derive such tems may remain undetected, due to the difficulty of complex chosen ciphertext attacks. exploiting non-standard format oracles. 1 Introduction From a constructive viewpoint, format oracle vulnera- bilities seem easy to mitigate: simply mandate that pro- The past decades have seen enormous improvement in tocols use authenticated encryption. Unfortunately, even our understanding of cryptographic protocol design. De- this advice may be insufficient: common authenticated spite these advances, vulnerable protocols remain widely encryption schemes can become insecure due to imple- deployed. In many cases this is a result of continued mentation flaws such as nonce re-use [21, 43, 46]. Setting support for legacy protocols and ciphersuites, such as aside implementation failures, the continued deployment TLS’s CBC-mode ciphers [7, 64], export-grade encryp- of unauthenticated encryption raises an obvious ques- tion [4,9, 19], and legacy email encryption [59]. How- tion: why do these vulnerabilities continue to appear ever, support for legacy protocols does not account for in modern protocols? The answer highlights a discon- the presence of vulnerabilities in more recent protocols nect between the theory and the practice of applied cryp- and systems [36, 42, 47, 72, 74]. tography. In many cases, a vulnerable protocol is not obviously an exploitable protocol. This is particularly ∗These authors contributed equally to the work. true for non-standard format oracles which require en- properties, can we programatically derive a chosen-ciphertext attack that allows us to effi- ciently decrypt arbitrary ciphertexts? Our primary requirement is that the software responsi- ble for developing this attack should require no further assistance from human beings. Moreover, the developed attack must be efficient: ideally it should not require sub- stantially more work (as measured by number of oracle queries and wall-clock execution time) than the equiva- lent attack developed through manual human optimiza- tion. To our knowledge, this work represents the first at- tempt to automate the discovery of novel adaptive cho- sen ciphertext attacks against symmetric format oracles. While our techniques are designed to be general, in prac- Figure 1: Output of a format oracle attack that our algo- tice they are unlikely to succeed against every possible rithms developed against a bitwise padding check ora- format checking function. Instead, in this work we initi- cle F (see §5.2 for a full description). The original bitpad ate a broader investigation by exploring the limits of our ciphertext is a valid 128-bit (random) padded message approach against various real-world and contrived format encrypted using a stream cipher. Each row of the bitmap checking functions. Beyond presenting our techniques, represents a malleation string that was exclusive-ORed our practical contribution of this work is a toolset that with the ciphertext prior to making a decryption query. we name Delphinium, which produces highly-efficient attacks across several such functions. tirely new exploit strategies. As a concrete example, the Relationship to previous automated attack work. Pre- authors of [36] report that Apple did not repair a com- vious work [12, 26, 58] has looked at automatic discovery plex gzip compression format oracle in the iMessage and exploitation of side channel attacks. In this setting, a protocol when the lack of authentication was pointed out; program combines a fixed secret input with many “low” but did mitigate the flaw when a concrete exploit was inputs that are (sometimes adaptively) chosen by an at- demonstrated. Similar flaws in OpenPGP clients [36, 59] tacker, and produces a signal, e.g., modeling a timing and PDF encryption [55] were addressed only when re- result. This setting can be viewed as a special case of searchers developed proof-of-concept exploits. The un- our general model (and vice versa). Like our techniques, fortunate aspect of this strategy is that cryptographers’ several of these works employ SAT solvers and model time is limited, which leads protocol designers to dis- counting techniques. However, beyond these similarities, count the exploitability of real cryptographic flaws. there are fundamental differences that manifest in our Removing the human element. In this work we investi- results: (1) in this work we explore a new approach based gate the feasibility of automating the design and devel- on approximate model counting, and (2) as a result of this opment of adaptive chosen ciphertext attacks on symmet- approach, our results operate over much larger secret do- ric encryption schemes. We stress that our goal is not mains than the cited works. To illustrate the differences, simply to automate the execution of known attacks, as our experimental results succeed on secret (message) do- in previous works [45]. Instead, we seek to develop a mains of several hundred bits in length, with malleation methodology and a set of tools to (1) evaluate if a system strings (“low inputs”) drawn from similarly-sized do- is vulnerable to practical exploitation, and (2) program- mains. By contrast, the cited works operate over smaller matically derive a novel exploit strategy, given only a secret domains that rarely even reach a size of 224. More- description of the target. This removes the expensive over, our format functions are relatively complex. It is human element from attack development. an open question to determine whether the experimen- To emphasize the ambitious nature of our problem, we tal results in the cited works can be scaled using our summarize our motivating research question as follows: techniques. Our contributions. In this work we make the following Given a machine-readable description of a for- contributions: mat checking function F along with a descrip- tion of the encryption scheme’s malleation We propose new, and fully automated algorithms • for developing format oracle attacks on symmetric string”), and produces a new, mauled ciphertext C0. The P encryption (and hybrid encryption) schemes. Our function Maulplain(M;S) M0 computes the equivalent algorithms are designed to work with arbitrary for- malleation over some plaintext,! producing a plaintext (or, mat checking functions, using a machine-readable in some cases, a set of possible plaintexts1). The essen- description of the function and the scheme’s mal- tial property we require from these functions is that the leation features to develop the attack strategy. plaintext malleation function should “predict” the effects of encrypting a plaintext M, mauling the resulting cipher- We design and implement novel attack-development • text, then subsequently decrypting the result. For some techniques that use approximate model counting typical encryption schemes, these functions can be sim- techniques to achieve significantly greater efficiency ple: for example, a simple stream cipher can be realized than previous works. These techniques may be of by defining both functions to be bitwise exclusive-OR. independent interest. However, malleation functions may also implement fea- We show how to implement our technique prac- tures such as truncation