查看“︁密文填塞攻击”︁的源代码

{{NoteTA|G1=IT}}
在加密学中，'''密文填塞攻击'''（{{lang|en|Padding Oracle attack}}，字面译为填充神谕攻击）是指使用密文的[[填充 (密码学)|填充验证信息]]来进行解密的攻击方法。密码学中，可变长度的明文信息通常需要经填充后才能兼容基础的{{tsl|en|cryptographic primitive|密码原语|密码原语}}。此攻击方式依赖对密文是否被正确填充的反馈信息。密文填塞攻击常常与[[分组密码]]内的[[分组密码工作模式|密码块链接解密模式]]有关。非对称加密算法，如[[最优非对称加密填充|最优非对称加密填充算法]]，也可能易受到密文填充攻击。<ref>{{cite web|last=Manger|first=James|title=A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0|url=http://archiv.infsec.ethz.ch/education/fs08/secsem/Manger01.pdf|publisher=Telstra Research Laboratories|accessdate=2019-07-08|archive-date=2013-01-14|archive-url=https://web.archive.org/web/20130114042345/http://archiv.infsec.ethz.ch/education/fs08/secsem/Manger01.pdf|dead-url=yes}}</ref>

==对称加密==
在对称加密中，填充{{tsl|en|oracle attack|神谕攻击|神谕攻击}}可应用在[[分组密码工作模式]]上，其反馈的“[[测试准则|神谕]]”（通常为服务器）信息将返回泄漏密文[[填充 (密码学)|填充]]的正确与否。攻击者可在没有加密密钥的情况下，透过此信息的神谕密钥解密（或加密）信息。

===对密码块链接进行密文填充攻击===

对密码块链接进行解密需要先解密所有密文组，再验证填充，随后移除[[公钥密码学标准|PKCS7]]填充，最后再返回解密后的明文信息。
若服务器返回“填充无效”信息而非“解密失败”错误，则攻击者可利用服务器本身进行密文填塞来解密（或加密）信息。

[[File:CBC_decryption_(zh-CN).svg|center]]

进行密码块链接解密的数学公式为
:<math>P_i = D_K(C_i) \oplus C_{i-1},</math>
:<math>C_0 = IV.</math>

如上文所述，进行密码块链接解密时会将每个明文块与先前的密文块进行异或比较。
因此，若块<math>C_1</math>更改了一个字节，则块<math>P_2</math>中的对应字节也会被修改。

假设攻击者拥有密文块<math>C_1, C_2</math>，且欲解密第二个密文块来获得明文<math>P_2</math>。
攻击者可以更改<math>C_1</math>的最后一个字节（即<math>C_1'</math>），并发送<math>(IV,C_1',C_2)</math>至服务器。
服务器随后将返回最后一个解密块（<math>P_2'</math>）的填充是否正确（是否等于0x01）。
若填充正确，攻击者则能确定<math>D_K(C_2) \oplus C_1'</math>的最后一个字节是<math>\mathrm{0x01}</math>，即<math>D_K(C_2) = C_1' \oplus \mathrm{0x01}</math>。
若填充不正确，攻击者则可以将<math>C_1'</math>的最后一个字节更改为下一个可能的值。
在最不理想的情况下，攻击者需要进行256次尝试（即尝试每个字节）来寻找<math>P_2</math>的最后一个字节。若解密的明文块内包含填充信息或用于填充的字节，攻击者则还需要进行额外的尝试来排除不同的可能性。<ref>{{citation|title=Is the padding oracle attack deterministic|url=http://crypto.stackexchange.com/questions/40800/is-the-padding-oracle-attack-deterministic|accessdate=2019-07-08|archive-date=2019-07-08|archive-url=https://web.archive.org/web/20190708063931/https://crypto.stackexchange.com/questions/40800/is-the-padding-oracle-attack-deterministic|dead-url=no}}</ref>

在确定<math>P_2</math>的最后一个字节后，攻击者可以使用相同的手段来获取<math>P_2</math>的倒数第二个字节。
攻击者可将<math>C_1</math>的最后一个字节设置为<math>D_K(C_2) \oplus \mathrm{0x02}</math>，进而可将<math>P_2</math>的相应字节设置为<math>\mathrm{0x02}</math>。
利用上述的相同方式，攻击者可继续更改倒数第二个字节，直到填充正确为止（0x02, 0x02）。

若一个密文块包含了128比特（或16字节）的信息（如[[高级加密标准|AES]]），攻击者可在255x16=4080次尝试中获取到明文的<math>P_2</math>信息。这比使用暴力破解所需的<math>2^{128}</math>次尝试要快得多。

==使用密文填塞进行攻击==
使用密文填塞的攻击方法起初由{{tsl|en|Serge Vaudenay|塞尔日·瓦德奈|塞尔日·瓦德奈}}于2002年发布。<ref>{{cite conference |author=Serge Vaudenay |date=2002 |title=Security Flaws Induced by CBC Padding Applications to SSL, IPSEC, WTLS... |publisher=EUROCRYPT 2002 |url=https://www.iacr.org/cryptodb/archive/2002/EUROCRYPT/2850/2850.pdf |access-date=2019-07-08 |archive-date=2019-06-05 |archive-url=https://web.archive.org/web/20190605230003/https://www.iacr.org/cryptodb/archive/2002/EUROCRYPT/2850/2850.pdf |dead-url=no }}</ref>攻击者随后利用此方法投入实际，用于应对SSL<ref>{{citation |author1=Brice Canvel |author2=Alain Hiltgen |author3=Serge Vaudenay |author4=Martin Vuagnoux |date=2003 |title=Password Interception in a SSL/TLS Channel |url=https://www.iacr.org/cryptodb/archive/2003/CRYPTO/1069/1069.pdf |accessdate=2019-07-08 |archive-date=2019-06-05 |archive-url=https://web.archive.org/web/20190605225945/https://www.iacr.org/cryptodb/archive/2003/CRYPTO/1069/1069.pdf |dead-url=no }}.</ref> 和IPSec<ref>{{citation |author1=Jean Paul Degabriele |author2=Kenneth G. Paterson |date=2007 |title=Attacking the IPsec Standards in Encryption-only Configurations |url=https://eprint.iacr.org/2007/125.pdf/ |access-date=2019-07-08 |archive-url=https://web.archive.org/web/20181219001535/https://eprint.iacr.org/2007/125.pdf |archive-date=2018-12-19 |dead-url=yes }}.</ref><ref>{{citation |author1=Jean Paul Degabriele |author2=Kenneth G. Paterson |date=2010 |title=On the (In)Security of IPsec in MAC-then-Encrypt Configurations |url=http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.185.1534&rep=rep1&type=pdf |accessdate=2019-07-08 |archive-date=2018-09-25 |archive-url=https://web.archive.org/web/20180925142238/http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.185.1534&rep=rep1&type=pdf |dead-url=no }}.</ref>。除此之外，此攻击方法也用于多个[[Web应用框架|网页框架]]上，如[[JavaServer Faces]]、[[Ruby on Rails]]<ref>{{cite conference |author1=Juliano Rizzo |author2=Thai Duong |date=2010-05-25 |title=Practical Padding Oracle Attacks |publisher=USENIX WOOT 2010 |url=http://www.usenix.org/event/woot10/tech/full_papers/Rizzo.pdf |access-date=2019-07-08 |archive-date=2011-01-03 |archive-url=https://web.archive.org/web/20110103080313/http://www.usenix.org/event/woot10/tech/full_papers/Rizzo.pdf |dead-url=no }}</ref>、[[ASP.NET]]<ref>{{cite conference |author1=Thai Duong |author2=Juliano Rizzo |date=2011 |title=Cryptography in the Web: The Case of Cryptographic Design Flaws in ASP.NET |publisher=IEEE Symposium on Security and Privacy 2011 |url=http://www.cs.umd.edu/~jkatz/security/downloads/ASP-NET.pdf |access-date=2019-07-08 |archive-date=2018-11-23 |archive-url=https://web.archive.org/web/20181123184458/http://www.cs.umd.edu/~jkatz/security/downloads/ASP-NET.pdf |dead-url=no }}</ref><ref>{{cite news |author=Dennis Fisher |date=2010-09-13 |title='Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps |publisher=Threat Post |url=http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310 |deadurl=yes |archiveurl=https://web.archive.org/web/20101013200734/http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310 |archivedate=2010-10-13 |accessdate=2019-07-08 }}</ref><ref>{{cite web |author=Vlad Azarkhin |date=2010-09-19 |title="Padding Oracle" ASP.NET Vulnerability Explanation |url=http://blogs.microsoft.co.il/blogs/linqed/archive/2010/09/19/padding-oracle-asp-net-vulnerability-explanation.aspx |access-date=2019-07-08 |archive-url=https://web.archive.org/web/20101023090715/http://blogs.microsoft.co.il/blogs/linqed/archive/2010/09/19/padding-oracle-asp-net-vulnerability-explanation.aspx |archive-date=2010-10-23 |dead-url=yes }}</ref>和[[Steam]]游戏客户端。<ref>{{Cite web|url=https://steamdb.info/blog/breaking-steam-client-cryptography/|title=Breaking Steam Client Cryptography|website=Steam Database|access-date=2016-05-01|archive-date=2016-04-27|archive-url=https://web.archive.org/web/20160427221126/https://steamdb.info/blog/breaking-steam-client-cryptography/|dead-url=no}}</ref>2012年，此方法被证明为应对加固安全设备的有效方式。<ref>{{citation |author1=Romain Bardou |author2=Riccardo Focardi |author3=Yusuke Kawamoto |author4=Lorenzo Simionato |author5=Graham Steel |author6=Joe-Kai Tsay |date=2012 |title=Efficient Padding Oracle Attacks on Cryptographic Hardware |url=http://hal.inria.fr/docs/00/70/47/90/PDF/RR-7944.pdf |accessdate=2019-07-08 |archive-date=2014-08-11 |archive-url=https://web.archive.org/web/20140811133950/http://hal.inria.fr/docs/00/70/47/90/PDF/RR-7944.pdf |dead-url=no }}</ref>

虽然早期的攻击方法均已被大多数[[傳輸層安全性協定|TLS]]实现修复，但在2013年，网络上出现了名为[[幸运十三攻击]]的新变种，它使用侧信道来重新利用软件中的缺陷。截止2014年上半年，尽管幸运十三攻击理论上对特定机器依然有效（参见[[信噪比]]），但研究学者们认为此方法在现实中已无威胁。{{As of|2015}}，对解密互联网加密协议的最活跃攻击方法为[[降级攻击]]，如Logjam<ref>{{citation |author1=Matthew Green |author2=Nadia Heninger |author2-link=Nadia Heninger |author3=Paul Zimmerman |date=2015 |title=Imperfect Forward Secrecy: How Diffie–Hellman Fails in Practice |url=https://weakdh.org/imperfect-forward-secrecy.pdf |display-authors=etal |accessdate=2019-07-08 |archive-date=2020-02-27 |archive-url=https://web.archive.org/web/20200227111819/https://weakdh.org/imperfect-forward-secrecy.pdf |dead-url=yes }}. For further information see https://www.weakdh.org {{Wayback|url=https://www.weakdh.org/ |date=20191222192500 }}.</ref>和Export RSA/FREAK<ref>{{cite web |author=Matthew Green |date=2015-03-03 |title=Attack of the week: FREAK (or 'factoring the NSA for fun and profit') |url=http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html |accessdate=2019-07-08 |archive-date=2015-06-23 |archive-url=https://web.archive.org/web/20150623163926/http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html |dead-url=yes }}; see https://www.freakattack.com {{Wayback|url=https://www.freakattack.com/ |date=20150305132911 }} for more information.</ref>攻击，此类方法会欺骗客户端使用旧版安全性相对较低的但兼容性较高的加密算法。另外，一种名为{{tsl|en|POODLE|POODLE|POODLE}}<ref>{{cite web |author=Matthew Green |date=2014-10-14 |title=Attack of the week: POODLE |url=http://blog.cryptographyengineering.com/2014/10/attack-of-week-poodle.html |accessdate=2019-07-08 |archive-date=2015-06-23 |archive-url=https://web.archive.org/web/20150623211827/http://blog.cryptographyengineering.com/2014/10/attack-of-week-poodle.html |dead-url=yes }}; for further information, see https://www.poodle.io {{Wayback|url=https://www.poodle.io/ |date=20160401043710 }}</ref>（2014年下半年出现）将降级攻击（降级至SSL 3.0）与对老版本不安全协议的密文填充攻击相结合，进而破解传输中的数据。2016年5月，研究人员发现[[OpenSSL]]在修复幸运十三时引入了另一个填充神谕，此缺陷被标记为CVE-2016-2107。<ref>{{citation|title=OpenSSL Security Advisory [3rd May 2016]|url=https://www.openssl.org/news/secadv/20160503.txt|date=2016-05-03|accessdate=2019-07-08|archive-date=2019-07-16|archive-url=https://web.archive.org/web/20190716103713/https://www.openssl.org/news/secadv/20160503.txt|dead-url=no}}</ref><ref>{{citation|url=https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/|title=Yet Another Padding Oracle in OpenSSL CBC Ciphersuites|date=2016-05-04|publisher=Cloudflare|accessdate=2019-07-08|archive-date=2019-07-16|archive-url=https://web.archive.org/web/20190716233716/https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/|dead-url=no}}</ref>

==参考文献==
{{reflist|30em}}

{{SSL和TLS}}

[[Category:密码分析]]
[[Category:傳輸層安全協議]]