aes known-plaintext-attack ecb padding-oracle
Updated Sat, 25 Jun 2022 05:07:32 GMT

Shortcuts / practicality of brute forcing block cipher (AES) + ECB with known plaintext

I know the plaintext (26 bytes long) and cryptotext of block cipher (suspected to be AES) in ECB mode. I can generate hundreds or thousands of such samples, but the samples are not arbitrary. What are my chances of recovering the crypto key using brute force methods or using brute-force + some crypto analysis?

Is there any good guidance to pull off padding oracle?


For a key recovery attack, you'd basically need to break AES itself. There are no known practical key recovery attacks on AES (and if there were, it would not be considered safe to use), so pretty much your only hope would be to find some kind of side-channel attack on the AES implementation, or on the overall crypto framework it is part of.

Alternatively, if you suspect that the keyspace is small enough (e.g. if the key is derived from a passphrase which might not have enough entropy), you might be able to find it with a brute force attack. The chance of such an attack succeeding depends entirely on two things: the size of the keyspace you need to test, and the speed at which you can try the keys. The latter, in turn, depends on the computing hardware you have available (and, of course, your skill in utilizing it) and on the complexity of the key derivation process.

Padding oracle attacks, in any case, are specific to CBC mode, and do not allow key recovery. ECB mode, while insecure in other ways, does not suffer from them.

Comments (2)

  • +0 – "ECB mode[...] does not suffer from them." Are you sure? I'd expect ECB to have the same padding issues. ECB needs the same kind of padding as CBC, and transforms blocks in pretty much the same way. I see no difference between them in that regard. — Sep 19, 2012 at 14:05  
  • +0 – @CodesInChaos: I'm not that familiar with padding oracle attacks, but AAUI, at least the original attack by Vaudenay relies on the fact that CBC decryption XORs the block cipher decryption of the last block with the previous ciphertext block. With ECB, that doesn't happen. (It does seem to me that a similar attack should be possible with padded CFB mode, just with the blocks reversed. Of course, CFB mode doesn't really need padding anyway, as the last block can simply be truncated.) — Sep 19, 2012 at 14:39
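Added example (not code from the original thread) showing the mechanism the second comment describes: in CBC, plaintext block n is D(C[n]) XOR C[n-1], so a one-bit change in ciphertext block 1 reappears as exactly a one-bit change in plaintext block 2, while in ECB the same change garbles block 1 only and leaves block 2 untouched. The key, IV, plaintext and helper names are constructed for this demonstration and are not from the post.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
)

// Constructed demo values, not taken from the original thread.
var key = []byte("0123456789abcdef")                       // AES-128 key
var iv = []byte("fedcba9876543210")                        // IV, CBC only
var plaintext = []byte("block-one-000000block-two-111111") // two full blocks

// ecbApply runs the raw block cipher over each 16-byte block on its own:
// ECB has no chaining between blocks, so P[n] = D(C[n]).
func ecbApply(fn func(dst, src []byte), buf []byte) []byte {
	out := make([]byte, len(buf))
	for i := 0; i < len(buf); i += aes.BlockSize {
		fn(out[i:i+aes.BlockSize], buf[i:i+aes.BlockSize])
	}
	return out
}

// flipEffect encrypts in CBC or ECB, flips one bit of ciphertext byte 3 (inside
// the first block), decrypts, and returns whether the first block was garbled
// plus the XOR difference between the original and recovered second block.
func flipEffect(useCBC bool) (firstGarbled bool, secondDelta []byte) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	ct := ecbApply(blk.Encrypt, plaintext)
	if useCBC {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, plaintext) // overwrite with CBC
	}
	ct[3] ^= 0x01 // the single-bit corruption
	pt := ecbApply(blk.Decrypt, ct)
	if useCBC {
		// P[n] = D(C[n]) XOR C[n-1]: the flip in C[0] passes straight into P[1].
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	}
	secondDelta = make([]byte, aes.BlockSize)
	for i := range secondDelta {
		secondDelta[i] = pt[aes.BlockSize+i] ^ plaintext[aes.BlockSize+i]
	}
	firstGarbled = !bytes.Equal(pt[:aes.BlockSize], plaintext[:aes.BlockSize])
	return firstGarbled, secondDelta
}
```

Calling flipEffect(true) yields a garbled first block and a delta that is 0x01 at byte 3 and zero elsewhere; flipEffect(false) yields a garbled first block and an all-zero delta.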