Can We Securely Use CBC Mode in TLS1.0?

Currently, TLS1.0 is one of the most widely deployed protocol versions for SSL/TLS. In TLS1.0, there are only two choices for the bulk encryption, i


CBC Mode in TLS1.0
SSL/TLS is one of the most widely deployed cryptographic protocols on the network. In fact, SSL/TLS is employed in almost all popular services for online shopping and online banking. At the same time, many cryptographic attacks against SSL/TLS have been found, e.g., CRIME, Lucky Thirteen [2], BEAST [5], POODLE [7] and the RC4 bias attacks [1,6]. In SSL/TLS, many cryptographic primitives are employed, e.g., RSA, DH(E), AES, RC4, CBC mode, and HMAC. Among them, we focus on the CBC mode in TLS1.0, which is one of the most problematic cryptographic primitives in SSL/TLS. To see this, let us introduce how the CBC mode is used in SSL/TLS. In SSL/TLS, a plaintext is "tagged" before encryption. That is, to encrypt a plaintext M, the tag t is first generated and then the tagged message is encrypted by the CBC mode. Then, the ciphertext of the (tagged) message is computed as follows, where F_K : {0,1}^λ → {0,1}^λ is a block cipher modeled as a pseudorandom permutation, λ is the block length, IV is an initial vector, and PAD is a padding. The CBC mode in TLS1.0 has two potential weaknesses: one is in the padding and the other is in the choice of the initial vector IV [13].
Padding: In the encryption of the form Eq.(1), which is known as Mac-then-Enc, the message authentication code is not applied to the padding. That is, the padding is appended after the tag has been generated. Accordingly, two kinds of errors can occur on decryption: a padding error and a message authentication code error. If the adversary can distinguish these two errors, the attack known as the padding oracle attack [10] works. As a concrete example, there exists a timing analysis [4] which enables the adversary to distinguish these two errors. This problem has been repaired in some implementations of SSL/TLS, e.g., OpenSSL 0.9.6c, 0.9.6i, and 0.9.7a. Nevertheless, other side channel information might still be usable to attack the CBC mode. In fact, for SSL3.0, Möller et al. [7] showed a practical attack against the CBC mode, named the POODLE attack. However, this attack cannot be applied directly to the CBC mode in TLS1.0 since a different padding scheme is employed.
Choice of IV: In TLS1.0, the initial vector IV of a record is the last block of the preceding ciphertext; therefore an adversary who can eavesdrop on the ciphertexts knows the IV before the next plaintext is encrypted [8]. Since the IV is thus predictable from the adversary's viewpoint, the CBC mode in TLS1.0 does not satisfy indistinguishability.
However, this does not immediately imply that the adversary can recover the whole plaintext; moreover, it was expected that the time complexity of recovering one block of plaintext from its ciphertext would be O(2^λ). Unfortunately, this expectation was wrong: Duong and Rizzo demonstrated the BEAST attack [5], whose time complexity is O(λ).

On BEAST Attack
To launch the BEAST attack, two underlying conditions must be satisfied. One is the existence of a software bug in the browser's enforcement of the Same Origin Policy (SOP), and the other is the predictability of the IV, which is the case for the CBC mode in TLS1.0. The attack had a huge impact because Duong and Rizzo found such an SOP bug in Java. At present, a software patch for Java has been released, but there may well be many more such bugs. Hence, browser vendors such as Microsoft and Mozilla released a software patch for the CBC mode in addition to the patch for Java [9].

Contributions
According to [14], TLS1.0 is currently the most widely deployed protocol version of SSL/TLS, and the CBC mode is used in many ciphersuites. Although a software patch for the CBC mode has been released, one problem has remained: it has not been clarified whether or not the patched CBC mode is secure against BEAST-type attacks. In this paper, we show that the patched CBC mode satisfies indistinguishability, which implies that it is secure against BEAST-type attacks. As far as we know, this is the first proof that the current version of the CBC mode in TLS1.0 satisfies indistinguishability, despite the fact that TLS1.0 is widely used in practice.

Definition
Let λ, τ denote security parameters, each of which represents a length in bytes. Lengths are usually counted in bytes, and hence λ, τ are multiples of eight. A negligible function is denoted by ϵ(λ), or simply by ϵ.
Pseudorandom Function and Permutation: A pseudorandom function (PRF) P consists of a pair of algorithms (K, F):
-The key generation algorithm K is a ppt (probabilistic polynomial time) algorithm and generates a key K.
-The evaluation algorithm F is a deterministic polynomial time algorithm. It outputs F(K, x) given the key K and a point x.

Definition 1 (Pseudorandom Function, PRF).
We say that P = (K, F) is a PRF if for any ppt algorithm A, where R is the set of all functions whose domain and range are the same as those of F(K, ·).
If the function F_K(·) := F(K, ·) is a permutation, then we say that P is a pseudorandom permutation (PRP). In this case, we denote the negligible function by ϵ_PRP.
Symmetric Key Encryption: A symmetric key encryption (SKE) scheme SE consists of a triple of algorithms (K, E, D):
-The key generation algorithm K is a ppt algorithm which generates a key K.
-The ppt encryption algorithm E takes a key K and a plaintext M as input, and outputs a ciphertext C. If we consider a stateful SKE, then E takes an additional input st as a state, and outputs a new state st′ as well.
-The decryption algorithm D is a deterministic polynomial time algorithm. It takes a ciphertext C and a key K as input and outputs a plaintext M or ⊥, representing an invalid ciphertext. If we consider a stateful SKE, then D is also given a state st and outputs a new state st′ in addition.
The SKE scheme must be "decryptable." That is, for any key K and any plaintext M, D(K, E(K, M)) = M must hold.
To define security, we consider the function where q is the number of queries to the LR oracle.

Message Authentication Code (MAC):
The message authentication code (MAC) scheme MA consists of a triple of algorithms (K, T, V):
-The key generation algorithm K is a ppt algorithm and outputs a key K.
-The tag generation algorithm T is a deterministic polynomial-time algorithm. This algorithm takes a key K and a plaintext M as input and outputs a tag t of length τ.
-The verification algorithm V is a deterministic polynomial-time algorithm. This algorithm takes a key K, a message M, and a tag t as input, and outputs 0 or 1.
We say that MA satisfies completeness if V(K, M, t) = 1 holds exactly when t = T(K, M). We assume that, for a randomly chosen key K, T(K, ·) is a pseudorandom function. The corresponding negligible function is denoted by ϵ_PRF.

The Format in SSL/TLS
In the CBC mode of SSL/TLS, to encrypt the plaintext CONTENT, some additional information for maintaining the SSL/TLS session is appended. That is,

CONTENT, MAC, PAD, PAD LEN
are encrypted together. Here PAD is a padding, PAD LEN is the length of the padding, LEN is the length of the message CONTENT, and MAC is a tag over SEQ NUM, CONTENT TYPE, LEN, CONTENT generated by the message authentication code HMAC. The sequence number SEQ NUM is a 64-bit binary sequence: a counter starting from 0 that is incremented for every encryption. It was originally introduced to prevent replay attacks, but we show later that this counter is what makes the "patched" CBC mode in TLS1.0 indistinguishable.
There is other information, such as CONTENT TYPE, but it is not related to our security analysis.

The Effect of the Patch
Let λ be the block length of the underlying block cipher (in bytes), and let ∥ denote concatenation. Then, for a binary sequence X, we define X[i] as

Weak CBC Mode in TLS1.0
Let P = (K_PRP, F_PRP) be a PRP. The CBC mode in TLS1.0 is implemented as in Table 1, where we assume that the length of the message M is a multiple of λ and that the initial vector IV is chosen at random at the beginning. The decryption algorithm D_WeakCBC is not described since it is trivial.
We call this version of the CBC mode the WeakCBC mode. Clearly, since the adversary knows IV (= C[n − 1]) in advance, the WeakCBC mode does not satisfy IND-CPA security. This is why the original CBC mode (WeakCBC) is vulnerable to the BEAST attack.

Unpatched CBC
In TLS1.0, the encryption is done by Mac-then-Enc. Hence, the tag is generated before the message is encrypted in the CBC mode. (See Table 2.) In Table 2, c plays the role of the counter, which starts from 0. The counter represents the sequence number SEQ NUM of Sec.2.2. Other information such as TYPE is not related to our security analysis, and hence we remove it from this algorithm.
The algorithm Pad is the padding algorithm defined by Eq.(1), and Pad^{-1} is the algorithm which removes the padding. Note that MA = (K_MA, T, V) is the message authentication code. We refer to the authenticated encryption of Table 2 as WeakTLS1.0.
Since the IV is predictable, WeakTLS1.0 does not satisfy the IND-CPA property either.

Patched CBC
In response to the BEAST attack, browser vendors released several software patches for the WeakTLS1.0 scheme described in Sec.3.2. Some of these patches were not suitable for practical use due to a lack of interoperability, and they are no longer used. At present, the software patch named the 1/n−1 Record Splitting Patch [11] is widely used; it is implemented as in Table 3 and Figure 1. We call the authenticated encryption scheme described in Table 3
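To make the record format of Sec.2.2, the Mac-then-Enc chaining of Table 2 and the 1/n−1 record splitting patch concrete, the following Python simulation is an added example; it is not code from the paper or from any TLS implementation, and the names WeakTLS, prp, pad, unpad and encrypt_split are ours. The block cipher F_K is a constructed 4-round Feistel stand-in keyed with HMAC-SHA256 (not AES), the tag is HMAC-SHA1 over SEQ NUM, LEN and CONTENT, and the keys and sample records are constructed values.

```python
import hashlib, hmac, struct

LAMBDA, TAU = 16, 20   # block length λ and tag length τ in bytes (HMAC-SHA1 tags)
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, i, half):   # Feistel round function: constructed stand-in, not a TLS primitive
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:LAMBDA // 2]
def prp(key, blk):      # stand-in for the block cipher F_K: a 4-round Feistel network (a PRP)
    l, r = blk[:LAMBDA // 2], blk[LAMBDA // 2:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r
def prp_inv(key, blk):  # inverse of prp: undo the rounds in reverse order
    l, r = blk[:LAMBDA // 2], blk[LAMBDA // 2:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r
def pad(data):          # TLS1.0 padding: PAD_LEN bytes of value PAD_LEN, then the PAD_LEN byte itself
    n = (LAMBDA - (len(data) + 1) % LAMBDA) % LAMBDA
    return data + bytes([n]) * (n + 1)
def unpad(data):        # None on malformed padding (the caller must not reveal which check failed)
    n = data[-1]
    return data[:-(n + 1)] if data.endswith(bytes([n]) * (n + 1)) else None

class WeakTLS:
    """Mac-then-Enc CBC of Table 2: each record's IV is the last ciphertext block of the previous record."""
    def __init__(self, enc_key, mac_key, iv):
        self.ek, self.mk, self.iv, self.seq = enc_key, mac_key, iv, 0
    def tag(self, content):   # HMAC over SEQ_NUM || LEN || CONTENT (CONTENT_TYPE omitted, as in the paper)
        return hmac.new(self.mk, struct.pack(">QH", self.seq, len(content)) + content, hashlib.sha1).digest()
    def encrypt_record(self, content):
        pt, prev, out = pad(content + self.tag(content)), self.iv, b""
        for i in range(0, len(pt), LAMBDA):
            prev = prp(self.ek, _xor(pt[i:i + LAMBDA], prev))
            out += prev
        self.iv, self.seq = prev, self.seq + 1   # chained IV: an eavesdropper knows it before the next record
        return out
    def encrypt_split(self, content):
        # 1/n-1 record splitting patch: the 1-byte record goes first; its ciphertext depends on the
        # tag over the fresh SEQ_NUM, so the IV inherited by the (n-1)-byte record is not predictable.
        return self.encrypt_record(content[:1]), self.encrypt_record(content[1:])
    def decrypt_record(self, ct):
        pt, prev = b"", self.iv
        for i in range(0, len(ct), LAMBDA):
            pt, prev = pt + _xor(prp_inv(self.ek, ct[i:i + LAMBDA]), prev), ct[i:i + LAMBDA]
        self.iv, body = prev, unpad(pt)
        ok = body is not None and hmac.compare_digest(body[-TAU:], self.tag(body[:-TAU]))
        self.seq += 1
        return body[:-TAU] if ok else None   # padding and MAC failures give the same result
```

A sender and a receiver constructed with the same keys and initial IV stay in step; in the unpatched mode the IV of each record is exactly the last ciphertext block of the previous one, whereas with the split the body record's IV is the last block of a record whose plaintext contains a tag over a fresh sequence number.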