密文填塞攻击：修订间差异

在加密学中，'''密文填塞攻击'''（{{lang|en|Padding Oracle attack}}，字面译为填充神谕攻击）是指使用密文的[[填充 (密码学)|填充验证信息]]来进行解密的攻击方法。密码学中，可变长度的明文信息通常需要经填充后才能兼容基础的{{tsl|en|cryptographic primitive|密码原语|密码原语}}。此攻击方式依赖对密文是否被正确填充的反馈信息。密文填塞攻击常常与[[分组密码]]内的[[分组密码工作模式|密码块链接解密模式]]有关。非对称加密算法，如[[最优非对称加密填充|最优非对称加密填充算法]]，也可能易受到密文填充攻击。<ref>{{cite web|last=Manger|first=James|title=A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0|url=http://archiv.infsec.ethz.ch/education/fs08/secsem/Manger01.pdf|publisher=Telstra Research Laboratories|accessdate=2019-07-08|||}}</ref>

在最不理想的情况下，攻击者需要进行256次尝试（即尝试每个字节）来寻找<math>P_2</math>的最后一个字节。若解密的明文块内包含填充信息或用于填充的字节，攻击者则还需要进行额外的尝试来排除不同的可能性。<ref>{{citation|title=Is the padding oracle attack deterministic|url=http://crypto.stackexchange.com/questions/40800/is-the-padding-oracle-attack-deterministic|accessdate=2019-07-08|||}}</ref>

使用密文填塞的攻击方法起初由{{tsl|en|Serge Vaudenay|塞尔日·瓦德奈|塞尔日·瓦德奈}}于2002年发布。<ref>{{cite conference |author=Serge Vaudenay |date=2002 |title=Security Flaws Induced by CBC Padding Applications to SSL, IPSEC, WTLS... |publisher=EUROCRYPT 2002 |url=https://www.iacr.org/cryptodb/archive/2002/EUROCRYPT/2850/2850.pdf |access-date=2019-07-08 |||}}</ref>攻击者随后利用此方法投入实际，用于应对SSL<ref>{{citation |author1=Brice Canvel |author2=Alain Hiltgen |author3=Serge Vaudenay |author4=Martin Vuagnoux |date=2003 |title=Password Interception in a SSL/TLS Channel |url=https://www.iacr.org/cryptodb/archive/2003/CRYPTO/1069/1069.pdf |accessdate=2019-07-08 |||}}.</ref>和IPSec<ref>{{citation |author1=Jean Paul Degabriele |author2=Kenneth G. Paterson |date=2007 |title=Attacking the IPsec Standards in Encryption-only Configurations |url=https://eprint.iacr.org/2007/125.pdf/ |access-date=2019-07-08 |||}}.</ref><ref>{{citation |author1=Jean Paul Degabriele |author2=Kenneth G. Paterson |date=2010 |title=On the (In)Security of IPsec in MAC-then-Encrypt Configurations |url=http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.185.1534&rep=rep1&type=pdf |accessdate=2019-07-08 |||}}.</ref>。除此之外，此攻击方法也用于多个[[Web应用框架|网页框架]]上，如[[JavaServer Faces]]、[[Ruby on Rails]]<ref>{{cite conference |author1=Juliano Rizzo |author2=Thai Duong |date=2010-05-25 |title=Practical Padding Oracle Attacks |publisher=USENIX WOOT 2010 |url=http://www.usenix.org/event/woot10/tech/full_papers/Rizzo.pdf |access-date=2019-07-08 |||}}</ref>、[[ASP.NET]]<ref>{{cite conference |author1=Thai Duong |author2=Juliano Rizzo |date=2011 |title=Cryptography in the Web: The Case of Cryptographic Design Flaws in ASP.NET |publisher=IEEE Symposium on Security and Privacy 2011 |url=http://www.cs.umd.edu/~jkatz/security/downloads/ASP-NET.pdf |access-date=2019-07-08 |||}}</ref><ref>{{cite news |author=Dennis Fisher |date=2010-09-13 |title='Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps |publisher=Threat Post |url=http://threatpost.com/en_us/blogs/new-crypto-attack-affects-millions-aspnet-apps-091310 ||||accessdate=2019-07-08 }}</ref><ref>{{cite web |author=Vlad Azarkhin |date=2010-09-19 |title="Padding Oracle" ASP.NET Vulnerability Explanation |url=http://blogs.microsoft.co.il/blogs/linqed/archive/2010/09/19/padding-oracle-asp-net-vulnerability-explanation.aspx |access-date=2019-07-08 |||}}</ref>和[[Steam]]游戏客户端。<ref>{{Cite web|url=https://steamdb.info/blog/breaking-steam-client-cryptography/|title=Breaking Steam Client Cryptography|website=Steam Database|access-date=2016-05-01|||}}</ref>2012年，此方法被证明为应对加固安全设备的有效方式。<ref>{{citation |author1=Romain Bardou |author2=Riccardo Focardi |author3=Yusuke Kawamoto |author4=Lorenzo Simionato |author5=Graham Steel |author6=Joe-Kai Tsay |date=2012 |title=Efficient Padding Oracle Attacks on Cryptographic Hardware |url=http://hal.inria.fr/docs/00/70/47/90/PDF/RR-7944.pdf |accessdate=2019-07-08 |||}}</ref>

虽然早期的攻击方法均已被大多数[[傳輸層安全性協定|TLS]]实现修复，但在2013年，网络上出现了名为[[幸运十三攻击]]的新变种，它使用侧信道来重新利用软件中的缺陷。截止2014年上半年，尽管幸运十三攻击理论上对特定机器依然有效（参见[[信噪比]]），但研究学者们认为此方法在现实中已无威胁。{{As of|2015}}，对解密互联网加密协议的最活跃攻击方法为[[降级攻击]]，如Logjam<ref>{{citation |author1=Matthew Green |author2=Nadia Heninger |author2-link=Nadia Heninger |author3=Paul Zimmerman |date=2015 |title=Imperfect Forward Secrecy: How Diffie–Hellman Fails in Practice |url=https://weakdh.org/imperfect-forward-secrecy.pdf |display-authors=etal |accessdate=2019-07-08 |||}}. For further information see https://www.weakdh.org .</ref>和Export RSA/FREAK<ref>{{cite web |author=Matthew Green |date=2015-03-03 |title=Attack of the week: FREAK (or 'factoring the NSA for fun and profit') |url=http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html |accessdate=2019-07-08 |||}}; see https://www.freakattack.com for more information.</ref>攻击，此类方法会欺骗客户端使用旧版安全性相对较低的但兼容性较高的加密算法。另外，一种名为{{tsl|en|POODLE|POODLE|POODLE}}<ref>{{cite web |author=Matthew Green |date=2014-10-14 |title=Attack of the week: POODLE |url=http://blog.cryptographyengineering.com/2014/10/attack-of-week-poodle.html |accessdate=2019-07-08 |||}}; for further information, see https://www.poodle.io</ref>（2014年下半年出现）将降级攻击（降级至SSL 3.0）与对老版本不安全协议的密文填充攻击相结合，进而破解传输中的数据。2016年5月，研究人员发现[[OpenSSL]]在修复幸运十三时引入了另一个填充神谕，此缺陷被标记为CVE-2016-2107。<ref>{{citation|title=OpenSSL Security Advisory [3rd May 2016]|url=https://www.openssl.org/news/secadv/20160503.txt|date=2016-05-03|accessdate=2019-07-08|||}}</ref><ref>{{citation|url=https://blog.cloudflare.com/yet-another-padding-oracle-in-openssl-cbc-ciphersuites/|title=Yet Another Padding Oracle in OpenSSL CBC Ciphersuites|date=2016-05-04|publisher=Cloudflare|accessdate=2019-07-08|||}}</ref>

{{reflist|30em}}

[[Category:傳輸層安全協議]]