The Chosen-boundary attack

This is a simple demo of the chosen-boundary attack against CBC-based encryption with a predictable IV, used as part of the BEAST attack by Thai Duong and Juliano Rizzo.

A good explanation of the problem can be found here: Security impact of the Rizzo/Duong CBC "BEAST" attack.

An attempt to explain it. We are trying to uncover an encrypted secret. We cannot decrypt it directly, but we can control the data that is encrypted together with it. So we ask the system to encrypt some data, but we put some predefined data (P) in front, chosen so that the first byte of the secret becomes the last byte of a block whose other contents we know. We record the ciphertext (C) and the IV (IV0) for that block. Next we try to guess the value of that last byte. We do that by taking the predefined value (P) plus the guess byte and XOR-ing the result with both the current IV and IV0. The effect of XOR-ing with both IV0 and the current IV is that the plaintext we send in enters the block cipher under the same conditions as the data that was encrypted to become C: the encryption function first XORs the block with the current IV (undoing that part of what we just did), leaving our guess XOR-ed with the same IV as the block we are trying to decrypt. So if we guessed right, the ciphertext resulting from encrypting our guess is equal to C (encrypting the same value with the same IV and the same key gives the same ciphertext). If it is not, our guess was wrong.

In this JavaScript demo, we encrypt the data, take out the IV, and then run a chosen-boundary attack on the encryption. We guess by cycling through all possible byte values from 0 to 255. A much faster approach is to make informed guesses: for example, if you know the value you are attacking is base64, you could try only the characters that appear in base64, which cuts down the number of guesses.

Input a secret text to decrypt. Use ASCII characters only (full UTF-8 is not supported for now). An option restricts guessing to a-z, A-Z, 0-9, space and punctuation (faster).

While it runs, the demo shows: Text, Plain, IV, Cipher, Block being decrypted, Guess, Current IV, Ciphered guess, Decrypted, and Guesses per char.