
Broken or Risky Cryptographic Algorithm #93

Open
s-b-repo opened this issue Oct 31, 2024 · 1 comment

Comments

@s-b-repo

```java
rv = Cipher.getInstance("AES/CBC/NoPadding");
```

The CBC mode used in javax.crypto.Cipher.getInstance does not provide integrity. Consider using Galois/Counter Mode

line 272
core/java/src/net/i2p/crypto/CryptixAESEngine.java

@s-b-repo
Author

As a Proof of Concept (PoC) of how using AES/CBC without integrity checks could be exploited, we can simulate a Padding Oracle Attack. In a Padding Oracle Attack, an attacker can manipulate the ciphertext and leverage error messages from a decryption oracle to gradually reveal the plaintext.

Here's a PoC that simulates how an attacker could exploit the lack of integrity in AES/CBC mode. Note that this example is for educational purposes only.
Padding Oracle Attack PoC in Java

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

public class PaddingOracleExample {

    public static void main(String[] args) throws Exception {
        // Setup AES/CBC with NoPadding
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        keyGen.init(128);
        SecretKey secretKey = keyGen.generateKey();

        // Original message. NoPadding requires input that is a multiple of the
        // 16-byte block size, so the 14-byte string is zero-padded to one block
        // (without this, encrypt() throws IllegalBlockSizeException).
        String plaintext = "Sensitive data";
        byte[] block = Arrays.copyOf(plaintext.getBytes(StandardCharsets.UTF_8), 16);

        // Encrypt the plaintext (all-zero IV, fixed for the demo)
        byte[] iv = new byte[16];
        IvParameterSpec ivSpec = new IvParameterSpec(iv);
        byte[] ciphertext = encrypt(block, secretKey, ivSpec);
        System.out.println("Original Ciphertext: " + Base64.getEncoder().encodeToString(ciphertext));

        // Simulate attack by flipping bits in ciphertext (last byte)
        byte[] tamperedCiphertext = Arrays.copyOf(ciphertext, ciphertext.length);
        tamperedCiphertext[ciphertext.length - 1] ^= 1; // Flip the last bit

        // Attempt decryption to see if padding error occurs.
        // Note: with NoPadding the cipher performs no padding check, so a
        // block-aligned tampered ciphertext is returned without an exception.
        try {
            byte[] recovered = decrypt(tamperedCiphertext, secretKey, ivSpec);
            System.out.println("Tampered Ciphertext Decrypted Successfully (unexpected): "
                    + Base64.getEncoder().encodeToString(recovered));
        } catch (Exception e) {
            System.out.println("Decryption failed due to padding error: " + e.getMessage());
            System.out.println("Padding Oracle revealed padding error. Attack possible.");
        }
    }

    public static byte[] encrypt(byte[] plaintext, SecretKey key, IvParameterSpec iv) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, iv);
        return cipher.doFinal(plaintext);
    }

    public static byte[] decrypt(byte[] ciphertext, SecretKey key, IvParameterSpec iv) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, iv);
        return cipher.doFinal(ciphertext);
    }
}
```

Explanation of the PoC

1. Initialization: AES is used with CBC mode and NoPadding.
2. Encryption: A sample plaintext is encrypted with an IV.
3. Bit Flipping: We simulate an attacker by flipping a bit in the last byte of the ciphertext.
4. Decryption Attempt: The code tries to decrypt the tampered ciphertext.
5. Padding Oracle: Since no integrity checks are applied, a padding error is likely, which the attacker can observe.

How the Exploit Works

- No Integrity Check: CBC mode alone does not verify data integrity. An attacker can tamper with the ciphertext.
- Padding Error Feedback: Padding errors provide feedback to the attacker, which they can use to gain information about the plaintext through successive tampering attempts.
- Practical Attack: In a real-world scenario, an attacker could make multiple small modifications and observe the system's responses to derive information about the plaintext.

Preventing This Vulnerability

Switch to AES/GCM mode, as discussed earlier, which provides both confidentiality and integrity, thus preventing padding oracle attacks and other integrity-based exploits.
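The following is an added example, not code from the I2P project or from the issue author's PoC above. It puts the two modes discussed in this thread side by side: unauthenticated AES/CBC, where a one-bit change to the transmitted IV silently alters the decrypted message and is accepted without any error, and AES/GCM, where the same kind of change is rejected by the authentication tag before any plaintext is released. The class name `CbcVersusGcmTamperDemo`, the helper names and the sample message `amount=0010` are constructed for this demonstration; nothing here reflects how `CryptixAESEngine.java` is actually used, which the issue does not show.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

/** Added example (hypothetical class, not I2P code): unauthenticated CBC versus GCM under tampering. */
public class CbcVersusGcmTamperDemo {

    private static final SecureRandom RNG = new SecureRandom();
    private static final int GCM_TAG_BITS = 128;

    // --- Unauthenticated AES-CBC (PKCS5 padding, no MAC) ---
    static byte[] cbcEncrypt(SecretKey key, byte[] iv, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return c.doFinal(plaintext);
    }

    static byte[] cbcDecrypt(SecretKey key, byte[] iv, byte[] ciphertext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(iv));
        return c.doFinal(ciphertext);   // only the padding bytes are checked, nothing else
    }

    // --- AES-GCM: ciphertext carries a 128-bit authentication tag ---
    static byte[] gcmEncrypt(SecretKey key, byte[] nonce, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        return c.doFinal(plaintext);
    }

    static byte[] gcmDecrypt(SecretKey key, byte[] nonce, byte[] ciphertextWithTag) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, nonce));
        return c.doFinal(ciphertextWithTag);   // throws AEADBadTagException if anything was modified
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();

        // Constructed sample message; byte index 10 is the final '0'.
        byte[] msg = "amount=0010".getBytes(StandardCharsets.US_ASCII);

        // 1) CBC without integrity: flipping one bit of the IV flips the same bit of
        //    plaintext block 0 (P0 = D(C0) XOR IV). The PKCS5 padding bytes are
        //    untouched, so decryption reports no error and returns a message the
        //    sender never wrote.
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);
        byte[] cbcCt = cbcEncrypt(key, iv, msg);
        byte[] ivTampered = iv.clone();
        ivTampered[10] ^= 0x01;                      // '0' (0x30) becomes '1' (0x31)
        byte[] cbcOut = cbcDecrypt(key, ivTampered, cbcCt);
        System.out.println("CBC, tampered IV  -> no error, decrypts to: "
                + new String(cbcOut, StandardCharsets.US_ASCII));   // amount=0011

        // 2) GCM: the same single-bit change to the ciphertext is rejected as a
        //    whole, because the tag no longer verifies; no plaintext is returned.
        byte[] nonce = new byte[12];                 // 96-bit nonce, must be unique per key
        RNG.nextBytes(nonce);
        byte[] gcmCt = gcmEncrypt(key, nonce, msg);
        byte[] gcmCtTampered = Arrays.copyOf(gcmCt, gcmCt.length);
        gcmCtTampered[10] ^= 0x01;
        try {
            gcmDecrypt(key, nonce, gcmCtTampered);
            System.out.println("GCM, tampered ct  -> accepted (should not happen)");
        } catch (AEADBadTagException e) {
            System.out.println("GCM, tampered ct  -> rejected: " + e.getClass().getSimpleName());
        }

        // An untouched GCM ciphertext still round-trips under the same key and nonce.
        System.out.println("GCM, untouched    -> "
                + new String(gcmDecrypt(key, nonce, gcmCt), StandardCharsets.US_ASCII));
    }
}
```

Two points worth noting when reading the output. First, the CBC half deliberately uses PKCS5Padding rather than the NoPadding of the original line: with NoPadding there is no padding check at all, so a modified block-aligned ciphertext decrypts without any exception, and what a receiver observes is silent malleability rather than a padding-error oracle; with PKCS5Padding the padding check passes here because only a data byte was changed, which shows that a padding check is not an integrity check. Second, AES/GCM only delivers its integrity guarantee if the 12-byte nonce is never reused under the same key, and the receiver must treat `AEADBadTagException` as a hard failure rather than falling back to the partial output.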
