calofmijuck/blog
1
0
Fork 0
mirror of https://github.com/calofmijuck/blog.git synced 2025-12-06 22:53:51 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix: fixed internal, external links

Browse Source
This commit is contained in:
Sungchan Yi
2023-10-30 20:31:40 +09:00
parent 30a1a142d4
commit a8457d15c8
2 changed files with 4 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
_posts/Lecture Notes/Internet Security/2023-10-18-tls.md
View File

@@ -61,13 +61,13 @@ You can check if TLS is used on your browser. The address should begin with `htt
## CBC Padding Oracle Attack
Recall [CBC Mode (Internet Security)](2023-09-18-symmetric-key-cryptography-2.md#cipher-block-chaining-mode-cbc) .
Recall [CBC Mode (Internet Security)](../2023-09-18-symmetric-key-cryptography-2#cipher-block-chaining-mode-cbc) .
Suppose that each block has $8$ bytes. If the message size is not a multiple of the block size, we pad the message. If we need to pad $b$ bytes, we pad $b$ bytes with $b$, encoded in binary.
If the padding is not valid, the decryption algorithm outputs a *padding error* during the decryption process. The attacker can observe if a padding error has occurred, and use this information to recover the plaintext.
To defend this attack, we can use [encrypt-then-MAC (Modern Cryptography)](2023-09-26-cca-security-authenticated-encryption.md#encrypt-then-mac-etm), or hide the padding error.
To defend this attack, we can use [encrypt-then-MAC (Modern Cryptography)](../../modern-cryptography/2023-09-26-cca-security-authenticated-encryption#encrypt-then-mac-etm), or hide the padding error.
### Attack in Detail
@@ -113,7 +113,7 @@ $$
## Hashed MAC (HMAC)
Let $H$ be a has function. We defined MAC as $H(k \parallel m)$ where $k$ is a key and $m$ is a message. This MAC is insecure if $H$ has [Merkle-Damgård construction](2023-09-28-hash-functions.md#merkle-damgard-transform), since it is vulnerable to length extension attacks. See [prepending the key in MAC is insecure (Modern Cryptography)](2023-09-28-hash-functions.md#prepending-the-key).
Let $H$ be a has function. We defined MAC as $H(k \parallel m)$ where $k$ is a key and $m$ is a message. This MAC is insecure if $H$ has [Merkle-Damgård construction](../../modern-cryptography/2023-09-28-hash-functions#merkle-damg%C3%A5rd-transform), since it is vulnerable to length extension attacks. See [prepending the key in MAC is insecure (Modern Cryptography)](../../modern-cryptography/2023-09-28-hash-functions#prepending-the-key).
Choose a key $k \leftarrow \mathcal{K}$, and set