3

I've been told that oracles are always servers and that oracle attacks are always online, but I'm not convinced that's true. However, I have limited understanding of this topic since I'm still learning and the book I just read didn't discuss it at all. The definitions I've seen of the term don't specify whether oracle attacks are always online/involve servers either.

  1. Is an oracle always a server?
  2. Can padding oracle attacks happen offline (e.g. an encryption tool)?
  3. Can partitioning oracle attacks happen offline (e.g. an encryption tool)?

Please explain things in layman's terms.

kelalaka

4 Answers

11

In theory: No. How the oracle is implemented or named is not important, only how it works.

In practice: Everything that leaks information can be abstracted as an oracle. So it is also possible to use the client as an oracle, or the systems processing the cryptosystems. The server-client system is only the most common way stuff works and communicates on the world wide web, but the important aspect is that cryptography is used for a lot more than only "the internet".

A good example is operating systems. They are (for simplicity) offline systems, but you could also identify oracles and other mechanisms in the cryptographic applications used by the OS. OSes also use block ciphers, therefore it can be possible to make an offline padding oracle attack.

I hope I was able to give an adequate answer!

Titanlord
  • That was a pretty good answer. It seems like that person was feeding me misinformation since they were mocking me for believing that oracle attacks could be performed offline. –  Mar 11 '21 at 14:17
  • 3
    In theory you just need two parties: a verifier (e.g. the program saying whether the padding is correct or not) and an attacker. There is no need for those attacks to be online. But it is simpler to imagine a server and some clients instead of speaking about programs and operating systems. Don't let others mock you; most of the time they have far less understanding of what they are talking about than you think they have :D – Titanlord Mar 11 '21 at 14:27
  • 1
    Thanks :) That has clarified things nicely. –  Mar 11 '21 at 14:31
  • 1
    Well, by definition an Oracle provides something of a service to the attacker. So that's the (theoretical) yes. That it's not just a service that can be provided over a network is another observation. Also by definition: you can certainly have an AES-CBC attack when using TLS when a server is sending data to a client, but the client then provides the "Oracle service" :) – Maarten Bodewes Mar 11 '21 at 20:55
4

The word online means controlled by or connected to another computer or to a network (Oxford).

The words "query the oracle" tell what you need, and relate to how your query is performed: online query and off-line query.

One queries the oracle, then the oracle responds. Without a response, it is not an oracle. The response can be a bit or more, or it can even only return if there is an error (wait x time; if you don't get an error, you may assume it doesn't have an error).

  • The original padding oracle is executed online, since the attacker doesn't have the encryption key and asks the oracle to check whether the padding is correct or not. If not correct, the oracle sends the padding-incorrect error.

    This attack must be online since the attacker sends ciphertexts to test. The server (oracle) has the key to respond with the status of the padding after the decryption.

    There can be a special case that creates a conflict: if an attacker has accessed your machine that has a program that responds to padding errors (say the encryption and decryption can be executed in an HSM), then is this a local padding oracle attack or not? We can still say online, since the attacker created an online channel to execute the attack.

    If you are just trying to program padding oracles, then you may write a program that only responds with the padding status; this is a local padding oracle that has no use. This will be used in online padding oracle attacks.

    And note that a padding oracle is a decryption oracle that reveals the plaintext.

  • A partitioning oracle is also executed online: the attacker groups the keys produced by the KDF of passwords under a ciphertext and sends it to the server. The server responds whether the tag is invalid or not.

    Note that the partitioning oracle is a key-revealing oracle, since the attacker learns the correct password with fewer queries than the usual online password attack. Since the password generates the key, they reach the encryption key.


To better understand the oracle, consider a gnome sitting in a box with a book and a pencil, possibly with a coin, too. If it is an encryption oracle then a key is also included.

  • Now you query a ciphertext to the gnome, and it decrypts and returns whether the padding is incorrect or not. That is a padding oracle.

  • Now you query a plaintext, and the gnome returns the ciphertext. This is an encryption oracle. If the scheme is probabilistic, the coin is tossed for the IV and the oracle returns the probabilistic encryption.

  • Now you query a ciphertext, and the gnome returns the plaintext. This is a decryption oracle.

  • Now you query a ciphertext, and the oracle returns the tag status. This is an authentication tag oracle, which the partitioning oracle attack uses.

  • Now you send a message, and the gnome checks the book for its existence; if it exists, it returns the value from the book; if not, the gnome tosses coins, writes the query to the book, and returns the value. This is a random oracle.

Normally, the attacker does not have access to the box. If they can access the inside, then the key is revealed. So we assume that, while constructing the oracle, the attacker has no access to the box other than the query.

So this is about how the query is executed. If the query is executed online we can call this an online oracle, if not an off-line oracle (if this helps). In practice, online attacks (remote) are considered more.

As a special case, the oracle can be a TPM chip on your PC. You are attacking this chip as research then this is offline. But an attacker can also attack this remotely, then this is online.

kelalaka
  • That's interesting, thank you. I thought partitioning oracle attacks could be executed offline. However, I'm not sure I understand why a padding oracle can't be executed offline. –  Mar 11 '21 at 14:24
  • Well, one needs to distinguish the on-line and off-line. Can you call it off-line if you are on the same machine (not talking about cloud sharing)? Just freeze the system and read the memory for the encryption key. – kelalaka Mar 11 '21 at 14:30
  • What I mean for instance is that there's a cryptopals CBC padding oracle challenge. Doesn't that involve executing a padding oracle attack offline? –  Mar 11 '21 at 14:35
  • How can you do that if you don't have the key? They need you to provide a program that behaves like a server (that must contain the key). You only test it locally, then execute it online. Then you may call the local version a padding oracle, too. This, however, is only for testing purposes. – kelalaka Mar 11 '21 at 14:38
  • I thought a padding oracle attack didn't require knowledge of the key. If you had a file encryption program that used AES-CBC without HMAC and gave back invalid padding errors with the wrong key, then couldn't you execute the attack offline? The explanation from Microsoft seems to suggest this: https://docs.microsoft.com/en-us/dotnet/standard/security/vulnerabilities-cbc-mode –  Mar 11 '21 at 14:50
  • server or client is not the point. The oracle has the key, and the attacker must only be able to send it some stuff to decrypt or whatever, and use the result in some way. (I.e., if the "oracle" is "local", and attacker can directly grab the key from the program -- maybe it's in some config file or whatever -- then this whole "oracle" thing is moot right?) –  Mar 11 '21 at 15:37
  • @sitaram yes, that is one point: why should I query if I can open the box, in the real-attacker sense. In the research case, however, attacking the box without opening it is more important, since it may leave fewer trails. This can also be important if the attackers don't want to leave any trace. Maybe remote and local is better wording here. I'm still trying to use better words for a better answer. – kelalaka Mar 11 '21 at 15:42
  • @kelalaka I think server and client is OK. In practice that is the most common configuration that prevents attacker trivially having the key so as a "conceptual" binding it's fine. A non-"server" scenario could be for example a guest user, (or malicious Javascript) on a LUKS encrypted Linux machine tries to guess the LUKS password by querying the file system in various ways. Here, LUKS is a "server" in the sense that it has the key and the attacker does not and is responding to attacker's queries. (Just using this as an example; I know LUKS has no oracle problems!) –  Mar 11 '21 at 15:47
  • @sitaram if the attacker has the LUKS access, all they need password attack. They execute a password search that will take a long time. They can download the LUKS file and execute a local search, too. That is the point. I think the updated answer is much better now. – kelalaka Mar 11 '21 at 16:11
  • @kelalaka, second para in section "Partition Oracle" (i.e., Consider that the attacker downloads the files. Now they can use the partition oracle just the reduce the number of decryption if that helps. One can still consider that tag invalid returns an Oracle in some sense since the AEAD response is tag valid or not.) seems to be saying that oracle does not have the key, but still can be queried as an oracle. That is not oracle attack that is plain brute force. Tag valid or not is not possible to say without having proper key. –  Mar 11 '21 at 16:17
  • Thanks, removed that part. It was incorrect. The oracle has the key, so it can't be locally executed if TPM and HSM are not considered. – kelalaka Mar 11 '21 at 16:20
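The "offline padding oracle" that Titanlord's answer says is possible, and the "file encryption program that uses AES-CBC without HMAC and gives back invalid padding errors" raised in the comments under kelalaka's answer, as an added example that is not part of any answer on this page: the oracle is an in-process Go function that holds the key and returns exactly one bit (padding valid or not), and the attacker recovers the plaintext by calling that function, so the whole exchange is a function call rather than a network round trip. The names LocalOracle, PaddingValid and PaddingOracleAttack are hypothetical; the cipher is real AES-CBC from Go's standard library, and the key is generated at random inside the oracle so the attacking code never sees it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// LocalOracle is the "gnome in a box": it holds the AES key and decrypts CBC
// ciphertexts, but only ever reports whether the PKCS#7 padding was valid.
type LocalOracle struct{ block cipher.Block }

func NewLocalOracle() (*LocalOracle, error) {
	key := make([]byte, 16) // random key; the attacker never sees it
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	b, err := aes.NewCipher(key)
	return &LocalOracle{block: b}, err
}

func pkcs7Pad(p []byte) []byte {
	n := 16 - len(p)%16
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(p []byte) ([]byte, error) {
	n := len(p)
	if n == 0 || n%16 != 0 || p[n-1] == 0 || p[n-1] > 16 {
		return nil, errors.New("bad padding")
	}
	if !bytes.Equal(p[n-int(p[n-1]):], bytes.Repeat(p[n-1:], int(p[n-1]))) {
		return nil, errors.New("bad padding")
	}
	return p[:n-int(p[n-1])], nil
}

// Encrypt returns IV || AES-CBC(pad(pt)). There is no MAC, so padding leaks.
func (o *LocalOracle) Encrypt(pt []byte) []byte {
	out := make([]byte, 16+len(pkcs7Pad(pt)))
	rand.Read(out[:16]) // random IV in the first block
	cipher.NewCBCEncrypter(o.block, out[:16]).CryptBlocks(out[16:], pkcs7Pad(pt))
	return out
}

// PaddingValid is the oracle query: one bit per ciphertext, nothing more.
func (o *LocalOracle) PaddingValid(ivct []byte) bool {
	if len(ivct) < 32 || len(ivct)%16 != 0 {
		return false
	}
	pt := make([]byte, len(ivct)-16)
	cipher.NewCBCDecrypter(o.block, ivct[:16]).CryptBlocks(pt, ivct[16:])
	_, err := pkcs7Unpad(pt)
	return err == nil
}

// lastByteIs01 handles the last-byte edge case: a guess ending in 0x02 0x02 (or
// 0x03 0x03 0x03 ...) also validates; disturbing byte 14 keeps only 0x01 valid.
func lastByteIs01(forged []byte, query func([]byte) bool) bool {
	forged[14] ^= 0xff
	defer func() { forged[14] ^= 0xff }()
	return query(forged)
}

// PaddingOracleAttack recovers the plaintext without the key from query's yes/no answers.
func PaddingOracleAttack(ivct []byte, query func([]byte) bool) ([]byte, error) {
	var out []byte
	for i := 16; i+16 <= len(ivct); i += 16 {
		prev, target := ivct[i-16:i], ivct[i:i+16]
		inter := make([]byte, 16) // D_k(target), recovered right to left
		for pos := 15; pos >= 0; pos-- {
			pad := byte(16 - pos)
			forged := make([]byte, 32) // attacker-chosen IV || target block
			copy(forged[16:], target)
			for j := pos + 1; j < 16; j++ {
				forged[j] = inter[j] ^ pad // known bytes forced to decrypt to pad
			}
			g := 0
			for ; g < 256; g++ {
				forged[pos] = byte(g)
				if query(forged) && (pos < 15 || lastByteIs01(forged, query)) {
					break
				}
			}
			if g == 256 {
				return nil, errors.New("oracle never accepted a guess")
			}
			inter[pos] = byte(g) ^ pad
		}
		for j := range inter {
			out = append(out, inter[j]^prev[j]) // P_i = D_k(C_i) XOR C_{i-1}
		}
	}
	return pkcs7Unpad(out)
}
```

Usage: `o, _ := NewLocalOracle(); pt, err := PaddingOracleAttack(o.Encrypt(msg), o.PaddingValid)` returns `msg` after at most 256 queries per plaintext byte. The attack code only ever touches `o.PaddingValid`; swapping that function for one that sends the forged ciphertext over a socket and parses an error response is the only change needed to turn this into the remote version, which is the sense in which the transport is incidental to the oracle.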
2

As I said in https://www.reddit.com/r/crypto/comments/m0gc2z/understanding_the_impact_of_partitioning_oracle/gqbciqj/, the oracle needs to have the decryption key.

You appear to still be under the impression that you can mount any kind of oracle attack when the oracle does not have the key (judging by your latest question to @kelalaka at Does a cryptographic oracle have to be a server?). This despite some patient explanations from @kelalaka I see in comments to that response.

Thinking about it in terms of "server" can be misleading, as I can see from your conversation with @titanlord. Perhaps you should ask him again "does a cryptographic oracle need to have the actual key?"

xkcd__386
  • Did you accidentally create 2 accounts? Look here if you need help. – DannyNiu Mar 12 '21 at 06:58
  • 2
    @DannyNiu -- no I did not. The "Questioning xkcd__386" was created by someone who didn't like what I told him about oracles over on reddit, where my account name is xkcd__386. Someone alerted me to this post and I felt compelled to create an account and respond. See above for links and more info. – xkcd__386 Mar 12 '21 at 11:55
2

Oracle attacks are online in the sense used in protocol design, meaning that they involve back-and-forth communication between the attacker and the victim. The point of an oracle attack is that the attacker arranges to send some data to the victim somehow, and the victim somehow sends back some information that helps the attacker indirectly figure out some secret information. The attack doesn't have to be "online" in the sense that it's connected to the Internet: for example, the attacker could be a local process, or the communication could take place over analog means, or the attack could take place before the Internet even existed (e.g. crib dragging was a form of oracle attack against Enigma).

The victim doesn't have to be a server. In fact, many famous oracle attacks target clients, for example BREACH (attack against a web browser) and Efail (attack against a PGP client).