Block-size Detection

In the previous blog, “Detecting the mode of block cipher being used” was discussed. In this blog, the second step in the attacking of a block cipher i.e. detecting the block size of the cipher, will be discussed. Link to the implementation script has been given at the end of this post which is written in python.

We need to closely look at the padding implementation in the block cipher in order to get the size of the block used. It is good that we list down the key points: the ones that are given and the ones that are needed to be found out, before jumping to the padding function:


  1. The mode used for encryption.
  2. The standard block cipher encryption used.
  3. The encryption function.
  4. The padding function.

One needs to find out the size of block used, having access to the above things. If  you closely looks at how padding is implemented in any oracle function, you can observe that the number of bytes to be padded is the minimum number of bytes required to be added to the plaintext string, such that the length of the padded string becomes a multiple of the block-size. But a thing to be mentioned here is that the number of bytes to be padded should have a minimum value of 1 and maximum value equal to the block-size.

For example, let the block-size of the cipher be 16 bytes and length of input string be 7 bytes. This gives the number of bytes to be padded equal to 16 – 7 = 8. When the input string is 18 bytes long then the number of bytes to be padded is equal to 16*2 – 18 = 14. When the input string is 16 then the number of bytes to be padded is 16. Generalizing it:

padlen = n - (l % n)

where “padlen” is the number of bytes to be padded, “n” is the block size and “l” is the length of the original unpadded string.

When one encrypts this padded string, the length of the ciphertext remains the same. One catch in the padding function, the length of the ciphertext remains the same when one increases the length of the input string by one each time, until the length of the input string becomes a multiple of the block-size because then an entire block will be added to the plain-text string having length equal to the block-size.

So, to detect the size of the block cipher, one can simply call the encryption function each time, giving a single character as an input and noting the length of the ciphertext for each time. Keep on appending single characters to the input string each time and note down the length of ciphertext each time and checking if the length of the ciphertext generated in the current iteration is equal to the one generated in the previous iteration or not. If not, then one can conclude that an entire block has been added to the original string, and hence the size of the block is equal to the difference between the length of the original string when the length of the ciphertext just changed and the length of its corresponding ciphertext.

Here is the implementation of the exploit:

Cheers! All Hail Cryptography!


AES Mode Detection Oracle

In a series of blogs, attacks on AES- Advanced Encryption Standard, will be discussed. There are a number of steps involved to break a block cipher (AES being one of them):

  1. Recognizing the mode of block cipher being used.
  2. Finding the size of the block being used in the block cipher.
  3. Implementing a suitable attack according the mode of block cipher and the standard encryption used.

In this post, the first step in the attacking of block cipher will be discussed.

According to Shannon’s Theory of Communication, a cipher can be regarded as a perfectly secure cipher if the cipher text reveals no information about the plaintext being encrypted. So, the entire idea behind the attack lies in finding patterns in ciphertext that loosens up the framework on which the encryption standard is based.

There are different modes of encryption being used in a block cipher, but only on ECB (Electronic Code Book) and CBC (Cipher Block Chaining) will be focused as for now.

ECB mode of encryption:

This is the most insecure mode of encryption and one will realize it looking at this representation of ECB mode:


In this mode, same key is used to generate ciphertext block of the corresponding plaintext block. This exposes one vulnerability: since the key and the block cipher encryption algorithm remain the same across the entire process of encryption of plaintext, two plaintext blocks containing the same text, will have the same set of ciphertext blocks. So, in case two of the ciphertext blocks have the same value, the attacker can easily recognize that the plaintext contains a group of characters that are being repeated. This reveals some information about the plaintext and hence, according to Shannon, AES in ECB mode is not a perfectly secure cipher!

For example, let us assume the encryption used is AES and the block size is 16 bytes. Let the plaintext be “abcdefghijklmnopabcdefghijklmnop”. After padding there are three (Three, because the size of the original plaintext is exactly a multiple of block size, thus one more block of padded data has to be added due to reasons of security) blocks in the padded plaintext. What is peculiar about the plaintext is that two of the blocks contain the same data in them, i.e. “abcdefghijklmnop” is the content of two of the blocks! They then generate the same 16-byte ciphertext block!

So, to recognize whether a block cipher uses ECB or CBC mode of encryption, we just need to supply the input in the plaintext such that two plaintext blocks contain the same contents and then observe the corresponding ciphertext. If two of the ciphertext blocks have the same value, the encryption used is ECB otherwise another mode of encryption is used! (CBC in this case as only two modes are being discusses here)

CBC mode of encryption:

This mode of encryption has nullified the vulnerability that is present in the ECB mode of encryption. This mode of encryption is vulnerable to Padding Oracle Attacks and Bit Flipping Attacks which will be discussed in the next few blog posts. The encryption in the CBC mode looks like this:


Although the key used is same for every block, there is an additional step when compared to ECB and that is XORing of the padded plaintext block with a value and then encrypting it using a key. For the first block, the value is generated in a pseudo-random way for the first plaintext block, for the next block onwards, the value is the ciphertext block generated in the previous step.

So, using these essential characterstics peculiar to each mode, we are now able to decide if the cipher is encrypted using a particular mode (ECB or CBC). Following is the link to the python code for detecting this:

See you until next time!