In "IEEE P1735 Encryption Is Broken—Flaws Allow Intellectual Property Theft" I came across the US-CERT note "IEEE P1735 implementations may have weak cryptographic protections". The core problem it describes:
The methods are flawed and, in the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP.
The main one should be the first item:
CVE-2017-13091: improperly specified padding in CBC mode allows use of an EDA tool as a decryption oracle.
Yet another CBC padding oracle attack... It looks like the root cause is that the standard never mandated a specific padding scheme?
The main vulnerability (CVE-2017-13091) resides in the IEEE P1735 standard's use of AES-CBC mode.
Since the standard makes no recommendation for any specific padding scheme, the developers often choose the wrong scheme, making it possible for attackers to use a well-known classic padding-oracle attack (POA) technique to decrypt the system-on-chip blueprints without knowledge of the key.
Cloudflare's post from last year, "Padding oracles and the decline of CBC-mode cipher suites", explains how padding oracle attacks work. The more general fix is to avoid having to choose for yourself between Encrypt-then-MAC (IPsec; also provably secure), Encrypt-and-MAC (SSH), or MAC-then-Encrypt (SSL), and instead use an AEAD construction (such as AES-GCM or ChaCha20-Poly1305), which removes some of the preconditions a padding oracle attack depends on.
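As an added example (not code from this post, from IEEE P1735, or from any EDA vendor), the Go program below shows the distinguishable behaviour being discussed: a CBC + PKCS#7 decryptor that reports padding failures separately answers differently for two tampered ciphertexts, while AES-GCM rejects both with the same authentication error. The key, IV and "IP" string are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
)
var ErrBadPadding = errors.New("bad padding")
// pkcs7Unpad returns a distinct error for malformed padding. Letting an
// untrusted caller observe that distinction is what makes a tool an oracle.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, ErrBadPadding
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrBadPadding
	}
	return b[:len(b)-n], nil
}
// cbcDecrypt models an EDA tool unwrapping IP protected with AES-CBC + PKCS#7.
func cbcDecrypt(block cipher.Block, iv, ct []byte) ([]byte, error) {
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}
// TamperErrors flips one bit in the first ciphertext block and one in the second-to-last
// block. CBC answers nil vs ErrBadPadding (the oracle); AES-GCM gives one uniform failure.
func TamperErrors() (cbc, gcm [2]error) {
	key := []byte("0123456789abcdef")                               // constructed demo key
	iv := []byte("fedcba9876543210")                                // constructed IV; GCM takes its first 12 bytes
	ip := []byte("module top; endmodule // constructed sample IP") // 46 bytes of "IP"
	block, _ := aes.NewCipher(key)
	g, _ := cipher.NewGCM(block)
	padded := append(append([]byte{}, ip...), 2, 2) // PKCS#7: 46 -> 48 bytes
	cbcCT := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(cbcCT, padded)
	gcmCT := g.Seal(nil, iv[:12], ip, nil)
	for i, pos := range []int{0, len(cbcCT) - aes.BlockSize - 1} {
		t := append([]byte{}, cbcCT...)
		t[pos] ^= 1 // garbles one plaintext block and flips one bit in the next
		_, cbc[i] = cbcDecrypt(block, iv, t)
		t = append([]byte{}, gcmCT...)
		t[pos] ^= 1 // any change fails the tag check; nothing else is reported
		_, gcm[i] = g.Open(nil, iv[:12], t, nil)
	}
	return cbc, gcm
}
```

The second CBC tamper lands on the final padding byte, so the decryptor's answer changes from "ok" to "bad padding" based purely on attacker-controlled input; the GCM path never reaches padding or content handling at all.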
But it's only in the last few years that people have come to understand how important this is; back when these specs were written, nobody paid much attention to it...