We build a practical partitioning oracle attack that quickly recovers passwords from Shadowsocks proxy servers. We also survey early implementations of the OPAQUE protocol for password-based key exchange, and show how many could be vulnerable to partitioning oracle attacks due to incorrectly using non-committing AEAD. Our results suggest that the community should standardize and make widely available committing AEAD to avoid such vulnerabilities.
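As an added illustration of the mitigation the abstract recommends (this is not code from the paper, from Shadowsocks or from any OPAQUE implementation), the toy AEAD below derives a key commitment from the key and checks it before it verifies the tag or decrypts, so a ciphertext can only be accepted under the one key it was produced with. The cipher is a hypothetical HMAC-SHA256 stream cipher chosen so the example runs with the Python standard library alone; a deployment would use a standardized committing AEAD, but the commit-then-verify structure is the point.

```python
import hmac
import hashlib

TAG_LEN = 32  # SHA-256 output; commitment and tag are each 32 bytes

def _prf(key: bytes, label: bytes) -> bytes:
    """Domain-separated PRF used for subkeys, keystream and commitment."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter mode over the PRF: block i = PRF(enc_key, nonce || i)
    out = b""
    counter = 0
    while len(out) < length:
        out += _prf(enc_key, nonce + counter.to_bytes(4, "big"))
        counter += 1
    return out[:length]

def _commitment(key: bytes, nonce: bytes) -> bytes:
    # Binds the ciphertext to this key: a different key yields a different value
    return _prf(key, b"commit" + nonce)

def commit_encrypt(key: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    # Length-prefix aad so (aad, ct) boundaries are unambiguous under the MAC
    tag = _prf(mac_key, nonce + len(aad).to_bytes(4, "big") + aad + ct)
    return _commitment(key, nonce) + ct + tag

def commit_decrypt(key: bytes, nonce: bytes, aad: bytes, blob: bytes):
    """Returns the plaintext, or None on any failure (wrong key or tampering)."""
    if len(blob) < 2 * TAG_LEN:
        return None
    commitment, ct, tag = blob[:TAG_LEN], blob[TAG_LEN:-TAG_LEN], blob[-TAG_LEN:]
    # Key-commitment check first: a key that did not produce this blob is
    # rejected here, independently of whether its tag would have verified.
    if not hmac.compare_digest(commitment, _commitment(key, nonce)):
        return None
    enc_key, mac_key = _prf(key, b"enc"), _prf(key, b"mac")
    expected = _prf(mac_key, nonce + len(aad).to_bytes(4, "big") + aad + ct)
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))
```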
Category / Keywords: applications / authenticated encryption, committing AEAD, robustness, key commitment, AES-GCM, chosen ciphertext attack
Original Publication (with major differences): USENIX Security 2021
Date: received 28 Nov 2020, last revised 11 Dec 2020
Contact author: jlen at cs cornell edu
Note: We updated our work to include a better discussion of prior work and incorporate miscellaneous feedback.
Version: 20201211:214322
Short URL: ia.cr/2020/1491