Paper 2022/361

Base64 Malleability in Practice

Panagiotis Chatzigiannis and Konstantinos Chalkias

Abstract

Base64 encoding has been a popular method to encode binary data into printable ASCII characters. It is commonly used in several serialization protocols, web, and logging applications, while it is oftentimes the preferred method for human-readable database fields. However, while convenient and with a better compression rate than hex-encoding, the large number of base64 variants in related standards and proposed padding-mode optionality have been proven problematic in terms of security and cross-platform compatibility. This paper addresses a potential attack vector in the base64 decoding phase, where multiple different encodings can successfully decode into the same data, effectively breaking string uniqueness guarantees. The latter might result to log mismatches, denial of service attacks and duplicated database entries, among the others. Apart from documenting why canonicity can be broken by a malleable encoder, we also present an unexpected result, where most of today's base64 decoder libraries are not 100% compatible in their default settings. Some surprising results include the non-compatible behavior of major Rust base64 crates and between popular Javascript and NodeJS base64 implementations. Finally, we propose ways and test vectors for mitigating these issues until a more permanent solution is widely adopted.

Metadata
Available format(s)
PDF
Category
Implementation
Publication info
Published elsewhere. Minor revision.AsiaCCS 2022
Keywords
base64malleabilityencoding incompatibilitypadding attacks
Contact author(s)
chalkiaskostas @ gmail com
pchatzig @ gmu edu
History
2022-03-18: received
Short URL
https://ia.cr/2022/361
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2022/361,
      author = {Panagiotis Chatzigiannis and Konstantinos Chalkias},
      title = {Base64 Malleability in Practice},
      howpublished = {Cryptology ePrint Archive, Paper 2022/361},
      year = {2022},
      note = {\url{https://eprint.iacr.org/2022/361}},
      url = {https://eprint.iacr.org/2022/361}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.