Score:1

Impact of partitioning oracle attacks on file encryption?


I've just learned about partitioning oracle attacks recently, and I would like to clarify some things that are a little foggy to me right now.

According to this thread,

The aim is the recovery of a password pw. Consider that you want to test the membership of two passwords S∗1={pw1,pw2}. Create two keys K1=PBKDF(salt,pw1) and K2=PBKDF(salt,pw2) (the salt can be found by sniffing!), now use Dodis et al.'s approach [1] to construct a ciphertext C′ with a tag such that it decrypts correctly under the keys K1 and K2. Now send the splitting value V^ to the server. If the server indicates the decryption is successful then pw∈S∗1. By iterating this procedure the attacker can find the password in |D|/2+1 queries while the default brute-force requires |D| queries. This attack has degree 2; if degree k is possible then this will decrease the query amount substantially.

In this case, PBKDF is used to derive a key from the password. Assuming I use Argon2 with ample parameters (multi-second derivation), wouldn't this slow down the attacker to the point of making the attack impractical?

And from this thread, which relates to my question about file encryption,

This attack requires an oracle that returns a value, like the padding oracle attacks. If there is no return, then there is no test, even for a normal online password-guessing attack (k=1). They have looked at the libraries that use OPAQUE and AEAD schemes and saw that some of them are not applicable. See the "emits error" column. The attack on Shadowsocks was interesting since the attacker had a side channel to test.

So, without an oracle, a partitioning oracle attack would not be feasible. But at the same time, file encryption will be able to tell an attacker if data was decrypted successfully or not, which is related to partitioning oracle attacks. But then again, file encryption is an offline activity, so if there's no server involved, is there an oracle?

Would partitioning oracle attacks affect file encryption, assuming that a secure password is derived through Argon2 with secure parameters? Thanks in advance.
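The quoted attack relies on a ciphertext that decrypts correctly under two derived keys K1 and K2. As an added example (not from the asker or the cited thread), here is a minimal password-based file format whose header commits to exactly one derived key, so a blob that validates under K1 cannot also validate under K2. Assumptions: PBKDF2 stands in for Argon2, and an HMAC-SHA256 counter-mode stream plus an HMAC tag stands in for a real AEAD, so it runs with the standard library only.

```python
import hashlib
import hmac
import os

# Assumptions (not from the question): PBKDF2 in place of Argon2, and an
# HMAC-SHA256 keystream plus an HMAC tag in place of a real AEAD, so that
# the example runs with the Python standard library alone.
KDF_ITERATIONS = 200_000
COMMIT_LABEL = b"file-enc-v1/key-commitment"


def derive_key(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS, dklen=32)


def key_commitment(key: bytes) -> bytes:
    # A hash of the key stored in the header. It matches only one key unless a
    # SHA-256 second preimage is found, so one blob cannot validate under K1 and K2.
    return hashlib.sha256(COMMIT_LABEL + key).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
    return out[:length]


def encrypt(password: str, plaintext: bytes) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)
    key = derive_key(password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    # Header layout: salt(16) | nonce(16) | commitment(32) | tag(32) | ciphertext
    return salt + nonce + key_commitment(key) + tag + ct


def decrypt(password: str, blob: bytes):
    salt, nonce, commit = blob[:16], blob[16:32], blob[32:64]
    tag, ct = blob[64:96], blob[96:]
    key = derive_key(password, salt)
    if not hmac.compare_digest(commit, key_commitment(key)):
        return None  # wrong key: refuse before any tag or plaintext handling
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None  # ciphertext was modified
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))
```

The decryptor still reports success or failure, as the question notes file encryption must, but because the header is bound to a single key that report can only confirm one candidate password per KDF evaluation.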
