Join Log in
Score:0
Rohan Padshah avatar Crypto

Microsoft exchange server data breach relevance to IND-CPA, IND-CCA1, IND-CCA2

kw flag
Rohan Padshah

I was studying about the Microsoft exchange server data breach attack of 2021 as part of assignment case study. One of the tasks of the assignment it to find its relevance with IND-CPA, IND-CCA1, IND-CCA2 standards.

From my understanding the attack is seemed to be caused due to some logical bugs in the code base of certain versions of exchange server and attacker exploiting it with intelligently crafted HTTP request. While this standards talk about the strength of any encryption scheme.

Is there any possible link between the attack and standards that I am missing, is there any relevance between them at all?

53
0 + 6
fgrieu avatar
ng flag
fgrieu
IND-CPA (or IND-CCA1, IND-CCA2) is not a _standard_ (noun). It's a _security property_ for an encryption scheme, and has a standard (adjective) definition. The [info on Wikipedia about the data breach](https://en.wikipedia.org/wiki/2021_Microsoft_Exchange_Server_data_breach) is low on detail, do you have a better source?
1
Reply
Rohan Padshah avatar
kw flag
Rohan Padshah
@fgrieu please refer this blog. https://devco.re/blog/2021/08/06/a-new-attack-surface-on-MS-exchange-part-1-ProxyLogon/
1
Reply
SAI Peregrinus avatar
si flag
SAI Peregrinus
Part 2 links the relevant CVE: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31196
0
Reply
SAI Peregrinus avatar
si flag
SAI Peregrinus
There was a padding oracle attack. We don't provide direct answers to homework, but knowing the phrase "padding oracle" should be enough to figure out which IND- property/properties got violated.
1
Reply
Rohan Padshah avatar
kw flag
Rohan Padshah
@SAIPeregrinus What do you exactly mean by "There was a padding oracle attack" ? Also I am not looking for direct answer, just a hint or reference to get unblocked.
0
Reply
Mark avatar
ng flag
Mark
padding oracle attack is a standard phrase/technique, so that's a hint for what to read more about. In particular, you should examine whether an adversary can execute a padding oracle attack in the INDCPA, INDCCA1, or INDCCA2 attack models. These are linearly ordered, in the sense that if an adversary can execute the attack in the INDCPA model they can execute it in the INDCCA1 model (and similarly for INDCCA1 and INDCCA2). What is the minimal model they can execute the attack in though?
2
Reply
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.