Last modified: 24 jan 2003

-- cbcpad Installation:
	See INSTALL for installation information.

-- cbcpad Information:

	*Abstract*
	Simple password authentication is often used, e.g. by an email client
	application logging in to a remote IMAP server. This is frequently done
	inside a protected peer-to-peer tunnel, e.g. TLS.
	At Eurocrypt'02 Vaudenay presented vulnerabilities in the padding schemes
	used for block ciphers in CBC mode. The attack used a side channel, namely
	the error information returned by the padding verification. It was not
	possible against TLS because the side channel is unavailable (errors are
	encrypted) and because the session is aborted prematurely in case of
	errors. In this README we extend the attack and show that it is actually
	applicable against TLS for password interception.

	*Conditions of this attack*
	The attack only works against Outlook Express, because the string it sends
	is especially efficient.
	Thanks Microsoft :)

	*Cryptographic Informations*
	Check out src/cbc_sha_attack.c to understand the algorithm of the attack.

	*Example of an attack*
	Let H be the evil hacker ;)
	Let S be the IMAP server.
	Let C be the client.

	First launch omen: omen -l 993 -r <ip_of_S>:<port_of_S> -a 0

	With no threshold (-t) the program tries to find the timing threshold
	between a BAD_RECORD_MAC and a DECRYPTION_FAILED automatically.
	The returned value is in microseconds, e.g. 3400 us.

	Then re-launch omen: omen -l 993 -r <ip_of_S>:<port_of_S> -a 0 -t 3400

	The attack begins and you can see the password appear in clear text.
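	As an added illustration (not code from cbcpad/omen), here is the record-check order that creates the timing difference the tool measures, next to the order that closes it: the key, block size and record contents are constructed for the demo, and the functions operate on already-decrypted TLS 1.0 record plaintext.

```python
# Added example, not part of cbcpad/omen. Models the two ways a TLS 1.0 receiver
# can check a decrypted CBC record (data || HMAC || padding || pad_len).
import hmac
import hashlib

BLOCK = 8      # assumption: 8-byte blocks (3DES-style), as in the 2003 setting
MAC_LEN = 20   # HMAC-SHA1 tag length
KEY = b"constructed-demo-mac-key"  # constructed key, not from any real session

def make_record(data: bytes, key: bytes = KEY) -> bytes:
    """Build record plaintext: data || HMAC-SHA1 || (n+1) padding bytes of value n."""
    body = data + hmac.new(key, data, hashlib.sha1).digest()
    n = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    return body + bytes([n]) * (n + 1)

def padding_ok(plain: bytes):
    """TLS padding rule: last byte n, preceded by n more bytes all equal to n."""
    n = plain[-1]
    if n + 1 + MAC_LEN > len(plain):
        return False, 0
    return plain[-(n + 1):] == bytes([n]) * (n + 1), n

def mac_ok(plain: bytes, n: int, key: bytes = KEY) -> bool:
    """Strip n+1 padding bytes, then verify the HMAC over what is left."""
    body = plain[:len(plain) - (n + 1)]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(hmac.new(key, data, hashlib.sha1).digest(), tag)

def verify_leaky(plain: bytes, key: bytes = KEY) -> str:
    """Vulnerable order: bad padding is rejected before the MAC is computed,
    so DECRYPTION_FAILED is produced measurably faster than BAD_RECORD_MAC."""
    ok, n = padding_ok(plain)
    if not ok:
        return "DECRYPTION_FAILED"
    return "OK" if mac_ok(plain, n, key) else "BAD_RECORD_MAC"

def verify_uniform(plain: bytes, key: bytes = KEY) -> str:
    """Hardened order: on bad padding assume zero-length padding, still run the
    MAC over the record, and report one error for both failure causes."""
    ok, n = padding_ok(plain)
    if not ok:
        n = 0
    good = mac_ok(plain, n, key)
    return "OK" if (ok and good) else "BAD_RECORD_MAC"
```

	TLS 1.1 (RFC 4346) specified the same change: a single bad_record_mac alert and a MAC computation whether or not the padding is valid. A smaller timing difference remains because the MAC input length still depends on the padding byte, which is what the 2013 Lucky 13 work exploited.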

	That's all folks.
