ABSTRACT
Base64 encoding is a popular method for encoding binary data into printable ASCII characters. It is commonly used in serialization protocols, web and logging applications, and it is often the preferred representation for human-readable database fields. However, while convenient and more compact than hex encoding, the large number of base64 variants in related standards and the optionality of padding have proven problematic for both security and cross-platform compatibility.
This paper addresses a potential attack vector in the base64 decoding phase: multiple different encodings can successfully decode to the same data, which breaks string uniqueness guarantees. This can result in log mismatches, denial-of-service attacks and duplicated database entries, among others. Apart from documenting why canonicity can be broken by a malleable encoder, we also present an unexpected result: most of today's base64 decoder libraries are not fully compatible with each other in their default settings. Surprising cases include the incompatible behaviour of major Rust base64 crates and of popular JavaScript and NodeJS base64 implementations. Finally, we propose mitigations and test vectors for these issues until a more permanent solution is widely adopted.
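The abstract describes two sources of malleability: the unused low bits of the final data character (which a decoder may silently ignore) and the different alphabets and padding rules of the base64 variants. The following added example, written for this page and not taken from the paper, reproduces both with CPython's standard base64 module and shows one generic canonicity check: decode, re-encode, and require the result to equal the input. Function names, the constructed inputs (b"\x01", b"\x01\x02", "-_-_") and the reliance on CPython's default decoder behaviour are this example's own assumptions.

```python
"""Base64 malleability demo (added example; not code from the paper).

Uses CPython's own base64 module to show that several distinct strings
decode to the same bytes under a lenient decoder, and enforces the unique
(canonical) encoding by re-encoding and comparing.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple

_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
# RFC 4648 section 4 syntax: alphabet characters followed by at most two '=' pads.
_STD_RE = re.compile(r"[A-Za-z0-9+/]*={0,2}")


def lenient_decode(s: str) -> Optional[bytes]:
    """base64.b64decode with its default settings: characters outside the
    alphabet (whitespace, '-', '_', ...) are silently dropped and non-zero
    trailing bits are ignored. Returns None where the decoder raises."""
    try:
        return base64.b64decode(s)
    except (binascii.Error, ValueError):
        return None


def canonical_decode(s: str) -> bytes:
    """Accept s only if it is the single canonical encoding of its payload.

    Checks: strict syntax (no foreign characters, length a multiple of 4),
    a validating decode, and the round trip encode(decode(s)) == s, which
    catches non-zero trailing bits and padding games without having to
    model every decoder quirk individually."""
    if len(s) % 4 != 0 or not _STD_RE.fullmatch(s):
        raise ValueError(f"non-canonical base64 (syntax): {s!r}")
    raw = base64.b64decode(s, validate=True)
    if base64.b64encode(raw).decode("ascii") != s:
        raise ValueError(f"non-canonical base64 (trailing bits or padding): {s!r}")
    return raw


def is_canonical(s: str) -> bool:
    try:
        canonical_decode(s)
        return True
    except ValueError:
        return False


def trailing_bit_variants(data: bytes) -> List[str]:
    """All standard-alphabet strings that a decoder ignoring trailing bits
    maps to `data`: the canonical encoding first, then every setting of the
    unused low bits of the final data character (4 bits when
    len(data) % 3 == 1, 2 bits when it is 2, none when it is 0)."""
    canonical = base64.b64encode(data).decode("ascii")
    unused = {0: 0, 1: 4, 2: 2}[len(data) % 3]
    if unused == 0:
        return [canonical]
    body, pad = canonical.rstrip("="), "=" * canonical.count("=")
    last = _ALPHABET.index(body[-1]) & ~((1 << unused) - 1)  # clear the ignored bits
    return [body[:-1] + _ALPHABET[last | v] + pad for v in range(1 << unused)]


def collision_report(data: bytes) -> List[Tuple[str, bool, bool]]:
    """Per variant: (string, decodes to `data` leniently, accepted as canonical)."""
    return [(v, lenient_decode(v) == data, is_canonical(v))
            for v in trailing_bit_variants(data)]


if __name__ == "__main__":
    # Constructed input: a one-byte payload, so 16 strings collide under a lenient decoder
    # while only "AQ==" passes the canonical check.
    for row in collision_report(b"\x01"):
        print(row)
    # Other malleability sources: foreign characters are dropped, a missing pad
    # is rejected, and a URL-safe string fed to the standard decoder collapses to b"".
    for s in ["A Q==", "AQ==\n", "AQ", "-_-_"]:
        print(repr(s), "->", lenient_decode(s))
    print("urlsafe decoder:", base64.urlsafe_b64decode("-_-_"))
```

The round-trip test is the portable part of this check: it works with any decoder library, and it is the property a log pipeline or a database unique constraint actually needs, because it guarantees one string per payload regardless of how lenient the underlying decoder is.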
Index Terms
- Base64 Malleability in Practice