In cryptography, a padding oracle attack is an attack which is performed using the padding of a cryptographic message. In cryptography, variable-length plaintext messages often have to be padded (expanded) to be compatible with the underlying cryptographic primitive. The attack relies on having a "padding oracle" which freely responds to queries about whether a message is correctly padded or not. Padding oracle attacks are mostly associated with CBC mode decryption used within block ciphers. Padding modes for asymmetric algorithms such as OAEP may also be vulnerable to padding oracle attacks.
Symmetric cryptography
In symmetric cryptography, the padding oracle attack can be applied to the CBC mode of operation, where the "oracle" (usually a server) leaks data about whether the padding of an encrypted message is correct or not. Such data can allow attackers to decrypt (and sometimes encrypt) messages through the oracle using the oracle's key, without knowing the encryption key.
Example of the attack on CBC encryption
Suppose the attacker has three ciphertext blocks
CBC decryption works as follows:
Let
After they know the last byte of
If any block consists of 128 bits (AES, for example), which is 16 bytes, the attacker will obtain plaintext
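The following is an added example, not code from the article, showing where the oracle described above comes from and how to remove it. It implements PKCS#7 padding, CBC mode over a toy keyed Feistel block cipher (a hypothetical, insecure stand-in for AES, used only so the example runs without third-party libraries), a MAC-then-encrypt receiver that raises a distinguishable padding error (the oracle), and an encrypt-then-MAC receiver that authenticates the ciphertext before any padding is inspected. The `error_classes` probe is the check a defender would run against a decryption endpoint: it tampers with one ciphertext byte and records whether more than one failure class is observable. All function and class names are the example's own.

```python
import hashlib
import hmac
import os

BLOCK = 16      # block size in bytes, as for AES
TAG = 32        # HMAC-SHA256 tag length


class PaddingError(Exception):
    """Malformed PKCS#7 padding: the signal a padding oracle leaks."""


class MacError(Exception):
    """Tag mismatch in the MAC-then-encrypt receiver (distinguishable from PaddingError)."""


class AuthError(Exception):
    """The single, uniform failure raised by the hardened receiver."""


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise PaddingError("bad length")
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("bad padding")
    return data[:-n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed round function of the toy Feistel cipher (hypothetical stand-in for AES).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out += _xor(toy_block_decrypt(key, c), prev)   # P_i = D(C_i) xor C_{i-1}
        prev = c
    return out


# --- Vulnerable: MAC-then-encrypt, padding checked before the tag ---------------
def vulnerable_send(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    tag = hmac.new(mac_key, msg, hashlib.sha256).digest()
    return iv + cbc_encrypt(enc_key, iv, pkcs7_pad(msg + tag))


def vulnerable_receive(enc_key: bytes, mac_key: bytes, packet: bytes) -> bytes:
    iv, ct = packet[:BLOCK], packet[BLOCK:]
    data = pkcs7_unpad(cbc_decrypt(enc_key, iv, ct))          # raises PaddingError
    msg, tag = data[:-TAG], data[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, msg, hashlib.sha256).digest()):
        raise MacError("bad tag")                              # a second, distinct failure
    return msg


# --- Hardened: encrypt-then-MAC, tampered ciphertext never reaches the unpadder --
def hardened_send(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(enc_key, iv, pkcs7_pad(msg))
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def hardened_receive(enc_key: bytes, mac_key: bytes, packet: bytes) -> bytes:
    body, tag = packet[:-TAG], packet[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise AuthError("rejected")
    try:
        return pkcs7_unpad(cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:]))
    except PaddingError:
        raise AuthError("rejected") from None                  # one uniform failure class


def error_classes(receive, packet: bytes, index: int) -> set:
    """Defender's check: XOR byte `index` of `packet` with every non-zero value and
    collect the failure classes the receiver reveals. A receiver that is not a
    padding oracle shows exactly one class."""
    seen = set()
    for delta in range(1, 256):
        tampered = bytearray(packet)
        tampered[index] ^= delta
        try:
            receive(bytes(tampered))
            seen.add("ok")
        except Exception as exc:
            seen.add(type(exc).__name__)
    return seen


def demo(enc_key: bytes = b"k" * 16, mac_key: bytes = b"m" * 16, msg: bytes = b"hello") -> dict:
    v = vulnerable_send(enc_key, mac_key, msg)
    h = hardened_send(enc_key, mac_key, msg)
    # Tamper with the last byte of the next-to-last ciphertext block in each packet.
    return {
        "vulnerable": error_classes(lambda p: vulnerable_receive(enc_key, mac_key, p), v, len(v) - BLOCK - 1),
        "hardened": error_classes(lambda p: hardened_receive(enc_key, mac_key, p), h, len(h) - TAG - BLOCK - 1),
    }
```

Running `demo()` shows the vulnerable receiver answering tampered packets with two distinguishable outcomes (`PaddingError` for most values, `MacError` for the one value that happens to produce valid padding), which is exactly the yes/no padding oracle the article describes; the hardened receiver answers every tampered packet with the same `AuthError`, so there is nothing left to query. The same uniformity requirement applies to timing, which is why the Lucky Thirteen variant below still worked against implementations that had only unified their error messages.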
Attacks using padding oracles
The original attack was published in 2002 by Serge Vaudenay. The attack was applied to several web frameworks, including JavaServer Faces, Ruby on Rails and ASP.NET, as well as other software, such as the Steam gaming client. In 2012 it was shown to be effective against some hardened security devices.
While these earlier attacks were fixed by most TLS implementors following their public announcement, a new variant, the Lucky Thirteen attack, published in 2013, used a timing side-channel to re-open the vulnerability even in implementations that had previously been fixed. As of early 2014, the attack is no longer considered a threat in real-life operation, though it is still workable in theory (see signal-to-noise ratio) against a certain class of machines. As of 2015, the most active area of development for attacks upon cryptographic protocols used to secure Internet traffic is downgrade attacks, such as Logjam and Export RSA/FREAK, which trick clients into using less-secure cryptographic operations provided for compatibility with legacy clients when more secure ones are available. An interesting attack called POODLE (late 2014) combines a downgrade attack (to SSL 3.0) with a padding oracle attack on the older, insecure protocol to enable compromise of the transmitted data. In May 2016 it was revealed in CVE-2016-2107 that the fix against Lucky Thirteen in OpenSSL had introduced another padding oracle.