Padding oracle attack

In cryptography, variable-length plaintext messages often have to be padded (expanded) to be compatible with the underlying cryptographic primitive.[1]

The term "padding oracle" appeared in literature in 2002,[2] after Serge Vaudenay's attack on the CBC mode decryption used within symmetric block ciphers.[3]

Variants of both attacks continue to find success more than one decade after their original publication.[6]

In symmetric cryptography, the padding oracle attack can be applied to the CBC mode of operation.

Leaked data on padding validity can allow attackers to decrypt (and sometimes encrypt) messages through the oracle, which applies the key on their behalf, without the attacker ever learning the encryption key.[1]

Both attacks target crypto systems commonly used for the time: CBC is the original mode used in Secure Sockets Layer (SSL) and had continued to be supported in TLS.[4]

A number of mitigations have been performed to prevent the decryption software from acting as an oracle, but newer attacks based on timing have repeatedly revived this oracle.

TLS 1.2 introduces a number of authenticated encryption with additional data modes that do not rely on CBC.[4]

The standard implementation of CBC decryption in block ciphers is to decrypt all ciphertext blocks, validate the padding, remove the PKCS7 padding, and return the message's plaintext.

If the server returns an "invalid padding" error instead of a generic "decryption failed" error, the attacker can use the server as a padding oracle to decrypt (and sometimes encrypt) messages.

The mathematical formula for CBC decryption is

As depicted above, CBC decryption XORs the output of each block decryption with the previous ciphertext block to recover the plaintext block.

The server then returns whether or not the padding of the last decrypted block (

If the padding is correct, the attacker now knows that the last byte of

(Alternatively, the attacker can flip earlier bytes and binary search for the position to identify the padding.

If the padding is incorrect, the attacker can change the last byte of

The attacker then uses the same approach described above, this time modifying the second-to-last byte until the padding is correct (0x02, 0x02).

If a block consists of 128 bits (AES, for example), which is 16 bytes, the attacker will obtain plaintext
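To make the distinction described above concrete, here is an added example in Python (not code from the original article): a decryptor that reports "invalid padding" as a separate error, an encrypt-then-MAC version that authenticates the ciphertext before decrypting and returns one generic error, and a check that varies the byte XORed into the last plaintext byte and collects the distinct replies. The block cipher is a constructed XOR stand-in, the message, keys and IV are made up for the demonstration, and the function names `vulnerable_oracle`, `hardened_oracle` and `distinct_responses` are chosen here.

```python
import hashlib, hmac, os

BLOCK = 16
xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))
# Toy block "cipher" (XOR with the key; constructed, not secure): the oracle below
# comes from the padding check, not from the cipher.
enc_block = dec_block = lambda key, blk: xor(blk, key)
def pkcs7_unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]

def cbc_encrypt(key, iv, msg):
    n = BLOCK - len(msg) % BLOCK
    pt, out, prev = msg + bytes([n]) * n, b"", iv  # PKCS7-pad, then chain
    for i in range(0, len(pt), BLOCK):
        prev = enc_block(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):  # P_i = D_K(C_i) XOR C_{i-1}
        out += xor(dec_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out
def vulnerable_oracle(key, iv, ct):  # decrypt, check padding, report which check failed
    try:
        pkcs7_unpad(cbc_decrypt(key, iv, ct))
        return "ok"
    except ValueError as e:
        return str(e)  # "invalid padding" reaches the caller: this is the oracle

def hardened_oracle(key, mac_key, iv, ct, tag):  # encrypt-then-MAC, one generic error
    if not hmac.compare_digest(hmac.new(mac_key, iv + ct, hashlib.sha256).digest(), tag):
        return "decryption failed"  # tampered input never reaches the padding check
    return "ok" if vulnerable_oracle(key, iv, ct) == "ok" else "decryption failed"

def distinct_responses(respond, iv, ct):
    # Vary the byte that is XORed into the last plaintext byte; collect the replies.
    data, pos = iv + ct, len(iv + ct) - BLOCK - 1
    probes = (data[:pos] + bytes([v]) + data[pos + 1:] for v in range(256) if v != data[pos])
    return {respond(p[:BLOCK], p[BLOCK:]) for p in probes}

def demo():
    key, mac_key, iv = os.urandom(16), os.urandom(16), os.urandom(16)
    ct = cbc_encrypt(key, iv, b"attack at dawn")  # constructed sample message
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    leaky = distinct_responses(lambda i, c: vulnerable_oracle(key, i, c), iv, ct)
    safe = distinct_responses(lambda i, c: hardened_oracle(key, mac_key, i, c, tag), iv, ct)
    return leaky, safe  # ({"ok", "invalid padding"}, {"decryption failed"})
```

`demo()` returns two distinguishable replies for the leaky decryptor and a single one for the hardened version; a single reply class for every modified ciphertext is the property to verify in any CBC decryption path.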

Using the padding oracle attack, CBC-R can craft an initialization vector and ciphertext block for any plaintext: to generate a ciphertext that is N blocks long, the attacker must perform N padding oracle attacks.

These attacks are chained together so that the proper plaintext is constructed in reverse order, from the end of the message (CN) to its beginning (C0, IV).

In each step, the padding oracle attack is used to construct the IV for the previously chosen ciphertext block.

The original attack against CBC was published in 2002 by Serge Vaudenay.[3]

Concrete instantiations of the attack were later realised against SSL[9] and IPSec.[10][11]

It was also applied to several web frameworks, including JavaServer Faces, Ruby on Rails[12] and ASP.NET,[13][14][15] as well as other software, such as the Steam gaming client.[16]

In 2012 it was shown to be effective against PKCS 11 cryptographic tokens.[1]

While these earlier attacks were fixed by most TLS implementors following their public announcement, a new variant, the Lucky Thirteen attack, published in 2013, used a timing side-channel to re-open the vulnerability even in implementations that had previously been fixed.

As of early 2014, the attack is no longer considered a threat in real-life operation, though it is still workable in theory (see signal-to-noise ratio) against a certain class of machines.

As of 2015, the most active area of development for attacks upon cryptographic protocols used to secure Internet traffic is downgrade attacks, such as Logjam[17] and Export RSA/FREAK,[18] which trick clients into using less-secure cryptographic operations provided for compatibility with legacy clients when more secure ones are available.

In May 2016 it was revealed in CVE-2016-2107 that the fix against Lucky Thirteen in OpenSSL had introduced another timing-based padding oracle.