In cryptography, a padding oracle attack is an attack which uses the padding validation of a cryptographic message to decrypt the ciphertext. In cryptography, variable-length plaintext messages often have to be padded (expanded) to be compatible with the underlying cryptographic primitive. The attack relies on having a "padding oracle" who freely responds to queries about whether a message is correctly padded or not. Padding oracle attacks are mostly associated with CBC mode decryption used within block ciphers. Padding modes for asymmetric algorithms such as OAEP may also be vulnerable to padding oracle attacks.[1]

## Symmetric cryptography

In symmetric cryptography, the padding oracle attack can be applied to the CBC mode of operation, where the "oracle" (usually a server) leaks data about whether the padding of an encrypted message is correct or not. Such data can allow attackers to decrypt (and sometimes encrypt) messages through the oracle using the oracle's key, without knowing the encryption key.

### Padding oracle attack on CBC encryption

The standard implementation of CBC decryption in block ciphers is to decrypt all ciphertext blocks, validate the padding, remove the PKCS7 padding, and return the message's plaintext. If the server returns an "invalid padding" error instead of a generic "decryption failed" error, the attacker can use the server as a padding oracle to decrypt (and sometimes encrypt) messages.

The mathematical formula for CBC decryption is

${\displaystyle P_{i}=D_{K}(C_{i})\oplus C_{i-1},}$
${\displaystyle C_{0}=IV.}$

As depicted above, CBC decryption XORs each plaintext block with the previous ciphertext block. As a result, a single-byte modification in block ${\displaystyle C_{1}}$ will make a corresponding change to a single byte in ${\displaystyle P_{2}}$.

Suppose the attacker has two ciphertext blocks ${\displaystyle C_{1},C_{2}}$ and he wants to decrypt the second block to get plaintext ${\displaystyle P_{2}}$. The attacker changes the last byte of ${\displaystyle C_{1}}$ (creating ${\displaystyle C_{1}'}$) and sends ${\displaystyle (IV,C_{1}',C_{2})}$ to the server. The server then returns whether or not the padding of the last decrypted block (${\displaystyle P_{2}'}$) is correct (equal to 0x01). If the padding is correct, the attacker now knows that the last byte of ${\displaystyle D_{K}(C_{2})\oplus C_{1}'}$ is ${\displaystyle \mathrm {0x01} }$. Therefore, ${\displaystyle D_{K}(C_{2})=C_{1}'\oplus \mathrm {0x01} }$. If the padding is incorrect, the attacker can change the last byte of ${\displaystyle C_{1}'}$ to the next possible value. At most, the attacker will need to make 256 attempts (one guess for every possible byte) to find the last byte of ${\displaystyle P_{2}}$. If the decrypted block contains padding information or bytes used for padding then an additional attempt will need to be made to resolve this ambiguity.[2]

After determining the last byte of ${\displaystyle P_{2}}$, the attacker can use the same technique to obtain the second-to-last byte of ${\displaystyle P_{2}}$. The attacker sets the last byte of ${\displaystyle P_{2}}$ to ${\displaystyle \mathrm {0x02} }$ by setting the last byte of ${\displaystyle C_{1}}$ to ${\displaystyle D_{K}(C_{2})\oplus \mathrm {0x02} }$. The attacker then uses the same approach described above, this time modifying the second-to-last byte until the padding is correct (0x02, 0x02).

If a block consists of 128 bits (AES, for example), which is 16 bytes, the attacker will obtain plaintext ${\displaystyle P_{2}}$ in no more than 255⋅16 = 4080 attempts. This is significantly faster than the ${\displaystyle 2^{128}}$ attempts required to bruteforce a 128-bit key.

The original attack was published in 2002 by Serge Vaudenay.[3] Concrete instantiations of the attack were later realised against SSL[4] and IPSec [5][6]. It was also applied to several web frameworks, including JavaServer Faces, Ruby on Rails[7] and ASP.NET[8][9][10] as well as other software, such as Steam gaming client.[11] In 2012 it was shown to be effective against some hardened security devices.[12]

While these earlier attacks were fixed by most TLS implementors following its public announcement, a new variant, the Lucky Thirteen attack, published in 2013, used a timing side-channel to re-open the vulnerability even in implementations that had previously been fixed. As of early 2014, the attack is no longer considered a threat in real-life operation, though it is still workable in theory (see signal-to-noise ratio) against a certain class of machines. As of 2015, the most active area of development for attacks upon cryptographic protocols used to secure Internet traffic are downgrade attack, such as Logjam[13] and Export RSA/FREAK[14] attacks, which trick clients into using less-secure cryptographic operations provided for compatibility with legacy clients when more secure ones are available. An attack called POODLE[15] (late 2014) combines both a downgrade attack (to SSL 3.0) with a padding oracle attack on the older, insecure protocol to enable compromise of the transmitted data. In May 2016 it has been revealed in CVE-2016-2107 that the fix against Lucky Thirteen in OpenSSL introduced another padding oracle.[16][17]

## References

1. ^ Manger, James. "A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0" (PDF). Telstra Research Laboratories.
2. ^
3. ^ Serge Vaudenay (2002). Security Flaws Induced by CBC Padding Applications to SSL, IPSEC, WTLS... (PDF). EUROCRYPT 2002.
4. ^ Brice Canvel; Alain Hiltgen; Serge Vaudenay; Martin Vuagnoux (2003), Password Interception in a SSL/TLS Channel (PDF).
5. ^ Jean Paul Degabriele; Kenneth G. Paterson (2007), Attacking the IPsec Standards in Encryption-only Configurations.
6. ^ Jean Paul Degabriele; Kenneth G. Paterson (2010), On the (In)Security of IPsec in MAC-then-Encrypt Configurations.
7. ^ Juliano Rizzo; Thai Duong (2010-05-25). Practical Padding Oracle Attacks (PDF). USENIX WOOT 2010.
8. ^ Thai Duong; Juliano Rizzo (2011). Cryptography in the Web: The Case of Cryptographic Design Flaws in ASP.NET (PDF). IEEE Symposium on Security and Privacy 2011.
9. ^ Dennis Fisher (13 September 2010). "'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps". Threat Post. Archived from the original on 13 October 2010.