Padding Oracle Attack
   HOME

TheInfoList



OR:

In cryptography, a padding oracle attack is an attack which uses the
padding Padding is thin cushioned material sometimes added to clothes. Padding may also be referred to as batting when used as a layer in lining quilts or as a packaging or stuffing material. When padding is used in clothes, it is often done in an attempt ...
validation of a cryptographic message to decrypt the ciphertext. In cryptography, variable-length plaintext messages often have to be padded (expanded) to be compatible with the underlying cryptographic primitive. The attack relies on having a "padding oracle" who freely responds to queries about whether a message is correctly padded or not. Padding oracle attacks are mostly associated with CBC mode decryption used within
block cipher In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups of bits, called ''blocks''. Block ciphers are specified cryptographic primitive, elementary components in the design of many cryptographic protocols and ...
s. Padding modes for asymmetric algorithms such as OAEP may also be vulnerable to padding oracle attacks.


Symmetric cryptography

In symmetric cryptography, the padding
oracle attack In the field of security engineering, an oracle attack is an attack that exploits the availability of a weakness in a system that can be used as an "test oracle, oracle" to give a simple go/no go indication to inform attackers how close they are to ...
can be applied to the CBC mode of operation, where the "
oracle An oracle is a person or agency considered to provide wise and insightful counsel or prophetic predictions, most notably including precognition of the future, inspired by deities. As such, it is a form of divination. Description The word '' ...
" (usually a server) leaks data about whether the
padding Padding is thin cushioned material sometimes added to clothes. Padding may also be referred to as batting when used as a layer in lining quilts or as a packaging or stuffing material. When padding is used in clothes, it is often done in an attempt ...
of an encrypted message is correct or not. Such data can allow attackers to decrypt (and sometimes encrypt) messages through the oracle using the oracle's key, without knowing the encryption key.


Padding oracle attack on CBC encryption

The standard implementation of CBC decryption in block ciphers is to decrypt all ciphertext blocks, validate the padding, remove the PKCS7 padding, and return the message's plaintext. If the server returns an "invalid padding" error instead of a generic "decryption failed" error, the attacker can use the server as a padding oracle to decrypt (and sometimes encrypt) messages. The mathematical formula for CBC decryption is :P_i = D_K(C_i) \oplus C_, :C_0 = IV. As depicted above, CBC decryption XORs each plaintext block with the previous block. As a result, a single-byte modification in block C_1 will make a corresponding change to a single byte in P_2. Suppose the attacker has two ciphertext blocks C_1, C_2 and wants to decrypt the second block to get plaintext P_2. The attacker changes the last byte of C_1 (creating C_1') and sends (IV,C_1',C_2) to the server. The server then returns whether or not the padding of the last decrypted block (P_2') is correct (a valid PKCS#7 padding). If the padding is correct, the attacker now knows that the last byte of D_K(C_2) \oplus C_1' is \mathrm, the last two bytes are 0x02, the last three bytes are 0x03, …, or the last eight bytes are 0x08. The attacker can modify the second-last byte (flip any bit) to ensure that the last byte is 0x01. (Alternatively, the attacker can flip earlier bytes and
binary search In computer science, binary search, also known as half-interval search, logarithmic search, or binary chop, is a search algorithm that finds the position of a target value within a sorted array. Binary search compares the target value to the m ...
for the position to identify the padding. For example, if modifying the third-last byte is correct, but modifying the second-last byte is incorrect, then the last two bytes are known to be 0x02, allowing both of them to be decrypted.) Therefore, the last byte of D_K(C_2) equals C_1' \oplus \mathrm. If the padding is incorrect, the attacker can change the last byte of C_1' to the next possible value. At most, the attacker will need to make 256 attempts to find the last byte of P_2, 255 attempts for every possible byte (256 possible, minus one by
pigeonhole principle In mathematics, the pigeonhole principle states that if items are put into containers, with , then at least one container must contain more than one item. For example, if one has three gloves (and none is ambidextrous/reversible), then there mu ...
), plus one additional attempt to eliminate an ambiguous padding. After determining the last byte of P_2, the attacker can use the same technique to obtain the second-to-last byte of P_2. The attacker sets the last byte of P_2 to \mathrm by setting the last byte of C_1 to D_K(C_2) \oplus \mathrm. The attacker then uses the same approach described above, this time modifying the second-to-last byte until the padding is correct (0x02, 0x02). If a block consists of 128 bits ( AES, for example), which is 16 bytes, the attacker will obtain plaintext P_2 in no more than 256⋅16 = 4096 attempts. This is significantly faster than the 2^ attempts required to bruteforce a 128-bit key.


Encrypting messages with Padding oracle attack (CBC-R)

CBC-R turns a decryption oracle into an encryption oracle, and is primarily demonstrated against padding oracles. Using padding oracle attack CBC-R can craft an initialization vector and ciphertext block for any plaintext: * decrypt any ciphertext Pi = PODecrypt( Ci ) XOR Ci−1, * select previous cipherblock Cx−1 freely, * produce valid ciphertext/plaintext pair Cx-1 = Px XOR PODecrypt( Ci ). To generate a ciphertext that is N blocks long, attacker must perform N numbers of padding oracle attacks. These attacks are chained together so that proper plaintext is constructed in reverse order, from end of message (CN) to beginning message (C0, IV). In each step, padding oracle attack is used to construct the IV to the previous chosen ciphertext. The CBC-R attack will not work against an encryption scheme that authenticates ciphertext (using a
message authentication code In cryptography, a message authentication code (MAC), sometimes known as a ''tag'', is a short piece of information used for authenticating a message. In other words, to confirm that the message came from the stated sender (its authenticity) and ...
or similar) before decrypting.


Attacks using padding oracles

The original attack was published in 2002 by
Serge Vaudenay Serge Vaudenay (born 5 April 1968) is a French cryptographer and professor, director of the Communications Systems Section at the École Polytechnique Fédérale de Lausanne Serge Vaudenay entered the École Normale Supérieure in Paris as a '' ...
. Concrete instantiations of the attack were later realised against SSL and IPSec. It was also applied to several
web framework A web framework (WF) or web application framework (WAF) is a software framework that is designed to support the development of web applications including web services, web resources, and web APIs. Web frameworks provide a standard way to build and ...
s, including
JavaServer Faces Jakarta Faces, formerly Jakarta Server Faces and JavaServer Faces (JSF) is a Java specification for building component-based user interfaces for web applications and was formalized as a standard through the Java Community Process being part of t ...
,
Ruby on Rails Ruby on Rails (simplified as Rails) is a server-side web application framework written in Ruby under the MIT License. Rails is a model–view–controller (MVC) framework, providing default structures for a database, a web service, and web p ...
and
ASP.NET ASP.NET is an open-source, server-side web-application framework designed for web development to produce dynamic web pages. It was developed by Microsoft to allow programmers to build dynamic web sites, applications and services. The name s ...
as well as other software, such as the
Steam Steam is a substance containing water in the gas phase, and sometimes also an aerosol of liquid water droplets, or air. This may occur due to evaporation or due to boiling, where heat is applied until water reaches the enthalpy of vaporization ...
gaming client. In 2012 it was shown to be effective against some hardened security devices. While these earlier attacks were fixed by most TLS implementors following its public announcement, a new variant, the
Lucky Thirteen attack A Lucky Thirteen attack is a cryptographic timing attack against implementations of the Transport Layer Security (TLS) protocol that use the CBC mode of operation, first reported in February 2013 by its developers Nadhem J. AlFardan and Kenny Pater ...
, published in 2013, used a timing side-channel to re-open the vulnerability even in implementations that had previously been fixed. As of early 2014, the attack is no longer considered a threat in real-life operation, though it is still workable in theory (see
signal-to-noise ratio Signal-to-noise ratio (SNR or S/N) is a measure used in science and engineering that compares the level of a desired signal to the level of background noise. SNR is defined as the ratio of signal power to the noise power, often expressed in deci ...
) against a certain class of machines. , the most active area of development for attacks upon cryptographic protocols used to secure Internet traffic are
downgrade attack A downgrade attack, also called a bidding-down attack or version rollback attack, is a form of cryptographic attack on a computer system or communications protocol that makes it abandon a high-quality mode of operation (e.g. an encrypted connec ...
, such as Logjam and Export RSA/FREAK attacks, which trick clients into using less-secure cryptographic operations provided for compatibility with legacy clients when more secure ones are available. An attack called
POODLE , nickname = , stock = , country = Germany or France (see history) , height = , maleheight = , femaleheight = , weight = , maleweight = , femaleweight = , coat ...
(late 2014) combines both a downgrade attack (to SSL 3.0) with a padding oracle attack on the older, insecure protocol to enable compromise of the transmitted data. In May 2016 it has been revealed in that the fix against Lucky Thirteen in OpenSSL introduced another padding oracle.


References

{{SSL/TLS Cryptographic attacks Transport Layer Security Computation oracles