In cryptography, apadding oracle attack is an attack which uses thepadding validation of a cryptographic message to decrypt the ciphertext. In cryptography, variable-length plaintext messages often have to be padded (expanded) to be compatible with the underlyingcryptographic primitive. The attack relies on having a "paddingoracle" which freely responds to queries about whether a message is correctly padded or not. The information could be directly given, or leaked through aside-channel.

The earliest well-known attack that uses a padding oracle isBleichenbacher's attack of 1998, which attacksRSA withPKCS #1 v1.5 padding.^[1] The term "padding oracle" appeared in literature in 2002,^[2] afterSerge Vaudenay's attack on theCBC mode decryption used within symmetricblock ciphers.^[3] Variants of both attacks continue to find success more than one decade after their original publication.^[1][4][5]

In 1998,Daniel Bleichenbacher published a seminal paper on what became known asBleichenbacher's attack (also known as "million message attack"). The attack uses a padding oracle againstRSA withPKCS #1 v1.5 padding, but it does not include the term. Later authors have classified his attack as a padding oracle attack.^[1]

Manger (2001) reports an attack on the replacement for PKCS #1 v1.5 padding, PKCS #1 v2.0 "OAEP".^[6]

In symmetric cryptography, the paddingoracle attack can be applied to theCBC mode of operation. Leaked data on padding validity can allow attackers to decrypt (and sometimes encrypt) messages through the oracle using the oracle's key, without knowing the encryption key.

Compared to Bleichenbacher's attack on RSA with PKCS #1 v1.5, Vaudenay's attack on CBC is much more efficient.^[1] Both attacks target crypto systems commonly used for the time: CBC is the original mode used inSecure Sockets Layer (SSL) and had continued to be supported in TLS.^[4]

A number of mitigations have been performed to prevent the decryption software from acting as an oracle, but newerattacks based on timing have repeatedly revived this oracle. TLS 1.2 introduces a number ofauthenticated encryption with additional data modes that do not rely on CBC.^[4]

The standard implementation of CBC decryption in block ciphers is to decrypt all ciphertext blocks, validate the padding, remove thePKCS7 padding, and return the message's plaintext. If the server returns an "invalid padding" error instead of a generic "decryption failed" error, the attacker can use the server as a padding oracle to decrypt (and sometimes encrypt) messages.

The mathematical formula for CBC decryption is

${\displaystyle P_i=D_K(C_i)\oplus C_{i-1},\text{ if }i\in \{1,N\}}$

${\displaystyle P_0=IV\oplus D_K(C_0).}$

As depicted above, CBC decryption XORs each plaintext block with the previous block.As a result, a single-byte modification in block${\displaystyle C_1}$ will make a corresponding change to a single byte in${\displaystyle P_2}$.

Suppose the attacker has two ciphertext blocks${\displaystyle C_1,C_2}$ and wants to decrypt the second block to get plaintext${\displaystyle P_2}$.The attacker changes the last byte of${\displaystyle C_1}$ (creating${\displaystyle C_1^{\prime }}$) and sends${\displaystyle (IV,C_1^{\prime },C_2)}$ to the server.The server then returns whether or not the padding of the last decrypted block (${\displaystyle P_2^{\prime }}$) is correct (a valid PKCS#7 padding).If the padding is correct, the attacker now knows that the last byte of${\displaystyle D_K(C_2)\oplus C_1^{\prime }}$ is${\displaystyle 0\mathrm{x}01}$, the last two bytes are 0x02, the last three bytes are 0x03, …, or the last eight bytes are 0x08. The attacker can modify the second-last byte (flip any bit) to ensure that the last byte is 0x01. (Alternatively, the attacker can flip earlier bytes andbinary search for the position to identify the padding. For example, if modifying the third-last byte is correct, but modifying the second-last byte is incorrect, then the last two bytes are known to be 0x02, allowing both of them to be decrypted.) Therefore, the last byte of${\displaystyle D_K(C_2)}$ equals${\displaystyle C_1^{\prime }\oplus 0\mathrm{x}01}$.If the padding is incorrect, the attacker can change the last byte of${\displaystyle C_1^{\prime }}$ to the next possible value.At most, the attacker will need to make 256 attempts to find the last byte of${\displaystyle P_2}$, 255 attempts for every possible byte (256 possible, minus one bypigeonhole principle), plus one additional attempt to eliminate an ambiguous padding.^[7]

After determining the last byte of${\displaystyle P_2}$, the attacker can use the same technique to obtain the second-to-last byte of${\displaystyle P_2}$.The attacker sets the last byte of${\displaystyle P_2}$ to${\displaystyle 0\mathrm{x}02}$ by setting the last byte of${\displaystyle C_1}$ to${\displaystyle D_K(C_2)\oplus 0\mathrm{x}02}$.The attacker then uses the same approach described above, this time modifying the second-to-last byte until the padding is correct (0x02, 0x02).

If a block consists of 128 bits (AES, for example), which is 16 bytes, the attacker will obtain plaintext${\displaystyle P_2}$ in no more than 256⋅16 = 4096 attempts. This is significantly faster than the${\displaystyle 2^{128}}$ attempts required to bruteforce a 128-bit key.

CBC-R^[8] turns a decryption oracle into an encryption oracle, and is primarily demonstrated against padding oracles.

Using padding oracle attack CBC-R can craft an initialization vector and ciphertext block for any plaintext:

• decrypt any ciphertextP_i = PODecrypt(C_i )⊕C_i−1,
• select previous cipherblockC_x−1 freely,
• produce valid ciphertext/plaintext pairC_x-1 =P_x ⊕ PODecrypt(C_i ).

To generate a ciphertext that isN blocks long, attacker must performN numbers of padding oracle attacks. These attacks are chained together so that proper plaintext is constructed in reverse order, from end of message (C_N) to beginning message (C₀, IV). In each step, padding oracle attack is used to construct the IV to the previous chosen ciphertext.

The CBC-R attack will not work against an encryption scheme that authenticates ciphertext (using amessage authentication code or similar) before decrypting.

The original attack against CBC was published in 2002 bySerge Vaudenay.^[3] Concrete instantiations of the attack were later realised against SSL^[9] and IPSec.^[10][11] It was also applied to severalweb frameworks, includingJavaServer Faces,Ruby on Rails^[12] andASP.NET^[13][14][15] as well as other software, such as theSteam gaming client.^[16] In 2012 it was shown to be effective againstPKCS 11 cryptographic tokens.^[1]

While these earlier attacks were fixed by mostTLS implementors following its public announcement, a new variant, theLucky Thirteen attack, published in 2013, used a timing side-channel to re-open the vulnerability even in implementations that had previously been fixed. As of early 2014, the attack is no longer considered a threat in real-life operation, though it is still workable in theory (seesignal-to-noise ratio) against a certain class of machines. As of 2015^[update], the most active area of development for attacks upon cryptographic protocols used to secure Internet traffic aredowngrade attack, such as Logjam^[17] and Export RSA/FREAK^[18] attacks, which trick clients into using less-secure cryptographic operations provided for compatibility with legacy clients when more secure ones are available. An attack calledPOODLE^[19] (late 2014) combines both a downgrade attack (to SSL 3.0) with a padding oracle attack on the older, insecure protocol to enable compromise of the transmitted data. In May 2016 it has been revealed inCVE-2016-2107 that the fix against Lucky Thirteen in OpenSSL introduced another timing-based padding oracle.^[20][21]

• Cryptographic attacks
• Transport Layer Security
• Computation oracles

• Webarchive template wayback links
• Articles with short description
• Short description is different from Wikidata
• Use dmy dates from March 2020
• Articles containing potentially dated statements from 2015
• All articles containing potentially dated statements