Padding oracle attack

In cryptography, a padding oracle attack is an attack that uses the padding validation of a cryptographic message to decrypt the ciphertext. Variable-length plaintext messages often have to be padded (expanded) to be compatible with the underlying cryptographic primitive. The attack relies on having a "padding oracle" that freely responds to queries about whether a message is correctly padded or not. The information could be given directly (for example, as a distinct error message), or leaked through a side-channel such as timing.

The earliest well-known attack that uses a padding oracle is Bleichenbacher's attack of 1998, which attacks RSA with PKCS #1 v1.5 padding.[1] The term "padding oracle" appeared in the literature in 2002,[2] after Serge Vaudenay's attack on the CBC mode decryption used within symmetric block ciphers.[3] Variants of both attacks continue to find success more than a decade after their original publication.[1][4][5]
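The following is an added example, not part of the article, showing the CBC-mode oracle the text describes and why the usual mitigation (encrypt-then-MAC, or an AEAD mode) removes it. It places a "leaky" MAC-then-encrypt decryptor that reports padding failures separately beside an encrypt-then-MAC decryptor that rejects every forged ciphertext with the same answer before the padding is ever inspected. The 16-byte block cipher is a constructed toy Feistel network over SHA-256 (invertible so that CBC works, in no sense secure), and all function names are hypothetical; the `probe` helper counts how many distinct responses a tampered ciphertext produces, which is exactly the signal a padding oracle leaks.

```python
"""Padding oracle demo: a leaky CBC decryptor beside an encrypt-then-MAC one.

Added example, not from the article. The block cipher is a CONSTRUCTED toy
Feistel network over SHA-256 (invertible, so CBC works; not secure).
"""
import hashlib
import hmac
import os

BLOCK = 16
TAG = 32  # HMAC-SHA256 output length


class PaddingError(ValueError):
    """Raised when a PKCS#7 trailer is malformed."""


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise PaddingError("length is not a multiple of the block size")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise PaddingError("trailer bytes do not match the pad length")
    return data[:-n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def toy_block_encrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r


def toy_block_decrypt(key: bytes, blk: bytes) -> bytes:
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(toy_block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out


def _tag(mac_key: bytes, data: bytes) -> bytes:
    return hmac.new(mac_key, data, hashlib.sha256).digest()


# --- Vulnerable design: MAC-then-encrypt, padding checked first and reported ---
def leaky_encrypt(enc_key: bytes, mac_key: bytes, msg: bytes):
    iv = os.urandom(BLOCK)
    return iv, cbc_encrypt(enc_key, iv, pkcs7_pad(msg + _tag(mac_key, msg)))


def leaky_decrypt(enc_key: bytes, mac_key: bytes, iv: bytes, ct: bytes) -> str:
    try:
        pt = pkcs7_unpad(cbc_decrypt(enc_key, iv, ct))
    except PaddingError:
        return "padding_error"  # distinguishable from a MAC failure: this is the oracle
    msg, tag = pt[:-TAG], pt[-TAG:]
    if not hmac.compare_digest(tag, _tag(mac_key, msg)):
        return "mac_error"
    return "ok"


# --- Hardened design: encrypt-then-MAC, one uniform rejection ------------------
def etm_encrypt(enc_key: bytes, mac_key: bytes, msg: bytes):
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(enc_key, iv, pkcs7_pad(msg))
    return iv, ct + _tag(mac_key, iv + ct)


def etm_decrypt(enc_key: bytes, mac_key: bytes, iv: bytes, ct: bytes) -> str:
    body, tag = ct[:-TAG], ct[-TAG:]
    if not hmac.compare_digest(tag, _tag(mac_key, iv + body)):
        return "invalid"  # forged input never reaches the padding check
    try:
        pkcs7_unpad(cbc_decrypt(enc_key, iv, body))
    except PaddingError:
        return "invalid"  # cannot happen for genuine data; still the same answer
    return "ok"


def probe(decrypt, iv: bytes, body: bytes, suffix: bytes = b"") -> set:
    """Set the byte that is XORed into the final plaintext byte to each of its
    255 non-original values and collect the decryptor's distinct responses."""
    chain = bytearray(iv + body)
    pos = len(chain) - BLOCK - 1
    original, seen = chain[pos], set()
    for v in range(256):
        if v == original:
            continue
        chain[pos] = v
        seen.add(decrypt(bytes(chain[:BLOCK]), bytes(chain[BLOCK:]) + suffix))
    return seen


def demo(msg: bytes = b"hello world!") -> tuple:
    """12-byte message so the leaky design ends with exactly four pad bytes (deterministic result)."""
    enc_key, mac_key = os.urandom(16), os.urandom(16)
    iv, ct = leaky_encrypt(enc_key, mac_key, msg)
    leaky = probe(lambda i, c: leaky_decrypt(enc_key, mac_key, i, c), iv, ct)
    iv, ct = etm_encrypt(enc_key, mac_key, msg)
    hardened = probe(lambda i, c: etm_decrypt(enc_key, mac_key, i, c), iv, ct[:-TAG], ct[-TAG:])
    return leaky, hardened


if __name__ == "__main__":
    print(demo())  # ({'padding_error', 'mac_error'}, {'invalid'})
```

The leaky decryptor answers two different things for a tampered ciphertext, so each query tells the caller whether the padding came out valid; the encrypt-then-MAC decryptor answers one thing for every forgery, and the padding code only ever runs on data that has already been authenticated. In practice the same uniformity has to hold for timing as well as for the error value, which is why modern protocols prefer AEAD modes over CBC with a separate MAC.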

  1. Bard12 (reference named in the text but not defined on this page).
  2. Black, John; Urtubia, Hector (2002). Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption. USENIX Security '02.
  3. Vaudenay, Serge (2002). Security Flaws Induced by CBC Padding: Applications to SSL, IPSEC, WTLS... EUROCRYPT 2002.
  4. Sullivan, Nick (12 February 2016). "Padding oracles and the decline of CBC-mode cipher suites". The Cloudflare Blog.
  5. Hanno Böck; Juraj Somorovsky; Craig Young. "ROBOT attack: Return Of Bleichenbacher's Oracle Threat". Retrieved 27 February 2018.