In cryptography, a padding oracle attack is an attack which uses the padding validation of a cryptographic message to decrypt the ciphertext. In cryptography, variable-length plaintext messages often have to be padded (expanded) to be compatible with the underlying cryptographic primitive. The attack relies on having a "padding oracle" who freely responds to queries about whether a message is correctly padded or not. The information could be directly given, or leaked through a side-channel.
The earliest well-known attack that uses a padding oracle is Bleichenbacher's attack of 1998, which attacks RSA with PKCS #1 v1.5 padding. [1] The term "padding oracle" appeared in literature in 2002, [2] after Serge Vaudenay's attack on the CBC mode decryption used within symmetric block ciphers. [3] Variants of both attacks continue to find success more than one decade after their original publication. [1] [4] [5]
In 1998, Daniel Bleichenbacher published a seminal paper on what became known as Bleichenbacher's attack (also known as "million message attack"). The attack uses a padding oracle against RSA with PKCS #1 v1.5 padding, but it does not include the term. Later authors have classified his attack as a padding oracle attack. [1]
Manger (2001) reports an attack on the replacement for PKCS #1 v1.5 padding, PKCS #1 v2.0 "OAEP". [6]
In symmetric cryptography, the padding oracle attack can be applied to the CBC mode of operation. Leaked data on padding validity can allow attackers to decrypt (and sometimes encrypt) messages through the oracle using the oracle's key, without knowing the encryption key.
Compared to Bleichenbacher's attack on RSA with PKCS #1 v1.5, Vaudenay's attack on CBC is much more efficient. [1] Both attacks target cryptosystems commonly-used for the time: CBC is the original mode used in Secure Sockets Layer (SSL) and had continued to be supported in TLS. [4]
A number of mitigations have been performed to prevent the decryption software from acting as an oracle, but newer attacks based on timing have repeatedly revived this oracle. TLS 1.2 introduces a number of authenticated encryption with additional data modes that do not rely on CBC. [4]
The standard implementation of CBC decryption in block ciphers is to decrypt all ciphertext blocks, validate the padding, remove the PKCS7 padding, and return the message's plaintext. If the server returns an "invalid padding" error instead of a generic "decryption failed" error, the attacker can use the server as a padding oracle to decrypt (and sometimes encrypt) messages.
The mathematical formula for CBC decryption is
As depicted above, CBC decryption XORs each plaintext block with the previous block. As a result, a single-byte modification in block will make a corresponding change to a single byte in .
Suppose the attacker has two ciphertext blocks and wants to decrypt the second block to get plaintext . The attacker changes the last byte of (creating ) and sends to the server. The server then returns whether or not the padding of the last decrypted block () is correct (a valid PKCS#7 padding). If the padding is correct, the attacker now knows that the last byte of is , the last two bytes are 0x02, the last three bytes are 0x03, …, or the last eight bytes are 0x08. The attacker can modify the second-last byte (flip any bit) to ensure that the last byte is 0x01. (Alternatively, the attacker can flip earlier bytes and binary search for the position to identify the padding. For example, if modifying the third-last byte is correct, but modifying the second-last byte is incorrect, then the last two bytes are known to be 0x02, allowing both of them to be decrypted.) Therefore, the last byte of equals . If the padding is incorrect, the attacker can change the last byte of to the next possible value. At most, the attacker will need to make 256 attempts to find the last byte of , 255 attempts for every possible byte (256 possible, minus one by pigeonhole principle), plus one additional attempt to eliminate an ambiguous padding. [7]
After determining the last byte of , the attacker can use the same technique to obtain the second-to-last byte of . The attacker sets the last byte of to by setting the last byte of to . The attacker then uses the same approach described above, this time modifying the second-to-last byte until the padding is correct (0x02, 0x02).
If a block consists of 128 bits (AES, for example), which is 16 bytes, the attacker will obtain plaintext in no more than 256⋅16 = 4096 attempts. This is significantly faster than the attempts required to bruteforce a 128-bit key.
CBC-R [8] turns a decryption oracle into an encryption oracle, and is primarily demonstrated against padding oracles.
Using padding oracle attack CBC-R can craft an initialization vector and ciphertext block for any plaintext:
To generate a ciphertext that is N blocks long, attacker must perform N numbers of padding oracle attacks. These attacks are chained together so that proper plaintext is constructed in reverse order, from end of message (CN) to beginning message (C0, IV). In each step, padding oracle attack is used to construct the IV to the previous chosen ciphertext.
The CBC-R attack will not work against an encryption scheme that authenticates ciphertext (using a message authentication code or similar) before decrypting.
The original attack against CBC was published in 2002 by Serge Vaudenay. [3] Concrete instantiations of the attack were later realised against SSL [9] and IPSec. [10] [11] It was also applied to several web frameworks, including JavaServer Faces, Ruby on Rails [12] and ASP.NET [13] [14] [15] as well as other software, such as the Steam gaming client. [16] In 2012 it was shown to be effective against PKCS 11 cryptographic tokens. [1]
While these earlier attacks were fixed by most TLS implementors following its public announcement, a new variant, the Lucky Thirteen attack, published in 2013, used a timing side-channel to re-open the vulnerability even in implementations that had previously been fixed. As of early 2014, the attack is no longer considered a threat in real-life operation, though it is still workable in theory (see signal-to-noise ratio) against a certain class of machines. As of 2015 [update] , the most active area of development for attacks upon cryptographic protocols used to secure Internet traffic are downgrade attack, such as Logjam [17] and Export RSA/FREAK [18] attacks, which trick clients into using less-secure cryptographic operations provided for compatibility with legacy clients when more secure ones are available. An attack called POODLE [19] (late 2014) combines both a downgrade attack (to SSL 3.0) with a padding oracle attack on the older, insecure protocol to enable compromise of the transmitted data. In May 2016 it has been revealed in CVE - 2016-2107 that the fix against Lucky Thirteen in OpenSSL introduced another timing-based padding oracle. [20] [21]
In cryptography, a block cipher is a deterministic algorithm that operates on fixed-length groups of bits, called blocks. Block ciphers are the elementary building blocks of many cryptographic protocols. They are ubiquitous in the storage and exchange of data, where such data is secured and authenticated via encryption.
RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem, one of the oldest widely used for secure data transmission. The initialism "RSA" comes from the surnames of Ron Rivest, Adi Shamir and Leonard Adleman, who publicly described the algorithm in 1977. An equivalent system was developed secretly in 1973 at Government Communications Headquarters (GCHQ), the British signals intelligence agency, by the English mathematician Clifford Cocks. That system was declassified in 1997.
Malleability is a property of some cryptographic algorithms. An encryption algorithm is "malleable" if it is possible to transform a ciphertext into another ciphertext which decrypts to a related plaintext. That is, given an encryption of a plaintext , it is possible to generate another ciphertext which decrypts to , for a known function , without necessarily knowing or learning .
A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis where the cryptanalyst can gather information by obtaining the decryptions of chosen ciphertexts. From these pieces of information the adversary can attempt to recover the secret key used for decryption.
In cryptography, a block cipher mode of operation is an algorithm that uses a block cipher to provide information security such as confidentiality or authenticity. A block cipher by itself is only suitable for the secure cryptographic transformation of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.
In cryptography, ciphertext or cyphertext is the result of encryption performed on plaintext using an algorithm, called a cipher. Ciphertext is also known as encrypted or encoded information because it contains a form of the original plaintext that is unreadable by a human or computer without the proper cipher to decrypt it. This process prevents the loss of sensitive information via hacking. Decryption, the inverse of encryption, is the process of turning ciphertext into readable plaintext. Ciphertext is not to be confused with codetext because the latter is a result of a code, not a cipher.
Articles related to cryptography include:
An adaptive chosen-ciphertext attack is an interactive form of chosen-ciphertext attack in which an attacker first sends a number of ciphertexts to be decrypted chosen adaptively, and then uses the results to distinguish a target ciphertext without consulting the oracle on the challenge ciphertext. In an adaptive attack, the attacker is further allowed adaptive queries to be asked after the target is revealed. It is extending the indifferent (non-adaptive) chosen-ciphertext attack (CCA1) where the second stage of adaptive queries is not allowed. Charles Rackoff and Dan Simon defined CCA2 and suggested a system building on the non-adaptive CCA1 definition and system of Moni Naor and Moti Yung.
In cryptography, padding is any of a number of distinct practices which all include adding data to the beginning, middle, or end of a message prior to encryption. In classical cryptography, padding may include adding nonsense phrases to a message to obscure the fact that many messages end in predictable ways, e.g. sincerely yours.
In cryptography, a semantically secure cryptosystem is one where only negligible information about the plaintext can be feasibly extracted from the ciphertext. Specifically, any probabilistic, polynomial-time algorithm (PPTA) that is given the ciphertext of a certain message , and the message's length, cannot determine any partial information on the message with probability non-negligibly higher than all other PPTA's that only have access to the message length. This concept is the computational complexity analogue to Shannon's concept of perfect secrecy. Perfect secrecy means that the ciphertext reveals no information at all about the plaintext, whereas semantic security implies that any information revealed cannot be feasibly extracted.
Probabilistic encryption is the use of randomness in an encryption algorithm, so that when encrypting the same message several times it will, in general, yield different ciphertexts. The term "probabilistic encryption" is typically used in reference to public key encryption algorithms; however various symmetric key encryption algorithms achieve a similar property, and stream ciphers such as Freestyle which are inherently random. To be semantically secure, that is, to hide even partial information about the plaintext, an encryption algorithm must be probabilistic.
In cryptography, ciphertext stealing (CTS) is a general method of using a block cipher mode of operation that allows for processing of messages that are not evenly divisible into blocks without resulting in any expansion of the ciphertext, at the cost of slightly increased complexity.
The Cramer–Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive chosen ciphertext attack using standard cryptographic assumptions. Its security is based on the computational intractability of the Decisional Diffie–Hellman assumption. Developed by Ronald Cramer and Victor Shoup in 1998, it is an extension of the ElGamal cryptosystem. In contrast to ElGamal, which is extremely malleable, Cramer–Shoup adds other elements to ensure non-malleability even against a resourceful attacker. This non-malleability is achieved through the use of a universal one-way hash function and additional computations, resulting in a ciphertext which is twice as large as in ElGamal.
In cryptography, Optimal Asymmetric Encryption Padding (OAEP) is a padding scheme often used together with RSA encryption. OAEP was introduced by Bellare and Rogaway, and subsequently standardized in PKCS#1 v2 and RFC 2437.
Ciphertext indistinguishability is a property of many encryption schemes. Intuitively, if a cryptosystem possesses the property of indistinguishability, then an adversary will be unable to distinguish pairs of ciphertexts based on the message they encrypt. The property of indistinguishability under chosen plaintext attack is considered a basic requirement for most provably secure public key cryptosystems, though some schemes also provide indistinguishability under chosen ciphertext attack and adaptive chosen ciphertext attack. Indistinguishability under chosen plaintext attack is equivalent to the property of semantic security, and many cryptographic proofs use these definitions interchangeably.
Authenticated Encryption (AE) is an encryption scheme which simultaneously assures the data confidentiality and authenticity. Examples of encryption modes that provide AE are GCM, CCM.
In cryptography, Galois/Counter Mode (GCM) is a mode of operation for symmetric-key cryptographic block ciphers which is widely adopted for its performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achieved with inexpensive hardware resources.
In cryptography, PKCS #1 is the first of a family of standards called Public-Key Cryptography Standards (PKCS), published by RSA Laboratories. It provides the basic definitions of and recommendations for implementing the RSA algorithm for public-key cryptography. It defines the mathematical properties of public and private keys, primitive operations for encryption and signatures, secure cryptographic schemes, and related ASN.1 syntax representations.
There are various implementations of the Advanced Encryption Standard, also known as Rijndael.
The DROWN attack is a cross-protocol security bug that attacks servers supporting modern SSLv3/TLS protocol suites by using their support for the obsolete, insecure, SSL v2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure. DROWN can affect all types of servers that offer services encrypted with SSLv3/TLS yet still support SSLv2, provided they share the same public key credentials between the two protocols. Additionally, if the same public key certificate is used on a different server that supports SSLv2, the TLS server is also vulnerable due to the SSLv2 server leaking key information that can be used against the TLS server.
Similar attack model was used by Bleichenbacher against PKCS#1 v1.5 [5] and by Manger against PKCS#1 v2.0 [13]. This paper shows that similar attacks are feasible in the symmetric key world.