Padding oracle attack

In cryptography, a padding oracle attack is an attack which uses the padding validation of a cryptographic message to decrypt the ciphertext. In cryptography, variable-length plaintext messages often have to be padded (expanded) to be compatible with the underlying cryptographic primitive. The attack relies on having a "padding oracle" which freely responds to queries about whether a message is correctly padded or not. The information could be directly given, or leaked through a side-channel.

Asymmetric cryptography
In 1998, Daniel Bleichenbacher published a seminal paper on what became known as Bleichenbacher's attack (also known as the "million message attack"). The attack uses a padding oracle against RSA with PKCS #1 v1.5 padding, although the paper itself does not use the term "padding oracle"; later authors have classified his attack as a padding oracle attack. Manger (2001) reports an attack on the replacement for PKCS #1 v1.5 padding, PKCS #1 v2.0 "OAEP".
Symmetric cryptography
In symmetric cryptography, the padding oracle attack can be applied to the CBC mode of operation. Leaked data on padding validity can allow attackers to decrypt (and sometimes encrypt) messages through the oracle, using the oracle's key, without knowing the encryption key. Compared to Bleichenbacher's attack on RSA with PKCS #1 v1.5, Vaudenay's attack on CBC is much more efficient.

After determining the last byte of P_2, the attacker can use the same technique to obtain the second-to-last byte of P_2. The attacker sets the last byte of P_2 to 0x02 by setting the last byte of C_1 to the last byte of D_K(C_2) ⊕ 0x02. The attacker then uses the same approach described above, this time modifying the second-to-last byte until the padding is correct (0x02, 0x02). If a block consists of 128 bits (AES, for example), which is 16 bytes, the attacker will obtain the plaintext P_2 in no more than 256 · 16 = 4096 attempts. This is significantly faster than the 2^128 attempts required to brute-force a 128-bit key.

Encrypting messages with a padding oracle attack (CBC-R)
CBC-R turns a decryption oracle into an encryption oracle, and is primarily demonstrated against padding oracles. Using a padding oracle attack, CBC-R can craft an initialization vector and ciphertext block for any plaintext:
• decrypt any ciphertext ,
• select the previous cipher block freely,
• produce a valid ciphertext/plaintext pair .
To generate a ciphertext that is blocks long, the attacker must perform numbers of padding oracle attacks. These attacks are chained together so that the proper plaintext is constructed in reverse order, from the end of the message () to the beginning of the message (C0, IV). In each step, a padding oracle attack is used to construct the IV for the previously chosen ciphertext. The CBC-R attack will not work against an encryption scheme that authenticates the ciphertext (using a message authentication code or similar) before decrypting.
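The single-block recovery described above, as an added Python simulation that is not part of the original article: a constructed local oracle answers only "padding valid / invalid", a toy Feistel cipher stands in for AES, and the same oracle with an HMAC check added (the authenticate-before-decrypt scheme the text says defeats CBC-R) shows the leak closing. Names such as `oracle`, `recover_block` and the demo keys are this example's own.

```python
import hashlib, hmac, os
BLOCK = 16
KEY, MAC_KEY = os.urandom(16), os.urandom(16)  # constructed demo keys; the attack code never reads them
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):  # Feistel round function: keyed SHA-256 truncated to a half block
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, b):  # toy 4-round Feistel cipher standing in for AES (E_K)
    l, r = b[:8], b[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, r, rnd))
    return l + r

def block_decrypt(key, b):  # its inverse (D_K); the attack only ever exercises this side
    l, r = b[:8], b[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, l, rnd)), l
    return l + r

def encrypt_block(iv, pt):  # one CBC block (pt shorter than a block), PKCS#7-padded, plus HMAC over IV||ct
    pt += bytes([BLOCK - len(pt)]) * (BLOCK - len(pt))
    ct = block_encrypt(KEY, xor(pt, iv))
    return ct, hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()

def oracle(prev, block, tag=None):
    # tag=None: the leaky padding oracle. With a tag: encrypt-then-MAC rejects forged input before any padding check.
    if tag is not None and not hmac.compare_digest(
            hmac.new(MAC_KEY, prev + block, hashlib.sha256).digest(), tag):
        return False
    pt = xor(block_decrypt(KEY, block), prev)
    n = pt[-1]
    return 1 <= n <= BLOCK and pt[-n:] == bytes([n]) * n  # PKCS#7 validity is the only bit returned

def recover_block(ask, prev, block, tag=None):
    # Vaudenay's attack on one block: learn D_K(block) right-to-left from yes/no answers, then XOR with prev.
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        padval = BLOCK - pos  # bytes already known are forced to decrypt to padval
        forged = bytearray(inter[j] ^ padval if j > pos else 0 for j in range(BLOCK))
        for guess in range(256):
            forged[pos] = guess
            if ask(bytes(forged), block, tag):
                probe = forged[:]; probe[pos - 1] ^= 0xFF  # last byte only: a true 0x01 survives this flip
                if pos < BLOCK - 1 or ask(bytes(probe), block, tag):
                    inter[pos] = guess ^ padval
                    break
        else:
            raise RuntimeError("oracle never said yes: no padding leak to exploit")
    return xor(inter, prev)
```

Each byte costs at most 256 queries plus the one disambiguating probe for the last byte, matching the 256 · 16 bound above; against the MAC-checked oracle every forged block is refused and `recover_block` raises.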
Attacks using padding oracles
The original attack against CBC was published in 2002 by Serge Vaudenay. Concrete instantiations of the attack were later realised against SSL and IPsec. It was also applied to several web frameworks, including JavaServer Faces, Ruby on Rails and ASP.NET, as well as other software, such as the Steam gaming client. In 2012 it was shown to be effective against PKCS #11 cryptographic tokens. and Export RSA/FREAK attacks, which trick clients into using less secure cryptographic operations provided for compatibility with legacy clients when more secure ones are available. An attack called POODLE (late 2014) combines a downgrade attack (to SSL 3.0) with a padding oracle attack on the older, insecure protocol to compromise the transmitted data. In May 2016 it was revealed that the fix against Lucky Thirteen in OpenSSL introduced another timing-based padding oracle.