Padding oracle attack

In cryptography, a padding oracle attack is an attack which uses the padding validation of a cryptographic message to decrypt the ciphertext. In cryptography, variable-length plaintext messages often have to be padded (expanded) to be compatible with the underlying cryptographic primitive. The attack relies on having a "padding oracle" who freely responds to queries about whether a message is correctly padded or not. Padding oracle attacks are mostly associated with CBC mode decryption used within block ciphers. Padding modes for asymmetric algorithms such as OAEP may also be vulnerable to padding oracle attacks. In symmetric cryptography, the padding oracle attack can be applied to the CBC mode of operation, where the "oracle" (usually a server) leaks data about whether the padding of an encrypted message is correct or not. Such data can allow attackers to decrypt (and sometimes encrypt) messages through the oracle using the oracle's key, without knowing the encryption key. The standard implementation of CBC decryption in block ciphers is to decrypt all ciphertext blocks, validate the padding, remove the PKCS7 padding, and return the message's plaintext. If the server returns an "invalid padding" error instead of a generic "decryption failed" error, the attacker can use the server as a padding oracle to decrypt (and sometimes encrypt) messages. The mathematical formula for CBC decryption is As depicted above, CBC decryption XORs each plaintext block with the previous block. As a result, a single-byte modification in block will make a corresponding change to a single byte in . Suppose the attacker has two ciphertext blocks and wants to decrypt the second block to get plaintext . The attacker changes the last byte of (creating ) and sends to the server. The server then returns whether or not the padding of the last decrypted block () is correct (a valid PKCS#7 padding). If the padding is correct, the attacker now knows that the last byte of is , the last two bytes are 0x02, the last three bytes are 0x03, ...

À propos de ce résultat

Cette page est générée automatiquement et peut contenir des informations qui ne sont pas correctes, complètes, à jour ou pertinentes par rapport à votre recherche. Il en va de même pour toutes les autres pages de ce site. Veillez à vérifier les informations auprès des sources officielles de l'EPFL.

Publications associées (1)

Personnes associées (1)

Cours associés (2)

Séances de cours associées (19)

Cryptographie Elliptique Courbe: Bases et Applications

Explore les bases et les applications de la cryptographie à courbes elliptiques, couvrant la factorisation ECM, les courbes standard, les exemples pratiques et les implémentations du monde réel.

Cryptanalysis: Decorrelation & Sécurité Proving

Explore la cryptanalyse à travers des techniques de décorrélation et prouve la sécurité dans la cryptographie conventionnelle, couvrant des sujets tels que les fonctions distinctives, les matrices et le modèle oracle aléatoire.

Cryptographie Diffie-Hellman: échange de clés et cryptage ElGamal

Couvre le protocole d'échange de clés Diffie-Hellman et le cryptosystème à clé publique ElGamal.

COM-401: Cryptography and security

This course introduces the basics of cryptography. We review several types of cryptographic primitives, when it is safe to use them and how to select the appropriate security parameters. We detail how

COM-501: Advanced cryptography

This course reviews some failure cases in public-key cryptography. It introduces some cryptanalysis techniques. It also presents fundamentals in cryptography such as interactive proofs. Finally, it pr

Misuse Attacks on Post-quantum Cryptosystems

Serge Vaudenay, Loïs Evan Huguenin-Dumittan, Fatma Betül Durak, Abdullah Talayhan, Ciprian Baetu

Many post-quantum cryptosystems which have been proposed in the National Institute of Standards and Technology (NISI) standardization process follow the same meta-algorithm, but in different algebras

SPRINGER INTERNATIONAL PUBLISHING AG2019