Padding oracle attack
In cryptography, a padding oracle attack is an attack that uses the padding validation of a cryptographic message to decrypt the ciphertext. Variable-length plaintext messages often have to be padded (expanded) to be compatible with the underlying cryptographic primitive. The attack relies on having a "padding oracle" that freely responds to queries about whether a message is correctly padded or not. The information could be given directly, or leaked through a side-channel.
The earliest well-known attack that uses a padding oracle is
Asymmetric cryptography
In 1998, Daniel Bleichenbacher published a seminal paper on what became known as Bleichenbacher's attack (also known as the "million message attack"). The attack uses a padding oracle against RSA with PKCS #1 v1.5 padding, although the paper does not use the term. Later authors have classified his attack as a padding oracle attack.[1]
Manger (2001) reports an attack on the replacement for PKCS #1 v1.5 padding, PKCS #1 v2.0 "OAEP".[6]
Symmetric cryptography
In symmetric cryptography, the padding
Compared to Bleichenbacher's attack on RSA with PKCS #1 v1.5, Vaudenay's attack on CBC is much more efficient.
A number of mitigations have been performed to prevent the decryption software from acting as an oracle, but newer
Padding oracle attack on CBC encryption
The standard implementation of CBC decryption in block ciphers is to decrypt all ciphertext blocks, validate the padding, remove the PKCS7 padding, and return the message's plaintext. If the server returns an "invalid padding" error instead of a generic "decryption failed" error, the attacker can use the server as a padding oracle to decrypt (and sometimes encrypt) messages.
The mathematical formula for CBC decryption is
As depicted above, CBC decryption XORs each decrypted block with the previous ciphertext block. As a result, a single-byte modification in block will make a corresponding change to a single byte in .
Suppose the attacker has two ciphertext blocks and wants to decrypt the second block to get plaintext . The attacker changes the last byte of (creating ) and sends to the server. The server then returns whether or not the padding of the last decrypted block () is correct (a valid PKCS#7 padding). If the padding is correct, the attacker now knows that the last byte of is , the last two bytes are 0x02, the last three bytes are 0x03, …, or the last eight bytes are 0x08. The attacker can modify the second-last byte (flip any bit) to ensure that the last byte is 0x01. (Alternatively, the attacker can flip earlier bytes and
After determining the last byte of , the attacker can use the same technique to obtain the second-to-last byte of . The attacker sets the last byte of to by setting the last byte of to . The attacker then uses the same approach described above, this time modifying the second-to-last byte until the padding is correct (0x02, 0x02).
If a block consists of 128 bits (
Encrypting messages with Padding oracle attack (CBC-R)
CBC-R[8] turns a decryption oracle into an encryption oracle, and is primarily demonstrated against padding oracles.
Using the padding oracle attack, CBC-R can craft an initialization vector and ciphertext block for any plaintext:
- decrypt any ciphertext block: Pi = PODecrypt(Ci) XOR Ci−1,
- choose the previous ciphertext block Cx−1 freely,
- produce a valid ciphertext/plaintext pair: Cx−1 = Px XOR PODecrypt(Cx).
To generate a ciphertext that is N blocks long, the attacker must perform N padding oracle attacks. These attacks are chained together so that the desired plaintext is constructed in reverse order, from the end of the message (CN) to its beginning (C0, the IV). In each step, the padding oracle attack is used to construct the preceding block (acting as the IV) for the ciphertext block chosen in the previous step.
The CBC-R attack will not work against an encryption scheme that authenticates ciphertext (using a message authentication code or similar) before decrypting.
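As an added worked example (not part of the original article) in Python, the byte-by-byte recovery described in the CBC section and the CBC-R forgery are run against a purely local oracle: a toy Feistel bijection stands in for the block cipher, the key and ciphertext bytes are constructed, and the attacker-side functions only ever see the oracle's yes/no answer.

```python
import hashlib

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_decrypt(key, b):
    # Toy 4-round Feistel (SHA-256 round function) standing in for AES decryption;
    # any keyed 16-byte bijection would do for the demonstration. Not a real cipher.
    l, r = b[:8], b[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, hashlib.sha256(key + bytes([i]) + l).digest()[:8]), l
    return l + r

def cbc_decrypt(key, iv, ct):
    pt, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        pt += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return pt

def padding_oracle(key, iv, ct):
    # The leak: answers only whether the PKCS#7 padding is valid. A server that
    # verifies a MAC over the ciphertext before decrypting never reaches this.
    pt = cbc_decrypt(key, iv, ct)
    n = pt[-1]
    return 1 <= n <= BLOCK and pt.endswith(bytes([n]) * n)

def recover_intermediate(oracle, c_i):
    # Recover D_k(c_i) one byte at a time, last byte first, using only the oracle.
    dec = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        # Bytes already known are set so they decrypt to the padding value `pad`.
        forged = bytearray(dec[j] ^ pad if j > pos else 0 for j in range(BLOCK))
        for guess in range(256):
            forged[pos] = guess
            probe = bytearray(forged)
            if pos == BLOCK - 1:
                probe[pos - 1] ^= 1  # rules out an accidental 0x02 0x02 (or longer) hit
            if oracle(bytes(forged), c_i) and oracle(bytes(probe), c_i):
                dec[pos] = guess ^ pad
                break
    return bytes(dec)

def decrypt_block(oracle, c_prev, c_i):
    # P_i = D_k(C_i) XOR C_{i-1}: the oracle replaces the key.
    return _xor(recover_intermediate(oracle, c_i), c_prev)

def cbc_r_previous_block(oracle, c_x, p_x):
    # CBC-R: choose C_{x-1} so that (C_{x-1}, C_x) decrypts to the chosen P_x.
    return _xor(p_x, recover_intermediate(oracle, c_x))
```

The defence is the one stated above: authenticate the ciphertext with a MAC before any decryption, so the padding decision is never exposed.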
Attacks using padding oracles
The original attack against CBC was published in 2002 by
While these earlier attacks were fixed by most
References
- [1] INRIA. p. 19.
- [2] Black, John; Urtubia, Hector (2002). Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption. USENIX Security '02.
- [3] Serge Vaudenay (2002). Security Flaws Induced by CBC Padding Applications to SSL, IPSEC, WTLS... (PDF). EUROCRYPT 2002. Quoted: "Similar attack model was used by Bleichenbacher against PKCS#1 v1.5 [5] and by Manger against PKCS#1 v2.0 [13]. This paper shows that similar attacks are feasible in the symmetric key world."
- [4] Sullivan, Nick (12 February 2016). "Padding oracles and the decline of CBC-mode cipher suites". The Cloudflare Blog.
- [5] Hanno Böck; Juraj Somorovsky; Craig Young. "ROBOT attack: Return Of Bleichenbacher's Oracle Threat". Retrieved 27 February 2018.
- [6] Manger, James (2001). "A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0" (PDF). Telstra Research Laboratories.
- [7] "Is the padding oracle attack deterministic".
- [8] Juliano Rizzo; Thai Duong (25 May 2010). Practical Padding Oracle Attacks (PDF). USENIX WOOT 2010.
- [9] Brice Canvel; Alain Hiltgen; Serge Vaudenay; Martin Vuagnoux (2003). Password Interception in a SSL/TLS Channel (PDF).
- [10] Jean Paul Degabriele; Kenneth G. Paterson (2007). Attacking the IPsec Standards in Encryption-only Configurations (PDF). CiteSeerX 10.1.1.185.1534. Archived from the original on 19 December 2018; retrieved 25 September 2018.
- [11] Juliano Rizzo; Thai Duong (25 May 2010). Practical Padding Oracle Attacks (PDF). USENIX WOOT 2010.
- [12] Thai Duong; Juliano Rizzo (2011). Cryptography in the Web: The Case of Cryptographic Design Flaws in ASP.NET (PDF). IEEE Symposium on Security and Privacy 2011.
- [13] Dennis Fisher (13 September 2010). "'Padding Oracle' Crypto Attack Affects Millions of ASP.NET Apps". Threat Post. Archived from the original on 13 October 2010.
- [14] Vlad Azarkhin (19 September 2010). "'Padding Oracle' ASP.NET Vulnerability Explanation". Archived from the original on 23 October 2010; retrieved 11 October 2010.
- [15] "Breaking Steam Client Cryptography". Steam Database. Retrieved 1 May 2016.
- [16] Matthew Green; Nadia Heninger; Paul Zimmermann; et al. (2015). Imperfect Forward Secrecy: How Diffie–Hellman Fails in Practice (PDF). See also https://www.weakdh.org (archived 22 December 2019 at the Wayback Machine).
- [17] Matthew Green (3 March 2015). "Attack of the week: FREAK (or 'factoring the NSA for fun and profit')". See also https://www.freakattack.com (archived 5 March 2015 at the Wayback Machine).
- [18] Matthew Green (14 October 2014). "Attack of the week: POODLE". See also https://www.poodle.io.
- [19] OpenSSL Security Advisory [3rd May 2016], 3 May 2016.
- [20] Yet Another Padding Oracle in OpenSSL CBC Ciphersuites, Cloudflare, 4 May 2016.