padding oracle attack


Summary

Encryption/decryption oracle

  • interface that encrypts/decrypts a query
  • the key is a secret known only to the oracle

Padding

  • append extra bytes so that the padded plaintext length is a multiple of the block length
  • must encode how many bytes were padded, so that the pad bytes can be removed after decryption

Padding oracle

  • takes in a ciphertext
  • returns whether it decrypts to a correctly padded plaintext

Concept

PKCS#7

  • padding standard
  • each pad byte holds the number of padded bytes (n bytes of value n)

Padding oracle attack (chosen ciphertext attack)

  • attacker has a ciphertext (IV, C) and access to a padding oracle
  • attacker knows how the block is padded
  • use the padding oracle to expose information about the non-padded bytes
  • modify the previous ciphertext block/IV so that the padding stays valid for one more byte

Deducing padding amount

  • linear search - start from the most significant (first) byte of the IV and modify one byte at a time; changing a non-pad byte keeps the padding valid, so the first byte whose change makes it invalid is the first pad byte
  • binary search - modify groups of bytes in a binary search pattern to locate that first pad byte with fewer queries

Application

Padding oracle attack on CBC mode

  • padding oracle decryption
    [figure: one 4-byte block; IV v = (v1, v2, v3, v4) and ciphertext c = (c1, c2, c3, c4); D_k(c) gives the intermediate i = (i1, i2, i3, i4); padded message m = (m1, m2, 02, 02); m1, m2 unknown, the pad bytes 02 02 known]
  • exposing one more byte
    [figure: modified IV v' = (v'1, v'2, v'3, v'4), same ciphertext c = (c1, c2, c3, c4) and intermediate i = (i1, i2, i3, i4); target message m' = (m'1, 03, 03, 03)]

This is extendable to multiple blocks, since in CBC each decrypted block is XORed with the preceding ciphertext block (the IV for the first block), so modifying that block plays the same role as modifying the IV.
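The whole procedure in these notes (PKCS#7 padding, the padding oracle, deducing the padding amount by a linear search over the IV, and then exposing one more byte at a time) as one runnable lab. This is an added example, not code from the notes: a toy Feistel block cipher stands in for AES so that nothing beyond the Python standard library is needed; every function name (leaky_oracle, deduce_pad_len, recover_last_block, seal, hardened_oracle) and the sample message are my own; and it goes beyond the one-byte step by repeating it until the whole last block is recovered. hardened_oracle adds the encrypt-then-MAC mitigation the notes do not cover: the tag is checked first, so a modified (IV, C) is rejected before the padding is ever examined.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block length in bytes

# Toy 16-byte block cipher (4-round Feistel network, HMAC-SHA256 as round function).
# It stands in for AES; it is not a real cipher, but CBC and the oracle behave the same.
def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, r: int, half: bytes) -> bytes:
    return hmac.new(key, bytes([r]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for r in range(4):
        left, right = right, _xor(left, _round(key, r, right))
    return left + right

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for r in reversed(range(4)):
        left, right = _xor(right, _round(key, r, left)), left
    return left + right

# PKCS#7: append n bytes each equal to n, 1 <= n <= BLOCK; unpad checks every pad byte.
def pkcs7_pad(msg: bytes) -> bytes:
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n

def pkcs7_unpad(padded: bytes) -> bytes:
    n = padded[-1] if padded else 0
    if not 1 <= n <= BLOCK or padded[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return padded[:-n]

def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_encrypt_block(key, _xor(prev, padded[i:i + BLOCK]))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(toy_decrypt_block(key, ct[i:i + BLOCK]), prev)  # m = D_k(c) XOR prev
        prev = ct[i:i + BLOCK]
    return out

KEY = os.urandom(32)      # secret known only to the oracle
MAC_KEY = os.urandom(32)

def leaky_oracle(iv: bytes, ct: bytes) -> bool:
    """Padding oracle: reveals whether (iv, ct) decrypts to valid padding."""
    try:
        pkcs7_unpad(cbc_decrypt(KEY, iv, ct))
        return True
    except ValueError:
        return False

def seal(msg: bytes) -> tuple:
    """Encrypt-then-MAC: the tag covers iv and ct, so any modification is detected."""
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(KEY, iv, pkcs7_pad(msg))
    return iv, ct, hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()

def hardened_oracle(iv: bytes, ct: bytes, tag: bytes) -> bool:
    """Rejects a modified (iv, ct) before the padding is examined at all."""
    expected = hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag) and leaky_oracle(iv, ct)

def deduce_pad_len(oracle, prev: bytes, last: bytes):
    """Linear search from the first byte of the previous block (the IV for a
    one-block message); the first byte whose change breaks the padding is the first pad byte."""
    for pos in range(BLOCK):
        mod = bytearray(prev)
        mod[pos] ^= 0x01
        if not oracle(bytes(mod), last):
            return BLOCK - pos
    return None

def recover_last_block(oracle, prev: bytes, last: bytes) -> bytes:
    """The notes' 'exposing one more byte' step, repeated right to left: with the pad
    bytes' intermediates known, make them decrypt to n+1 and search the next byte."""
    n = deduce_pad_len(oracle, prev, last)
    inter = bytearray(BLOCK)
    for k in range(BLOCK - n, BLOCK):        # pad bytes decrypt to n, so i_k = prev_k XOR n
        inter[k] = prev[k] ^ n
    for j in range(BLOCK - n - 1, -1, -1):   # one more byte each round
        target = BLOCK - j                   # make the last BLOCK-j bytes decrypt to target
        mod = bytearray(prev)
        for k in range(j + 1, BLOCK):
            mod[k] = inter[k] ^ target
        for guess in range(256):
            mod[j] = guess
            if oracle(bytes(mod), last):     # unique: the last byte is already fixed to target
                inter[j] = guess ^ target
                break
    return _xor(bytes(inter), prev)          # padded plaintext of the block
```

Calling recover_last_block(leaky_oracle, iv, ct) on a one-block message returns its padded plaintext after at most 256 queries per byte. Against hardened_oracle every modified IV is rejected, so deduce_pad_len reports 16 whatever the real padding is: the oracle no longer distinguishes bad padding from anything else and leaks nothing.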

Extending beyond one byte