Padding & Padding Oracle Attacks

Block Cipher Padding

PKCS #7 (Public Key Cryptography Standards #7)

  • Pad with N bytes, each of value N (e.g. 3 bytes missing → append 03 03 03)
  • If a message evenly divides the block size, add a full block of padding anyway (for a 16-byte block: 16 bytes of 0x10)

  • Padding is unambiguous: every message gets padded, and no padding string is a suffix of another

  • Only works for blocks up to 256 bytes (the pad value has to fit in a single byte)
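As an added example (not from the original notes), the PKCS #7 rules above in Python: a strict `pkcs7_unpad` that accepts nothing but N bytes of value N, a boolean `padding_is_valid` in the shape a padding oracle would expose, and a check of the unambiguity claim for any block size. The 16-byte default and the sample strings are assumptions for illustration.

```python
def pkcs7_pad(data: bytes, block_size: int = 16) -> bytes:
    """Append N bytes, each of value N, so the length becomes a multiple of block_size.
    A message that already fills its last block still gets a full block of padding."""
    if not 1 <= block_size <= 255:
        raise ValueError("pad value must fit in one byte")
    n = block_size - len(data) % block_size      # always in 1..block_size, never 0
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes, block_size: int = 16) -> bytes:
    """Strip PKCS #7 padding, rejecting anything that is not exactly N bytes of N."""
    if not data or len(data) % block_size:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    # 0x00 is never a valid pad byte, and all N trailing bytes must equal N.
    if not 1 <= n <= block_size or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]


def padding_is_valid(data: bytes, block_size: int = 16) -> bool:
    """The single bit a padding oracle leaks: does this decrypt to valid padding?"""
    try:
        pkcs7_unpad(data, block_size)
        return True
    except ValueError:
        return False


def padding_is_unambiguous(block_size: int = 16) -> bool:
    """Check the claim from the notes: no padding string is a suffix of another,
    so the receiver can always tell where the message ends."""
    pads = [bytes([n]) * n for n in range(1, block_size + 1)]
    return all(not long.endswith(short)
               for long in pads for short in pads if long != short)
```

`padding_is_valid` is deliberately written as a boolean: it is exactly the function whose answer, exposed over a network, becomes the oracle in the next section.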

Padding Oracle

$$\text{ciphertext} \longrightarrow \text{Padding oracle} \longrightarrow \text{yes/no}$$

  • Tells you whether the padding is valid: yes or no! It doesn't decrypt anything itself, but it can be used to build a decryption oracle
  • Padding values are in [0x01, 0x10] (because a block has 16 bytes), duh.

Padding Oracle Attacks

  • For each byte of ciphertext, Eve can recover associated plaintext in 255 queries

  • AES: 16 byte block times 255 queries = ~4000 queries per block.

  • Real PO implementations can decrypt plaintext in a few seconds

  • Can be used to recover authentication tokens/cookies to hijack a session

  • How it works (CBC: m2 = D(c2) XOR c1, so changing a byte of c1 changes the same byte of m2):

    • a = last byte of c1
    • b = last byte of m2
    • Eve guesses that b = g and replaces a with a' in the ciphertext she sends to Bob

      • a' = a XOR g XOR 0x01
    • Bob decrypts c2 with the modified c1 (a' in place of a), getting b' as the last byte

      • b' = b XOR ( g XOR 0x01 )
    • Case: g = b, b' = 0x01 // no padding error

      • b' = b XOR g XOR 0x01 = 0x01
    • Case: g != b, b' != 0x01 // padding error!!

      • b' != 0x01
      • which is invalid padding most of the time, depending on the rest of the plaintext (e.g. b' = 0x02 is valid only if the byte before it happens to be 0x02)
    • Why: the last byte of D(c2) is b XOR a, so b' = a' XOR (b XOR a) = a XOR g XOR 0x01 XOR b XOR a = b XOR g XOR 0x01

Look at what generates a padding error and what doesn't. Once you have solved the last byte of a block, you fix it to 0x02, guess the second-to-last byte, and keep working backward until you reach the first byte.

How to stop a padding oracle attack

  • Don’t let the decryption function return plaintext unless the ciphertext was valid
  • Make it infeasible for anyone except key holders to create valid ciphertexts

  • It should be efficient for key holders to decide if a ciphertext is valid
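As an added example serving both the "How it works" walkthrough and this "How to stop" list (not code from the original notes), the whole attack end to end in Python, followed by the fix. Assumptions: the block cipher is a toy 4-round Feistel network built on SHA-256 that stands in for AES so the example needs no third-party library; the keys, IV and "cookie" are constructed values; `padding_oracle` plays Bob, answering only yes/no. The fix is encrypt-then-MAC: only key holders can create a ciphertext that is ever decrypted, and a forged message gets one generic rejection before any padding is looked at.

```python
import hashlib
import hmac

BLOCK = 16
# Constructed demo keys (assumption); a real system derives two independent keys.
ENC_KEY = hashlib.sha256(b"demo-encryption-key").digest()
MAC_KEY = hashlib.sha256(b"demo-mac-key").digest()
QUERIES = {"oracle": 0}                             # how often Eve asked the oracle

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]

# Toy 4-round Feistel cipher over SHA-256 (assumption: stands in for AES so the
# example needs no third-party library; not a cipher to use for real data).
def _round(key: bytes, i: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]
def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, i, r))
    return l + r
def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    padded, out, prev = pkcs7_pad(pt), b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(padded[i:i + BLOCK], prev))
        out += prev
    return out
def cbc_decrypt_raw(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """CBC decryption with the padding left on: m_i = D(c_i) XOR c_(i-1)."""
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def padding_oracle(iv: bytes, ct: bytes) -> bool:
    """The leak: Bob answers only yes/no about the padding of the decryption."""
    QUERIES["oracle"] += 1
    try:
        pkcs7_unpad(cbc_decrypt_raw(ENC_KEY, iv, ct))
        return True
    except ValueError:
        return False

def attack_block(oracle, prev: bytes, cur: bytes) -> bytes:
    """Recover m = D(cur) XOR prev one byte at a time, last byte first. Notation as in
    the notes: a = byte of prev, g = guess for plaintext byte b, a' = a XOR g XOR pad."""
    pt = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos                           # 0x01 for the last byte, then 0x02, ...
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):             # known bytes: make Bob see `pad` there
            forged[j] = prev[j] ^ pt[j] ^ pad
        for g in range(256):                        # at most 256 queries per byte
            forged[pos] = prev[pos] ^ g ^ pad       # Bob sees b' = b XOR g XOR pad
            if not oracle(bytes(forged), cur):
                continue                            # padding error: g != b
            if pos == BLOCK - 1 and not oracle(     # b' could be 0x02 with byte 14 also 0x02
                    bytes(forged[:14]) + bytes([forged[14] ^ 0xFF, forged[15]]), cur):
                continue                            # by chance: re-ask with byte 14 disturbed
            pt[pos] = g                             # no padding error: g == b
            break
        else: raise RuntimeError("no guess accepted: this is not a padding oracle")
    return bytes(pt)

def padding_oracle_attack(oracle, iv: bytes, ct: bytes) -> bytes:
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return pkcs7_unpad(b"".join(attack_block(oracle, blocks[i - 1], blocks[i])
                                for i in range(1, len(blocks))))

# The fix from the notes: encrypt-then-MAC. Only key holders can build a ciphertext
# that is ever decrypted, so the padding check never runs on attacker-chosen input.
def seal(iv: bytes, pt: bytes) -> bytes:
    ct = cbc_encrypt(ENC_KEY, iv, pt)
    return iv + ct + hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()
def open_sealed(blob: bytes):
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()):
        return None                                 # one generic failure, before decrypting
    return pkcs7_unpad(cbc_decrypt_raw(ENC_KEY, iv, ct))

def demo():
    iv, cookie = bytes(range(BLOCK)), b"session=deadbeef; role=admin"   # constructed
    QUERIES["oracle"] = 0
    recovered = padding_oracle_attack(padding_oracle, iv, cbc_encrypt(ENC_KEY, iv, cookie))
    blob = seal(iv, cookie)
    tampered = bytes([blob[0] ^ 1]) + blob[1:]      # Eve flips one IV byte, as in the attack
    return recovered, QUERIES["oracle"], open_sealed(tampered), open_sealed(blob)
```

`demo()` returns the recovered cookie, the number of oracle queries it took (a few thousand for two blocks, matching the ~4000 per block estimate above), `None` for the tampered sealed message, and the cookie again for the honest one. The extra check at the last byte is the "depending on rest of plaintext" case from the walkthrough: if b' = 0x02 and byte 14 happened to decrypt to 0x02 as well, the oracle would say yes for the wrong g, so the last byte is re-queried with byte 14 disturbed.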
