I have found what I believe to be a straightforward explanation of the oracle padding attack here: http://robertheaton.com/2013/07/29/padding-oracle-attack/
I am however getting confused by something which experts here should I believe find so easy.
When you open the link and browse to the subsection titled "Manipulating the Cipher text", there is a statement which says ...
If the server says that we have produced a plaintext with valid padding, then we can be pretty sure that
I am unable to understand why a value of
01 will imply that the padding is OK. I know that as per PKCS#5, the only way we can get
01 as the last byte is when there was only 1 byte of padding. But according to the example on this page, I don't see anything that suggests that the data had 1 byte of padding. So, I fail to understand why a result of 01 is considered successful.
Is anyone able to look at the document and advise where the
01 comes from?
Actually, we don't care about the amount of padding the original message had; we care whether the modified plaintext (that is, the result of the decryption of the modified ciphertext) has good padding or not.
The padding will be valid if the last block had one of these patterns:
XX XX XX XX XX XX XX 01
XX XX XX XX XX XX 02 02
XX XX XX XX XX 03 03 03
XX XX XX XX 04 04 04 04
XX XX XX 05 05 05 05 05
(where XX is any byte value). If we modify the ciphertext, and then the decryptor decrypts and packet and finds a valid padding, then we know that the value in that last block is one of those patterns.
Now, why do we initially consider one the first one, and essentially ignores the others? Well, for a random change (that is, if the attacker is in the initial stages of that attack, and may have no information about the decryption), then the last block will have the last byte
01 with probability 1/256; the rest of the alternatives will, in aggregate, happen with probability less than 1/65280, hence with quite high probability, the ciphertext being accepted with indicate that the last byte of the plaintext was
03 03or so on). If that happens, we can easily find out which block is which by changing the second-to-last byte and seeing if that makes the padding invalid or not. — Jul 09, 2016 at 18:35
02, or the last three bytes might be
03, etc. However, the last byte
01will be the most frequent (and it's easy for the attacker to double check with just one addition query) — Jul 09, 2016 at 18:54
01, the padding will still be valid; if the pattern was anything else, that'd break up the padding pattern. — Jul 09, 2016 at 19:07
External links referenced by this document: