encryption aes padding-oracle: Updated Thu, 30 Jun 2022 05:13:59 GMT

Are there actual consequences of padding oracle attacks?

I am writing a program that encrypts data in Python and heard about padding oracle attacks, but I think they are overrated (I mean, what are the real-world uses?) even for the old implementations that are vulnerable (the ones that tell if padding is right or wrong like SSLv3).

Because:

If all I need are two ciphertexts $c(n-1)$, $c(n)$ which are the last two encrypted messages blocks, and a server to tell me if the padding of decrypted $c(n)$is correct or whatever, doesn't that mean that the server just decrypts whatever you send to it (I mean, just send the whole encrypted message as you received it and read the output). I mean, this is the server bug that it doesn't take a key in the first place and check if it's correct.
Let's assume that all we have to do is send those two cipher messages to know and decrypt the last block (the padding block). This only works since the padding plaintext is known or at least not random or whatever reason.

But what about, say, c2 and c3 which are in the middle of the whole message? We know c3 and c2, but we don't know and we will never know either p3 or p2 (plaintext), nor the intermediate state IS3; i.e. we can't XOR c2 with is3 to obtain p3, so this attack I think only allow us to decrypt the padding block with the only new thing we actually knew is an intermediate state of padding block.

I am asking to know if this attack is just a one with no real-world implications and no real data decryption capabilities (actual data).

Solution

I mean this is the server bug that it doesn't take a key in the first place and check if it's correct :)

What do you mean with that? The key must be the right one, and the padding oracle attacks actually change the ciphertext encrypted with that key on the other side to perform the attack.

but what about say c2, c3 which are in the middle of whole message, we know c3 and c2 but we dont know and we will never know either p3(plaintext of course) nor intermediate state IS3

No, a padding oracle attack is able to completely decrypt a message. This is precisely because the XOR influences the next block.

Note that padding oracle attacks are just one form of plaintext oracle attack. For instance, you can also perform plaintext oracle attacks on XML-enc, even without using the padding itself.

I am asking to know if this attack is just a one with no real world implications and no real data decryption capabilities(actual data) .

Yes, that's utterly and completely wrong. A padding oracle attack can decrypt the whole message using 128 tries per byte, and other plaintext oracles can actually be even more effective.

Besides that, having the receiving end accept a changed plaintext is possibly as dangerous as loosing confidentiality. For that reason you should use authenticated encryption - or rather a protocol that utilizes authenticated encryption instead of unauthenticated CBC.

Comments (3)

+0 – You are right that xor influence the next block but it doesn't influence the block before so decrypting last block how is it going to decrypt first blocks. I know the key must be the same what i mean is it doesn't allow for key retrieval. — Aug 18, 2020 at 23:20
+2 – "You are right that xor influence the next block but it doesn't influence the block before". No, you can still influence the plaintext in such a way that you can check if it is a padding byte or not, that's the problem. You don't need the padded last block to perform the attack, only the oracle is required. — Aug 18, 2020 at 23:24
+2 – Most people think that the padding oracle works in the last block. It works for all blocks. — Aug 19, 2020 at 12:10

External Links

External links referenced by this document:

https://en.wikipedia.org/wiki/Padding_oracle_attack

References

https://crypto.stackexchange.com/questions/83440