The very fact this article came to be implies the answer – yes, they are. Readers who are interested in knowing the rationale behind this statement are encouraged to continue reading.
The main motivation behind writing this article was a padding oracle vulnerability ( CVE-2016-2107 ) found on May 2016 in a popular OpenSSL cryptographic toolkit. Authors of this article decided that it is a great occasion to revisit this area and to refresh information about the padding oracles.
first demonstrated a practical
adaptive chosen-ciphertext attack
. Four years later in 2002
presented the very first practical
padding oracle attack
. Since that time notable vulnerabilities belonging to this category were also discovered, e.g.
, to name the most recognized ones.
After some time, some people even started to believe that this type of attack is no longer a problem (i.e. no longer considered a threat in real-life). Despite this and similar opinions, we can observe that new padding oracle vulnerabilities are continuously discovered by security researchers and 14 years after the first practical attack was presented, they still pose a very real security threat.
What is padding oracle? What can happen if someone finds this vulnerability in my application and will be able to exploit it? How can I test, identify and avoid this type of attack? Let’s address these and other questions in the following sections.
First things first. Let’s refresh on what the padding oracle attack is. The definition according to MITRE states:
“An attacker is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext.
In addition to performing decryption, an attacker is also able to produce valid ciphertexts
(i.e., perform encryption) by using the padding oracle, all without knowing the encryption key”.
For readers who would like to refresh information about the padding oracles, please refer to the following materials:
- MITRE CAPEC-463 – Padding Oracle Crypto Attack
- Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1
- Security Flaws Induced by CBC Padding Applications to SSL, IPSEC, WTLS…
- Practical Padding Oracle Attacks
- Making sure crypto stays insecure
- Padding oracles and the decline of CBC-mode cipher suites