lolloj - Fotolia
What is a padding oracle attack and how can we avoid it? Is it even something we should be worried about?
A padding oracle attack is based on the idea that an attacker can learn information about encrypted data by distinguishing between different kinds of errors. Padding oracles have plagued the security of the Transport Layer Security (TLS) protocol for years, but the encryption modes vulnerable to them are rarely used in modern systems, so the risk is declining.
The basic idea was introduced by cryptographer Serge Vaudenay in 2002. Vaudenay figured out that certain combinations of encryption and authentication are vulnerable if an attacker can distinguish two different types of errors. And it turns out that the cipher block chaining (CBC) encryption mode in TLS is one such problematic combination.
Vaudenay's original attack remained theoretical for TLS. While old TLS implementations emitted different kinds of error messages, those messages were encrypted as well, so the attacker couldn't see them.
However, recently, many variations of Vaudenay's attack have been shown to be feasible. Some use the timing differences of server answers, like the Lucky Thirteen attack. A variant of the padding oracle attack called Poodle -- Padding Oracle On Downgraded Legacy Encryption -- was found in the ancient SSL 3 protocol.
While security teams have known about these attacks for a long time, new variations show up repeatedly. Researchers at the Ruhr-University Bochum reported they found nearly 100 variations of padding oracle attacks in the wild in 2019.
It turns out it is incredibly difficult to implement the TLS CBC mode in a way that makes it safe from these attacks. The TLS community understood that when they designed TLS 1.3, so the latest version of the TLS standard no longer supports these problematic modes. Instead, TLS 1.3 exclusively uses so-called AEAD modes (Authenticated Encryption with Additional Data). These modes combine encryption and authentication in a safer way.
So while a padding oracle attack remains a possible threat, it's not a concern anymore with modern TLS implementations. Therefore, the best protection is to support modern TLS standards and slowly deprecate old versions and encryption modes.
Dig Deeper on PKI and digital certificates
Related Q&A from Hanno Böck
Learn how managing web development content with the popular version control system can be risky without taking action to avoid these basic Git ... Continue Reading
Subdomain takeover exposure can happen when cloud-hosted web services are incompletely decommissioned, but configuration best practices can reduce ... Continue Reading
Discover how the MTA-STS specification will improve email security by encrypting messages and enabling secure, authenticated email transfers between ... Continue Reading