
How concerned should I be about a padding oracle attack?

Padding oracle attacks have long been well-known and well-understood. Find out how they work and why using modern encryption protocols can reduce the risks.

What is a padding oracle attack and how can we avoid it? Is it even something we should be worried about?

A padding oracle attack is based on the idea that an attacker can learn information about encrypted data by distinguishing between different kinds of errors. Padding oracles have plagued the security of the Transport Layer Security (TLS) protocol for years, but the encryption modes vulnerable to them are rarely used in modern systems, so the risk is declining.

The basic idea was introduced by cryptographer Serge Vaudenay in 2002. Vaudenay figured out that certain combinations of encryption and authentication are vulnerable if an attacker can distinguish two different types of errors. And it turns out that the cipher block chaining (CBC) encryption mode in TLS is one such problematic combination.

By manipulating encrypted messages in certain ways, an attacker can decrypt the content of an encrypted message. This requires the same message to be sent over and over again, with the attacker altering the ciphertext each time. In the case of the web and encrypted HTTPS connections, an attacker can trigger such repeated connections with JavaScript.

Vaudenay's original attack remained theoretical for TLS. While old TLS implementations emitted different kinds of error messages, those messages were encrypted as well, so the attacker couldn't see them.

More recently, however, many variations of Vaudenay's attack have been shown to be feasible. Some use the timing differences of server answers, like the Lucky Thirteen attack. A variant of the padding oracle attack called Poodle -- Padding Oracle On Downgraded Legacy Encryption -- was found in the ancient SSL 3 protocol.

While security teams have known about these attacks for a long time, new variations show up repeatedly. Researchers at the Ruhr-University Bochum reported they found nearly 100 variations of padding oracle attacks in the wild in 2019.

It turns out it is incredibly difficult to implement the TLS CBC mode in a way that makes it safe from these attacks. The TLS community understood that when they designed TLS 1.3, so the latest version of the TLS standard no longer supports these problematic modes. Instead, TLS 1.3 exclusively uses so-called AEAD modes (Authenticated Encryption with Additional Data). These modes combine encryption and authentication in a safer way.

So while a padding oracle attack remains a possible threat, it's not a concern anymore with modern TLS implementations. Therefore, the best protection is to support modern TLS standards and slowly deprecate old versions and encryption modes.

This was last published in March 2019

What steps have you taken to prevent padding oracle attacks?
Saying that padding oracles are not a threat for modern implementations is a little bit disingenuous. Only if both participating parties (client AND server) are modern implementations is the threat mostly mitigated. If either one is outdated, the threat is still very much alive. There are still quite a few servers with padding oracles out there. Arguing that the issue is not serious because the algorithms are mostly unused is comparable to the argument that NULL, anon ciphers and TLS compression are not a big deal. They all show that your TLS stack is in a bad condition and, if left unaddressed, show that you as a server owner do not care about security. Take responsibility and patch your systems.