Padding Oracle Attacks

For the security of communication channels in today’s networks and encryption of messages therein, applications and their users rely on cryptographic protocols. These are supposed to provide confidentiality and integrity of message contents. They are relied upon by online shopping, banking, communication, scientific applications, and many others. Design errors in standard definition documents or in the implementation of widespread libraries, however, allow for the violation of these objectives by adversaries. Specifically, padding oracle attacks render the partial or complete recovery of the underlying plaintext of encrypted messages possible. Such attacks also affect the most common modus operandi of most modern cryptographic protocols, the cipher block chaining (CBC) mode. Thus, given a corresponding design or implementation error, these attacks can affect almost all online communication channels secured by such protocols. In this paper, we give an insight into the theoretical aspects of padding oracle attacks. We will outline all necessary background and detail prerequisites for a successful attack. An overview of resulting practical implementations in real-world applications such as Datagram TLS, among others, will also be provided. It is our intent to introduce the reader to common design flaws of cryptographic constructs in protocols that make them prone to padding oracle attacks, so that readers are able to avoid such mistakes and to assess cryptographic constructs in this regard.