Practical Padding Oracle Attacks

Juliano Rizzo (http://netifera.com, juliano at netifera.com)
Thai Duong (http://vnsecurity.net, thaidn at vnsecurity.net)

May 25th, 2010

Abstract

At Eurocrypt 2002, Vaudenay introduced a powerful side-channel attack, which is called padding oracle attack, against CBC-mode encryption with PKCS#5 padding (See [6]). If there is an oracle which on receipt of a ciphertext, decrypts it and then replies to the sender whether the padding is correct or not, Vaudenay shows how to use that oracle to efficiently decrypt data without knowing the encryption key. In this paper, we turn the padding oracle attack into a new set of practical web hacking techniques. We also introduce a new technique that allows attackers to use a padding oracle to encrypt messages of any length without knowing the secret key. Finally, we show how to use that technique to mount advanced padding oracle exploits against popular web development frameworks.

1 Introduction

In this research, we show that widely used web development frameworks and web sites are using encryption incorrectly in a way that allows attackers to read and modify data that should be protected. It has been known for years in the cryptography community that encryption is not authentication. If encrypted messages are not authenticated, data integrity cannot be guaranteed, which makes systems vulnerable to practical and dangerous chosen-ciphertext attacks, one of them being the padding oracle attack presented by Vaudenay at EuroCrypt 2002 (See [6]). As explained in Paterson and Yau's summary in [5], the padding oracle attack requires an oracle which on receipt of a ciphertext, decrypts it and replies to the sender whether the padding is VALID or INVALID. The attack works under the assumption that the attackers can intercept padded messages encrypted in CBC mode, and have access to the aforementioned padding oracle. The result is that attackers can recover the plaintext corresponding to any block of ciphertext using an average of $128 \cdot b$ oracle calls, where $b$ is the number of bytes in a block. The easiest fix for the padding oracle attack is to encrypt-then-MAC, i.e., encrypting information to get the ciphertext, then protecting the ciphertext integrity with a Message Authentication Code scheme. For more details on Vaudenay's attack and suggested fixes, please see [7, 1, 3, 4, 5].

In Section 2, we describe manual and automated testing techniques to find padding oracles in real life systems. In Section 3, we describe basic padding oracle attacks to crack CAPTCHA, and decrypt secret data of popular web sites and web development frameworks. In Section 4, we introduce advanced padding oracle attacks that allow attackers to mount the most interesting exploits such as creating malicious view states to run arbitrary code in JavaServer Faces. In Section 5, we describe padding oracle vulnerabilities in some other popular web development frameworks besides JavaServer Faces. We conclude in Section 6.

2 Finding Padding Oracles

If you start looking today, you will see that the padding oracle vulnerability is pervasive.
It is everywhere like SQL Injection or Cross Site Scripting. This is because few people understand that attackers can decrypt their secrets if they leak out just a single bit of information. Unfortunately, the reality is that if you somehow let attackers know whether or not an error has occurred while you decrypt data supplied by them, then they can decrypt your messages.

It is also important to stress that people often use one global crypto key and a fixed IV to encrypt everything in their systems, so if attackers discover a padding oracle, they can then use it to decrypt all data encrypted under that key and IV.

2.1 Finding Potential Padding Oracles

We have been using three methods to find potential padding oracles:

Google Hacking
We look for known error messages and standard API exceptions. In Java, the error message is "Given final block not properly padded", and the standard exception is javax.crypto.BadPaddingException. Other platforms and crypto libraries provide different error messages and API exceptions. Just googling these messages, we promise that you can find many applications potentially vulnerable to the padding oracle attack.

Source Code Auditing
Another way is to look for known source code keywords. You can start by looking for code that imports low level cryptography libraries such as OpenSSL, Crypto++, PyCrypto, Microsoft Crypto API or Java Cryptography Extension. Then look for routines that perform encryption and decryption. If there's some code to handle errors while decrypting, and/or no evidence of authentication checks, then it is highly probable that you have found a target for the padding oracle attack.

Blackbox Testing
We crawl the target web site to find Base64 strings which can be found in hidden fields, cookies, or request parameters¹. Then we decode each Base64 string found. If the result looks random, and its length is a multiple of a common block cipher size, i.e., 8, 16 or 32 bytes, then there's a good chance that it is a ciphertext. We also look for common separators, i.e., --, | or :, which are often used to separate IV, ciphertext, or MAC. Then we replace a byte at the end of the ciphertext by a random value, then send it back to the target, and see what changes in the response. If there is an error message, then there's a high chance that this is a padding oracle. Even a blank page is enough information to perform this attack.

¹ A funny side effect of doing this research is now both of us are obsessed with Base64 strings. Every time we see a Base64 string, we decode it, and if it's not plaintext, we assume it is a ciphertext, then go on trying to decrypt it using Padding Oracle attack. It's really fun!

For blackbox testing, the most important task is to analyse and understand the meaning of error messages returned by the target upon receiving mangled ciphertexts. In short, you need to know which responses from the target mean that the padding was VALID after decrypting your modified ciphertexts. The following algorithm, which is very similar to the last word decryption algorithm that Vaudenay described in his seminal paper (See [6, Section 3.1]), can be used in a black-box scenario as the first step to learn if the target leaks information about its padding validity.

1. Determine the block size $b$. You can use the algorithm described in Section 2.2.

2. Choose a few random bytes $r_1, \ldots, r_b$, where $b$ denotes the cipher block size in bytes, and take $i = 0$.

3. Take $r = r_1 | \ldots | r_{b-1} | (r_b \oplus i)$, where $|$ denotes byte concatenation.

4. Send $r|y$ to the target, where $y$ is a valid ciphertext block that you found during the manual testing phase. Record the value of $i$, content length, elapsed time and content type of the response. Increment $i$, and go back to step 3 until $i > 255$.
5. Now you have 256 responses. If all of them are the same, then it is bad news: the target is not easily showing you that it is vulnerable to the padding oracle attack. Otherwise, look at each value of $i$ where the responses are different from the rest. Manually resend each corresponding $r|y$, and examine carefully each response to see what happens.

2.2 Confirm The Existence of Padding Oracles

After doing some manual testing, one usually needs to use an automated tool to confirm the existence of padding oracles. We released POET (Padding Oracle Exploitation Tool)², which finds and exploits padding oracles automatically. If you want to write your own tool to detect padding oracles, you can implement the following algorithms.

² Download POET at http://netifera.com/research

Determine the block size $b$
All padding oracle attacks need a correct block size $b$. The most common block sizes are 8 and 16 bytes, thus of course we can use trial and error. The following algorithm can be used to guess the correct block size by sending just one request to the target. The algorithm is not perfect but it is good enough for most cases.

1. If $\mathrm{len}(C) \bmod 16 = 8$, where $C$ is some captured ciphertext, then stop and output 8.

2. Take $y = C[-16:]$, i.e., $y$ is the last sixteen bytes of $C$.

3. Send $C|y$ to the target; if it returns VALID padding, then stop and output 8.

4. Output 16.

Confirm The Existence of Padding Oracles
1. Determine the block size $b$ if possible; otherwise try the following steps for each potential block size, i.e., 8 and 16.

2. Use the algorithm described in [1] to find the padding length $l$. This takes $\log_2(b)$ oracle queries.

3. Denote the last block of a valid captured ciphertext as $x_0, x_1, \ldots, x_b$. Take $v_i = l$ for $i = 1, \ldots, l$. Run Vaudenay's Postfix Equality Check algorithm (See [6], Section 3.4) with $y_0, y_1, \ldots, y_N = x_0, x_1, \ldots, x_b$ and $w_0, w_1, \ldots, w_m = v_0, v_1, \ldots, v_l$. In other words, check to see if the last $l$ bytes of the last block are the same as the padding bytes.

4. If Vaudenay's Postfix Equality Check returns true, then we can say that we found a padding oracle with a high level of certainty. Otherwise, we cannot be sure if the target is vulnerable or not, but we are sure that we cannot use the oracle to decrypt a ciphertext in a reliable way.

3 Basic Padding Oracle Attacks

Since HTTP is a stateless protocol, web developers must either manage states on the server, or push them to the client. For performance and scalability reasons, many web developers tend to go with the latter method. They want to keep the state as a secret, and turn to cryptography, which is the right tool. However, they use it wrongly, i.e., neither apply a MAC to the ciphertext nor use an authenticated block cipher mode, and make their systems vulnerable. In this section, we show two basic padding oracle attacks.

3.1 Cracking CAPTCHA

CAPTCHA is the most popular technique to prevent computer programs from submitting automated requests to web servers. A common type of CAPTCHA requires that users enter an alphanumeric code from a distorted image. We found that some crypto-based CAPTCHA systems are the simplest examples of padding oracle attacks.

A vulnerable CAPTCHA system works as follows:
1. The server generates a random code, encrypts it using CBC-mode under some key $K$ and some IV: $ERC = E_{K,IV}(\mathrm{rand}())$

2. This $ERC$ will be used as a parameter for some captcha.jsp³ which upon receipt of a $ERC$, will decrypt it, and generate a distorted image. If a HTML form needs to show a CAPTCHA, it just puts something like /captcha.jsp?token=ERC into a <img> tag to load a distorted image.

3. $ERC$ will be stored either as a hidden field in the CAPTCHA form or as a cookie, so once a user submits a form, it will be sent back to the server.

4. Then the server goes on decrypting $ERC$, and compares it with the code that the user has entered. If equal, the server accepts the request; it denies the request otherwise.

³ Please note that what we describe here works for any platform and language; we just use Java/JSP as an example.

Because captcha.jsp would decrypt any $ERC$ sent to it, it is vulnerable to the padding oracle attack. As we discussed in Section 2, the only remaining problem now is to know when padding is VALID, and when it is not.

Fortunately, most CAPTCHA systems would send back an error notification when they fail to decrypt $ERC$, i.e., padding is INVALID. Some servers send either empty responses or HTML with an error message. In addition, when you modify $ERC$ so that the padding is VALID, captcha.jsp would display an image with a broken code.

If things work out that way, attackers now have a padding oracle, and they can use it to decrypt any $ERC$ to get its random code, hence bypass the CAPTCHA protection completely.

CAPTCHA with secret IV
Since $P_0 = IV \oplus D_{\mathrm{PaddingOracle}}(C_0)$, attackers need to know the IV to be able to get $P_0$. In other words, if the IV is secret, it is not possible to decrypt the first block, making it impossible to break CAPTCHA systems whose $P_0$ contains part of the random code.

Fortunately, for those CAPTCHA systems that we have found during this research, the IV can be recovered easily with human intervention. Most of the time the text shown in the CAPTCHA image is exactly the same as $P_0$, so if attackers know $D_{\mathrm{PaddingOracle}}(C_0)$, then they can compute the secret IV as follows:

$IV = \mathrm{Human} \oplus D_{\mathrm{PaddingOracle}}(C_0)$

where $\mathrm{Human}$ denotes that somebody reads $P_0$ from the CAPTCHA image. This is very useful to attack CAPTCHA systems where manually discovering the IV a single time allows attackers to decrypt any new challenges, given the IV is not changed, without any further human intervention.

3.2 Decrypting JSF view states

JavaServer Faces introduces a powerful and flexible system for saving and restoring the state of the view between requests to the server. JSF implementations support two primary mechanisms for saving states, based on the value of the javax.faces.STATE_SAVING_METHOD initialization parameter. If this parameter is set to client, it would cause the saved state to be included in the rendered markup that is sent to the client (such as in a hidden input field for HTML). The state information must be included in the subsequent request, making it possible for JSF to restore the view without having saved information on the server side.

Although the JSF specification advises that state information should be encrypted and tamper evident, as far as we know no implementation follows that advice. Some frameworks such as SUN Mojarra and Apache MyFaces do encrypt state information, but they don't protect the integrity of encrypted states, which makes them vulnerable to padding oracle attacks.
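The following Go program is an added example; it is not code from the paper, from POET, or from any framework named here. It places the captcha.jsp-style endpoint (decrypt any token; the response class follows the PKCS#5 check) beside the encrypt-then-MAC fix named in Section 1, which verifies an HMAC before decrypting anything, and runs the 256-probe loop of Section 2.1 against both as a self-check for one's own decrypt path. The AES key, MAC key, fixed IV, CAPTCHA code and the block r are constructed demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

const b = aes.BlockSize // block size b = 16 bytes
// Constructed demo secrets; the IV is fixed, as the paper observes is common.
var encKey, macKey, fixedIV = []byte("demo-aes-key-16b"), []byte("demo-mac-key-16b"), []byte("demo-fixed-iv-16")

// validPadding reports whether p ends in correct PKCS#5 padding.
func validPadding(p []byte) bool {
	n := len(p)
	if n == 0 || p[n-1] == 0 || int(p[n-1]) > b || int(p[n-1]) > n {
		return false
	}
	k := int(p[n-1])
	return bytes.Equal(p[n-k:], bytes.Repeat([]byte{byte(k)}, k))
}

// cbcDecrypt is raw CBC decryption, P_i = D_K(C_i) XOR C_{i-1}; ct must be block-aligned.
func cbcDecrypt(ct []byte) []byte {
	blk, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, fixedIV).CryptBlocks(pt, ct)
	return pt
}

// Encrypt builds the ERC-style token: PKCS#5 pad, then CBC under K and the fixed IV.
func Encrypt(code string) []byte {
	n := b - len(code)%b
	p := append([]byte(code), bytes.Repeat([]byte{byte(n)}, n)...)
	blk, _ := aes.NewCipher(encKey)
	ct := make([]byte, len(p))
	cipher.NewCBCEncrypter(blk, fixedIV).CryptBlocks(ct, p)
	return ct
}

// Tag is the encrypt-then-MAC tag: HMAC-SHA256 over the ciphertext.
func Tag(ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(ct)
	return m.Sum(nil)
}

// VulnerableServe is the captcha.jsp pattern: it decrypts whatever it is sent, and
// the response class is decided by the padding check alone. That is the oracle.
func VulnerableServe(ct []byte) string {
	if !validPadding(cbcDecrypt(ct)) {
		return "500 Given final block not properly padded" // Java's message
	}
	return "200 image" // perhaps with a broken code, but still a VALID signal
}

// HardenedServe expects ct||Tag(ct) and verifies the tag (constant time) before any
// decryption, so every tampered token yields one and the same response.
func HardenedServe(token []byte) string {
	if len(token) < b+sha256.Size {
		return "400 invalid token"
	}
	ct, t := token[:len(token)-sha256.Size], token[len(token)-sha256.Size:]
	if !hmac.Equal(t, Tag(ct)) {
		return "400 invalid token"
	}
	return VulnerableServe(ct) // the padding check is now reached only by untampered tokens
}

// ResponseClasses runs the Section 2.1 probe loop against serve: r|y for i = 0..255,
// y being the last block of a valid ciphertext and the last byte of r being r_b XOR i.
// suffix is appended to every probe: without the MAC key, only the observed tag can be replayed.
func ResponseClasses(serve func([]byte) string, ct, suffix []byte) int {
	y := ct[len(ct)-b:]
	r := []byte("constructed-rand") // stands in for the random bytes r_1..r_b
	seen := map[string]bool{}
	for i := 0; i < 256; i++ {
		probe := append(append(append([]byte{}, r...), y...), suffix...)
		probe[b-1] ^= byte(i)
		seen[serve(probe)] = true
	}
	return len(seen)
}

func main() {
	ct := Encrypt("K7Q2ZX") // constructed CAPTCHA code
	// 2 classes is the leak the paper exploits; 1 is what encrypt-then-MAC gives.
	fmt.Println(ResponseClasses(VulnerableServe, ct, nil), ResponseClasses(HardenedServe, ct, Tag(ct)))
}
```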
By default, all JSF frameworks would display a very detailed error message if the decryption of a view state fails, which makes the padding oracle very obvious: if one sees javax.crypto.BadPaddingException, then it is INVALID padding; it is VALID padding otherwise. Most JSF frameworks allow developers to turn off error messages. Then attackers can use the following trick. Say an attacker wants to decrypt block $C_i$ of an encrypted view state $C_0|C_1|\ldots|C_{n-1}$; then he would append $C_{\mathrm{random}}|C_i$ to create $C_0|C_1|\ldots|C_{n-1}|C_{\mathrm{random}}|C_i$, and send this message to the server. Since JSF frameworks ignore those extra blocks while decrypting and deserializing view states, the attacker can have a safe bet that it is VALID padding if the server returns the same page as when the view state is unaltered. It is probably INVALID padding if he sees something else, e.g., a HTTP 500 error message.

View states usually do not contain very sensitive data, but it is important to stress that some frameworks save to the client not only the view, but also the entire managed beans, which could possibly contain confidential data⁴.

⁴ For Apache MyFaces, see http://wiki.apache.org/myfaces/SaveState

4 Advanced Padding Oracle Attacks

4.1 Using Padding Oracles to Encrypt

A padding oracle is all attackers need to decrypt messages. But can it help if their goal is to encrypt messages? The short answer is yes. We designed the following technique, which allows attackers to use a padding oracle to encrypt messages of any length without knowing the secret key. Given the surprisingly fruitful consequences of this technique, we are surprised that it was not published before. We call it CBC-R encryption, and Section 4.1.2 shows that CBC-R has permitted us to mount the most interesting exploits.

4.1.1 CBC-R Encryption

CBC-R turns a decryption oracle into an encryption oracle⁵. CBC decryption works as follows:

$P_i = D_K(C_i) \oplus C_{i-1}$, with $C_0 = IV$

Look at the XOR operation. If attackers control $C_{i-1}$, and they know $D_K(C_i)$, then they can make $P_i$ equal to anything they want. Of course attackers can control $C_{i-1}$ because this is a chosen-ciphertext attack. For the second condition, attackers don't have access to $K$, but they can use a padding oracle to get $D_K(C_i)$. In other words, attackers can use a padding oracle to encrypt messages of any length without knowing the secret key.

⁵ Please note that a padding oracle is just one kind of decryption oracle that can work well with CBC-R.

The process is simple. Attackers choose a random ciphertext block, call it $C_i$. Any random block would work. They send that block to the padding oracle to get its intermediate plaintext; call this operation $D_{\mathrm{PaddingOracle}}(C_i)$. Since $P_i = D_{\mathrm{PaddingOracle}}(C_i) \oplus C_{i-1}$ and attackers control $C_{i-1}$, they can make $P_i$ equal to any block they want. Suppose they want to make $P_i$ equal to some $P_x$; then all they need to do is to set:

$C_{i-1} = P_x \oplus D_{\mathrm{PaddingOracle}}(C_i)$

But does this make $C_{i-1}$ decrypt to a garbled block $P_{i-1}$? Yes, but attackers can fix $P_{i-1}$ by sending $C_{i-1}$ to the padding oracle to get its intermediate plaintext, and set:

$C_{i-2} = P_{i-1} \oplus D_{\mathrm{PaddingOracle}}(C_{i-1})$

Now they have two consecutive plaintext blocks $P_i$ and $P_{i-1}$ of their choice, and a leading garbled block $P_{i-2}$ that they can correct by inserting a new ciphertext block $C_{i-3}$. Repeating this operation, they can efficiently encrypt a complete message block by block, starting from the last one. Since the first block of the CBC ciphertext stream depends on the $IV$, if attackers can set the $IV$, then the decrypted data will be exactly as what they want without any garbled block. If attackers don't control the $IV$, then the first block is garbled. In the next paragraph, we discuss what attackers can do if they don't control the $IV$.

1. choose a plaintext message, and divide it into $N$ blocks of $b$ bytes $P_0, P_1, \ldots, P_{N-1}$.
2. choose a few random bytes $r_1, r_2, \ldots, r_b$, and set $C_{n-1} = r_1|r_2|\ldots|r_b$
3. for $i = N-1$ down to 1: $C_{i-1} = P_i \oplus D_{\mathrm{PaddingOracle}}(C_i)$
4. $IV = P_0 \oplus D_{\mathrm{PaddingOracle}}(C_0)$
5. output $IV$ and $C = C_0|C_1|\ldots|C_{n-1}$.

Figure 1: CBC-R pseudocode

CBC-R Without Controlling IV
Different cryptosystems handle IV in different ways. IV can be either a prefix of the ciphertext, and totally controllable by attackers, or a fixed well known value, but attackers cannot change it. Cryptosystems also use secret IVs, then either change them every once in a while, or set them as a fixed static value.

We said that CBC-R allows attackers to encrypt any message, but if they cannot set the IV, the first plaintext block will be random and meaningless. If the victim expects the decrypted message to start with a standard header, and attackers don't control the IV, then the victim will ignore the forged message constructed by CBC-R. This is what happens with compressed data, and Java serialized object streams, to name a few. This limitation could prevent some of the highest impact attacks, and we have not found a generic way to overcome it. However, we have found workarounds for particular cases.

Using Captured Ciphertext As Prefix
If attackers capture a ciphertext whose plaintext is a valid message, then they can prepend the ciphertext to their CBC-R encrypted message to get a valid header after decrypting:

$P_{\mathrm{valid}} = D_K(C_{\mathrm{captured}} | IV_{\mathrm{CBC\text{-}R}} | P_{\mathrm{CBC\text{-}R}})$

The resulting forged plaintext message will have a valid header, but it still has a garbled block at the position of $IV_{\mathrm{CBC\text{-}R}}$. This broken block can still make the victim reject the message, but we can make the victim ignore it if we choose the prefix carefully, i.e., the garbled block becomes part of some string that doesn't affect the semantic of the message, such as a comment or textbox label.

Brute-Forcing $C_0$
In CBC-R, the final block $C_{n-1}$ is a random block (See Figure 1). Each different $C_{n-1}$ would yield a different $C_{n-1}, \ldots, C_0$ chain. In other words, CBC-R can produce many different ciphertexts that are decrypted to the same plaintext block chain $P_{n-1}, \ldots, P_1$. The only difference is the first plaintext block, which is computed as follows:

$P_0 = D_K(C_0) \oplus IV$

Attackers want $P_0$ to contain a valid header. In some systems, this means that the first few bytes of $P_0$ must match some magic numbers. There are also systems that accept a message only if the first byte of $P_0$ matches the message length. If this is the case, and if the message is short enough, attackers can try their luck by brute-forcing $C_0$. Attackers change $C_{n-1}$, hence change $C_0$, until they can get a valid $P_0$. For example, if the first byte of $P_0$ must match the message size, trying at most 256 different CBC-R ciphertexts is enough to obtain a valid message. For longer messages or more complex validation rules, brute-forcing is not practical.

4.1.2 CBC-R Applications

Creating Malicious JSF view states
It is easy to see that attackers can use CBC-R to create malicious view states that in the worst case could allow them to execute code on vulnerable JSF systems. The two remaining questions are:

Which view state to create?
The book of Apache MyFaces and Facelets technology observed that (See [8]):

    [...] The view is restored by reversing the process used to obtain the view state: it is decoded and deserialized. This poses a major security challenge to any JSF implementation because Sean has the freedom to change the view state. He can toggle the rendered attribute of UI controls that are not supposed to be available to him. He can point a commandButton to a method on any managed bean in the application. He can circumvent an action listener.

While we were writing this paper, a researcher published an advisory describing vulnerabilities in Apache MyFaces and SUN Mojarra, and claimed that (See [2])⁶:

    [...] it is possible for an attacker to supply a new or modified view object as part of a request. The malicious view can contain arbitrary HTML code (allowing Cross-Site Scripting), and arbitrary Expression Language (EL) statements that will be executed on the server. The EL statements can be used to read data stored in user-scoped session variables, and application or server-scoped variables.

⁶ It is important to stress that the authors of [8] and [2] were wrong when they suggested that encrypting view states would prevent the attacks they described.

How to solve the garbled block problem?
We have to solve the garbled block problem because we can't control the IV in the JSF frameworks that we have tested. The solution depends on the content of JSF view states, which are Java Object Serialization Streams. The generic solution is to use the technique described in Section 4.1.1 to prepend known valid ciphertext to our CBC-R encrypted view state, and make the garbled block become part of a string that doesn't affect the semantic of the view state, such as a textbox label.

Figure 2: CBC-R Encryption

Please note that although we attack only JSF view states, our techniques can be applied to exploit other kinds of state information in different formats such as XML, serialized objects, JSON, simple comma separated variable-value pairs, etc.

4.2 Distributed Cross-Site Padding Oracle Attack

As we have demonstrated up to this point, all attackers need to exploit padding oracle vulnerabilities is a single bit of information. If a web site leaks out that 1-bit information, then there are a lot of ways for attackers to obtain it using cross-domain information leakage bugs in web browsers.

If you are familiar with web browser security, you probably know that JavaScript at evil.com can not read the response of a request to victim.com; otherwise this would allow all kinds of abuses from evil web sites. But there's nothing to stop evil.com referencing resources on victim.com, observing how the server responds, and deducing information.
Using the <img> tag plus the onerror()/onload() JavaScript events, evil.com can make web browsers load an image at victim.com, and know if the image is loaded or not. This is 1-bit information, and as you know, it is enough for the padding oracle attack to work: if the image is loaded, then it is VALID padding; otherwise, it is INVALID padding.

This technique has allowed us to successfully decrypt all CAPTCHA on a target web site using only JavaScript hosted in a different server⁷. If a target is interesting enough, attackers could inject JavaScript code into popular web sites, and when people visit those web sites, the code will run in their browsers, and use their CPU time and Internet connection to decrypt the target's secrets. It is possible to distributively build a code book, i.e., a mapping of ciphertext to corresponding plaintext under the same key and IV as the padding oracle. This code book in turn can be used to automatically bypass CAPTCHA protection with 100% accuracy regardless of the graphical complexity.

⁷ Watch http://youtube.com/watch?v=e46A-PUpDvk

5 Vulnerable Web Frameworks

Besides JavaServer Faces, we have also audited some other popular web frameworks to see if they are vulnerable to padding oracle attacks. Here are some of our findings. We will publish more results in the near future.

5.1 Ruby On Rails

Ruby On Rails, which was created in 2003, is one of the most widely used web development frameworks in the world. Since version 2.3, Ruby On Rails has introduced ActiveSupport::MessageEncryptor, which is a set of functions to provide a simple way to encrypt information for storage in an untrusted location (like cookies). If you look at ActiveSupport::MessageEncryptor's source code, you would probably see that applications that use the provided encrypt/decrypt functions would be vulnerable to padding oracle attacks. It is ironic that the developers of ActiveSupport::MessageEncryptor do provide a pair of secure functions to encrypt/decrypt data that are not vulnerable to padding oracle attacks, but they still keep the vulnerable ones⁸.

⁸ Fortunately, ActiveSupport::MessageEncryptor is not widely used.

5.2 OWASP ESAPI

OWASP ESAPI, which stands for OWASP Enterprise Security API Toolkits, is a project that claims to help software developers guard against security-related design and implementation flaws. However, we found that all OWASP ESAPI for Java up to version 2.0 RC2 are vulnerable to padding oracle attacks. There were some significant changes in the ESAPI Encryption API since 2.0 RC3. Unfortunately, while these changes are heading towards the correct direction, i.e., signing the ciphertext or using an authenticated encryption mode, at the time of this writing there are still some bugs in the latest implementation that make applications using ESAPI for Java still vulnerable to padding oracle attacks. We leave the finding of these bugs as an exercise for readers.

6 Conclusion

In summary, in this paper we showed that padding oracle attacks allow us to decrypt ciphertext without knowing the key. We also described how to use padding oracle attacks to break CAPTCHA systems, and decrypt JSF view state. We also introduced CBC-R, a new technique that turns a decryption oracle into an encryption oracle, and allows us to create malicious JSF view states. We also demonstrated how to leverage cross-domain site information leakage in web browsers to deploy a distributed padding oracle attack that allows us to crack all CAPTCHA codes of a target web site using only Javascript hosted in a different server.
We hope that this research has convinced you that rolling your own crypto is extremely risky, and should be avoided. After all, the padding oracle attack has been known in the crypto academic community since 2002. After 8 years, however, we still have a large number of systems vulnerable to this attack. What is even more surprising is the fact that we were the first to identify this vulnerability in popular technologies like JavaServer Faces.

Since August 2009 we have been carrying out a research in which we test-run a number of identified practical crypto attacks on random widely-used software systems. To our surprise, most, if not all, can be attacked by one or more well-known crypto bugs. This case is just one example. We hope that publishing this vulnerability and other future results from our research would encourage the security community in taking a more serious look at crypto bugs in software systems, which are as pervasive as SQL Injection or XSS in early 2000.

We hope you enjoy reading this paper as much as we enjoyed writing it.

Acknowledgements

We would like to thank Huong L. Nguyen, Agustin Azubel, Thomas Ptacek, rd, Gunther, Bruce Leidl, and Alex Sotirov for reading and editing the draft of this paper.

References

[1] J. Black and H. Urtubia. Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption. In Proceedings of the 11th USENIX Security Symposium, San Francisco, CA, USA, August 5-9, 2002, pages 327-338. USENIX, 2002.

[2] D. Byrne. Multiplatform View State Tampering Vulnerabilities. Trustwave's SpiderLabs, 8 Feb. 2009. Trustwave.

[3] B. Canvel, A. Hiltgen, S. Vaudenay, and M. Vuagnoux. Password Interception in a SSL/TLS Channel. In Proc. CRYPTO 2003, D. Boneh (ed.), LNCS Vol. 2729, pp. 583-599, 2003.

[4] V. Klima and T. Rosa. Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format. Cryptology ePrint Archive, Report 2003/098, 2003.

[5] K. G. Paterson and A. Yau. Padding Oracle Attacks on the ISO CBC Mode Padding Standard. In T. Okamoto, editor, Topics in Cryptology - CT-RSA 2004, volume 2964 of Lecture Notes in Computer Science, pages 305-323. Springer-Verlag, 2004.

[6] S. Vaudenay. Security Flaws Induced by CBC Padding - Applications to SSL, IPSEC, WTLS... In L. Knudsen, editor, Advances in Cryptology - EUROCRYPT 2002, volume 2332 of Lecture Notes in Computer Science, pages 534-545. Springer-Verlag, 2002.

[7] A. K. L. Yau, K. G. Paterson, and C. J. Mitchell. Padding Oracle Attacks on CBC-Mode Encryption with Secret and Random IVs. In H. Gilbert and H. Handschuh, editors, Proceedings of FSE 2005, volume 3557 of LNCS, pages 299-319. Springer-Verlag, 2005.

[8] Z. Wadia, M. Marinschek, H. Saleh, and D. Byrne. Antipatterns and Pitfalls. In The Definitive Guide to Apache MyFaces and Facelets, pages 229-269. Apress, 2008.