Coders Conquer Security: Share & Learn Series - Padding Oracle
24th January 2019
While Padding Oracle sounds like a really bad name for an alternative rock band, it’s actually a vulnerability that can be used by attackers to decrypt information without knowing the encryption key.
In terms of overall difficulty for an attacker, this one is near the top of the scale. We are not talking about a magic decryption button, but instead, a laborious process whereby hackers can examine error messages sent to them regarding cell padding, and use that to determine where encrypted data ends and the padding begins. They can then figure out various bits within the encryption, and possibly crack it given enough time and input to examine.
Thankfully, there are several relatively easy steps that can remove an attacker’s ability to use padding oracle to decipher encrypted data. In this episode, we will learn:
- How it works
- Why this vulnerability is so dangerous
- How you can put defenses in place to prevent it.
How Does Padding Oracle Work?
Cipher block chaining (CBC) is a way to create a block cipher where an entire sequence of bits of information, such as cells stored within a database, is encrypted using an encryption key that applies to the entire chain of information. When using CBC, the encryption of a single block of ciphertext will depend on all of the preceding blocks. In theory, this makes the encryption extremely strong, since anything, even the reordering of the blocks, will corrupt the data.
The problem with CBC ciphers (and any block ciphers, for that matter) is that they can only be encrypted using blocks of exact sizes. Normally, this is done in 8 or 16-byte sizes. So what happens when CBC needs to fit 2 bytes of data into a 16-byte ciphertext unit? It will use padding, basically just nonsense characters, to fill in the gaps and make the unit an appropriate size.
Most padding schemes are well known, with PKCS#7 being one of the most popular, so attackers might know what kind of padding is being used. For example, if the CBC needs to pad five characters in a block, PKCS#7 would use the byte value 0x05 repeated five times after the plain text.
Attackers use their knowledge of both CBC and padding schemes to send queries to a host server, also referred to as an oracle. If they have access to the right tools, they may be able to force the server to tell them if the padding in their query is incorrect. Achieving this, they can cycle from zero to 255 for every byte in the cipher until the server tells them that the padding is correct. Then, they move on to the next unit and repeat the process, recording where the padding begins in every case.
This does not let them decrypt the message or even the cell, but could allow them to map every link in the chain in terms of where the plain text ends and the padding begins. They can also potentially use XOR calculations to figure out the value of the last byte of the original plain text.
Why is Padding Oracle so Dangerous?
A hacker would put so much work into breaking encryption because of the potential payout. Few people encrypt things that aren’t valuable. The danger to the host organization depends on the data being compromised. That could include things like passwords, user accounts, financial information, credit card numbers, patient records, sensitive communications, or any number of highly sought-after and valuable pieces of information.
Using padding oracle could also be the gateway to subsequent attacks. If an attacker can use padding oracle to steal passwords, for example, then elevating their privileges and penetrating deeper into a network is an easy secondary task.
Everyone thinks of encryption as the ultimate defense against snooping or compromise. However, the back-and-forth between encryption science and those that would break it has been going on for centuries. Padding oracle is just one method that gives the edge to attackers.
Giving Padding Oracle Attacks a Hard Landing
Thankfully, there are quite a few ways to prevent padding oracle. One of the best is to use a stronger encryption mode of operation, such as Galois/Counter Mode (GCM) or Offset Codebook Mode (OCB). GCM differs from CBC in that it uses a cipher block size of 128 bits. It also uses a counter for each block of data, then uses that number to create the ciphertext. In other words, it is not susceptible to padding oracle attacks.
Implementing good error handling controls can also severely hurt an attacker’s chances of success. Since padding oracle attacks rely on information leakage, return generic error messages instead of specific padding errors on encryption/decryption failure.
You can also implement a Message Authentication Code (MAC). MAC values protect the data integrity as well as its authenticity, by allowing verifiers to detect any changes to the message content using a secret key.
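The two defenses above (generic errors and a MAC) combined in one receiver, as an added example that is not code from the original article: the HMAC over IV plus ciphertext is verified before any padding is inspected, and every failure raises the same error. The names `seal`, `open_sealed` and `DecryptionError` are hypothetical, and `toy_block` is a stand-in permutation used only so the example runs with the standard library; a real system would use AES here.

```python
import hashlib, hmac, os

BLOCK = 16

class DecryptionError(Exception):
    """The only error callers see; it never says which check failed."""

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block(key, blk, rounds):
    # Stand-in 4-round Feistel permutation (NOT AES); reversed rounds invert it.
    l, r = blk[:8], blk[8:]
    for n in rounds:
        l, r = r, xor(l, hashlib.sha256(key + bytes([n]) + r).digest())
    return r + l

def cbc(key, iv, data, decrypt):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        if decrypt:
            out += xor(toy_block(key, blk, (3, 2, 1, 0)), prev)
            prev = blk
        else:
            prev = toy_block(key, xor(blk, prev), (0, 1, 2, 3))
            out += prev
    return out

def seal(enc_key, mac_key, plaintext):
    n = BLOCK - len(plaintext) % BLOCK            # PKCS#7: n bytes of value n
    iv = os.urandom(BLOCK)
    body = iv + cbc(enc_key, iv, plaintext + bytes([n]) * n, False)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, token):
    body, tag = token[:-32], token[-32:]
    good = hmac.new(mac_key, body, hashlib.sha256).digest()
    # MAC first, in constant time: tampered input never reaches the padding check.
    if len(body) < 2 * BLOCK or len(body) % BLOCK or not hmac.compare_digest(tag, good):
        raise DecryptionError("decryption failed")
    padded = cbc(enc_key, body[:BLOCK], body[BLOCK:], True)
    n = padded[-1]
    if not 1 <= n <= BLOCK or padded[-n:] != bytes([n]) * n:
        raise DecryptionError("decryption failed")  # same message as a MAC failure
    return padded[:-n]
```

Separate keys are used for encryption and for the MAC, and a modified ciphertext is rejected at the MAC check, so the response carries no information about the padding.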
Finally, all padding oracle attacks require repeated queries. There can be over 200 requests made to figure out the padding scheme on a single cell, multiplied by the number of units of information being protected in the chain. By restricting the number of requests coming in from the same source, you can shut down padding oracle attacks by denying an attacker access before they can really begin their attempt.
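One way to apply the request restriction described above, as an added example that is not from the original article: a sliding-window throttle that counts failed decryptions per source and refuses further requests once a limit is reached. The class name, the limit of 10 failures per 60 seconds, and the sample events (documentation IP addresses) are all constructed assumptions.

```python
from collections import defaultdict, deque

class DecryptFailureThrottle:
    """Blocks a source once it reaches max_failures within window seconds."""

    def __init__(self, max_failures=10, window=60.0):
        self.max_failures, self.window = max_failures, window
        self.failures = defaultdict(deque)   # source -> timestamps of failures

    def _recent(self, source, now):
        q = self.failures[source]
        while q and now - q[0] > self.window:   # drop failures older than the window
            q.popleft()
        return q

    def allowed(self, source, now):
        return len(self._recent(source, now)) < self.max_failures

    def record_failure(self, source, now):
        self._recent(source, now).append(now)

def replay(events, throttle):
    """events: (timestamp, source, decrypt_ok). Returns the sources that were blocked."""
    blocked = set()
    for ts, src, ok in events:
        if not throttle.allowed(src, ts):
            blocked.add(src)        # request refused before any decryption is attempted
            continue
        if not ok:
            throttle.record_failure(src, ts)
    return blocked

# Constructed sample: one source sending 256 guesses in a burst, one ordinary user.
SAMPLE = [(i * 0.05, "198.51.100.7", i == 200) for i in range(256)]
SAMPLE += [(1.0, "203.0.113.9", True), (30.0, "203.0.113.9", False)]
```

Counting failures rather than all requests keeps ordinary users unaffected; the same counter is also a useful alerting signal, since legitimate clients rarely produce decryption failures.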
Further Study on Padding Oracle
Any method by which an attacker can decrypt sensitive information can become a real nightmare. But, we hope you have learned quite a few good methods for preventing that from happening in the first place.
For further reading, you can take a look at the OWASP definition and checklist on padding oracle. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues’ gallery of other threats, visit the Secure Code Warrior blog.