Coders Conquer Security: Share & Learn Series - Padding Oracle
While Padding Oracle sounds like a really bad name for an alternative rock band, it's actually a vulnerability that can be used by attackers to decrypt information without knowing the encryption key.
In terms of overall difficulty for an attacker, this one is near the top of the scale. We are not talking about a magic decryption button, but instead, a laborious process whereby hackers can examine error messages sent to them regarding cell padding, and use that to determine where encrypted data ends and the padding begins. They can then figure out various bits within the encryption, and possibly crack it given enough time and input to examine.
Thankfully, there are several relatively easy steps that can remove an attacker's ability to use padding oracle to decipher encrypted data. In this episode, we will learn:
- How it works
- Why this vulnerability is so dangerous
- How you can put defenses in place to prevent it.
How Does Padding Oracle Work?
Cipher block chaining (CBC) is a way to create a block cipher where an entire sequence of bits of information, such as cells stored within a database, is encrypted using an encryption key that applies to the entire chain of information. When using CBC, the encryption of a single block of ciphertext will depend on all of the preceding blocks. In theory, this makes the encryption extremely strong, since anything, even the reordering of the blocks, will corrupt the data.
The problem with CBC ciphers (and any block ciphers, for that matter) is that they can only be encrypted using blocks of exact sizes. Normally, this is done in 8 or 16-byte sizes. So what happens when CBC needs to fit 2 bytes of data into a 16-byte ciphertext unit? It will use padding, basically just nonsense characters, to fill in the gaps and make the unit an appropriate size.
Most padding schemes are well known, with PKCS#7 being one of the most popular, so attackers might know what kind of padding is being used. For example, if the CBC needs to pad five characters in a block, PKCS#7 would use the byte value 0x05 repeated five times after the plain text.
Attackers use their knowledge of both CBC and padding schemes to send queries to a host server, also referred to as an oracle. If they have access to the right tools, they may be able to force the server to tell them if the padding in their query is incorrect. Achieving this, they can cycle from zero to 255 for every byte in the cipher until the server tells them that the padding is correct. Then, they move on to the next unit and repeat the process, recording where the padding begins in every case.
This does not let them decrypt the message or even the cell, but could allow them to map every link in the chain in terms of where the plain text ends and the padding begins. They can also potentially use XOR calculations to figure out the value of the last byte of the original plain text.
Why is Padding Oracle so Dangerous?
The reason why a hacker would put so much work into breaking encryption is because of the potential payout. Few people encrypt things that aren't valuable. The danger to the host organization depends on the data being compromised. That could include things like passwords, user accounts, financial information, credit card numbers, patient records, sensitive communications, or any number of highly sought-after and valuable pieces of information.
Using padding oracle could also be the gateway to subsequent attacks. If an attacker can use padding oracle to steal passwords, for example, then elevating their privileges and penetrating deeper into a network is an easy secondary task.
Everyone thinks of encryption as the ultimate defense against snooping or compromise. However, the back-and-forth between encryption science and those that would break it has been going on for centuries. Padding oracle is just one method that gives the edge to attackers.
Giving Padding Oracle Attacks a Hard Landing
Thankfully, there are quite a few ways to prevent padding oracle. One of the best is to use a stronger encryption mode of operation such as Galois/Counter Mode (GCM) or Offset Codebook Mode (OCB). It differs from CBC in that it uses a cipher block size of 128 bits. It also uses a counter for each block of data, then uses that number to create the ciphertext. In other words, it is not susceptible to padding oracle attacks.
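The GCM recommendation above, as an added Go example using only the standard library (it is not code from the original article; `SealGCM`, `OpenGCM` and the record ID are illustrative names). It shows that the message length tracks the plaintext length, so there is no padding to validate, and that every failure is reported as one error.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrDecrypt is the only error OpenGCM ever returns.
var ErrDecrypt = errors.New("decryption failed")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealGCM returns nonce || ciphertext || tag. aad (for example a record ID) is
// authenticated but not encrypted. A nonce must never repeat under the same key.
func SealGCM(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenGCM authenticates and decrypts. A short message, a modified nonce,
// ciphertext or tag, and mismatched aad all produce the same ErrDecrypt.
func OpenGCM(key, msg, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(msg) < gcm.NonceSize()+gcm.Overhead() {
		return nil, ErrDecrypt
	}
	nonce, ct := msg[:gcm.NonceSize()], msg[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, aad)
	if err != nil {
		return nil, ErrDecrypt
	}
	return pt, nil
}

func main() {
	key := bytes.Repeat([]byte{0x33}, 32) // constructed demo key
	for _, n := range []int{2, 16, 17} {
		msg, _ := SealGCM(key, bytes.Repeat([]byte{'A'}, n), []byte("record-42"))
		fmt.Printf("plaintext %2d bytes -> message %d bytes (12 nonce + %d + 16 tag)\n", n, len(msg), n)
	}
}
```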
Implementing good error handling controls can also severely hurt an attacker's chances of success. Since padding oracle attacks rely on information leakage, return generic error messages instead of specific padding errors on encryption/decryption failure.
You can also implement a Message Authentication Code (MAC). MAC values protect the data integrity as well as its authenticity by allowing verifiers to detect any changes to the message content using a secret key.
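The error-handling and MAC advice above, together with the PKCS#7 padding described earlier, as an added Go example (not code from the original article; all function names are illustrative). `LeakyDecrypt` reports padding failures separately, while `Open` checks an HMAC over the IV and ciphertext first and returns one generic error for every failure.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

var ErrBadPadding = errors.New("invalid padding") // leaky path: names the exact failure
var ErrDecrypt = errors.New("decryption failed")  // hardened path: one error for every failure

func mustAES(key []byte) cipher.Block {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only happens with a key that is not 16, 24 or 32 bytes
	}
	return b
}

// encryptCBC returns IV || ciphertext. PKCS#7 appends n bytes of value n (1..16).
func encryptCBC(key, pt []byte) []byte {
	n := aes.BlockSize - len(pt)%aes.BlockSize
	padded := append(append([]byte{}, pt...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, aes.BlockSize+len(padded))
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		panic(err)
	}
	cipher.NewCBCEncrypter(mustAES(key), out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], padded)
	return out
}

// LeakyDecrypt is the vulnerable form: "padding was wrong" is reported
// separately from every other outcome, which is the leak the text describes.
func LeakyDecrypt(key, msg []byte) ([]byte, error) {
	if len(msg) < 2*aes.BlockSize || len(msg)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	pt := make([]byte, len(msg)-aes.BlockSize)
	cipher.NewCBCDecrypter(mustAES(key), msg[:aes.BlockSize]).CryptBlocks(pt, msg[aes.BlockSize:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.HasSuffix(pt, bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrBadPadding
	}
	return pt[:len(pt)-n], nil
}

// tag computes HMAC-SHA256 over IV || ciphertext with a key separate from the encryption key.
func tag(macKey, body []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(body)
	return m.Sum(nil)
}

// Seal is encrypt-then-MAC: the tag is appended to IV || ciphertext.
func Seal(encKey, macKey, pt []byte) []byte {
	body := encryptCBC(encKey, pt)
	return append(body, tag(macKey, body)...)
}

// Open verifies the tag in constant time before any padding is examined; every failure is ErrDecrypt.
func Open(encKey, macKey, msg []byte) ([]byte, error) {
	split := len(msg) - sha256.Size
	if split < 2*aes.BlockSize || !hmac.Equal(tag(macKey, msg[:split]), msg[split:]) {
		return nil, ErrDecrypt
	}
	if pt, err := LeakyDecrypt(encKey, msg[:split]); err == nil {
		return pt, nil
	}
	return nil, ErrDecrypt
}

func main() {
	encKey, macKey := bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 32) // constructed demo keys
	raw, sealed := encryptCBC(encKey, []byte("hello")), Seal(encKey, macKey, []byte("hello"))
	raw[15], sealed[15] = raw[15]^1, sealed[15]^1 // simulate tampering with the last IV byte
	_, leak := LeakyDecrypt(encKey, raw)
	_, fixed := Open(encKey, macKey, sealed)
	fmt.Println("leaky:", leak, "| hardened:", fixed)
}
```

Because the tag is checked before decryption, a modified message never reaches the padding check, so the padding error can no longer be triggered from outside.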
Finally, all padding oracle attacks require repeated queries. There can be over 200 requests made to figure out the padding scheme on a single cell, multiplied by the number of units of information being protected in the chain. By restricting the number of requests coming in from the same source, you can shut down padding oracle attacks by denying an attacker access before they can really begin their attempt.
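One way to restrict repeated failing requests from the same source, as an added Go example (not code from the original article; the type names, thresholds and sample events are constructed for illustration). It counts decryption failures per source in a sliding window and blocks the source well before the hundreds of requests the technique needs.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// FailureLimiter blocks a source (Allowed returns false) for Block after Max
// failed decryptions within Window.
type FailureLimiter struct {
	Max           int
	Window, Block time.Duration
	mu            sync.Mutex
	fails         map[string][]time.Time
	blockedUntil  map[string]time.Time
}

func NewFailureLimiter(max int, window, block time.Duration) *FailureLimiter {
	return &FailureLimiter{Max: max, Window: window, Block: block, fails: map[string][]time.Time{}, blockedUntil: map[string]time.Time{}}
}

func (l *FailureLimiter) Allowed(src string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	return !now.Before(l.blockedUntil[src])
}

// RecordFailure notes one failed decryption and reports whether src is now blocked.
func (l *FailureLimiter) RecordFailure(src string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	recent := l.fails[src][:0]
	for _, t := range l.fails[src] {
		if now.Sub(t) < l.Window { // keep only failures still inside the window
			recent = append(recent, t)
		}
	}
	l.fails[src] = append(recent, now)
	if len(l.fails[src]) < l.Max {
		return false
	}
	l.blockedUntil[src] = now.Add(l.Block)
	return true
}

type Event struct {
	Src string
	At  time.Time
	OK  bool // false when the ciphertext failed to decrypt
}

// Replay runs events through the limiter and counts served and rejected requests per source.
func Replay(l *FailureLimiter, events []Event) (served, rejected map[string]int) {
	served, rejected = map[string]int{}, map[string]int{}
	for _, e := range events {
		if !l.Allowed(e.Src, e.At) {
			rejected[e.Src]++
			continue
		}
		served[e.Src]++
		if !e.OK {
			l.RecordFailure(e.Src, e.At)
		}
	}
	return served, rejected
}

// SampleEvents is constructed data: 300 rapid failures from one source, 5 normal requests from another.
func SampleEvents() []Event {
	t0 := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	var ev []Event
	for i := 0; i < 300; i++ {
		ev = append(ev, Event{"203.0.113.7", t0.Add(time.Duration(i) * 10 * time.Millisecond), false})
	}
	for i := 0; i < 5; i++ {
		ev = append(ev, Event{"198.51.100.4", t0.Add(time.Duration(i) * time.Minute), i != 2})
	}
	return ev
}

func main() {
	served, rejected := Replay(NewFailureLimiter(20, time.Minute, 15*time.Minute), SampleEvents())
	fmt.Println("served:", served, "rejected:", rejected)
}
```

Counting failed decryptions rather than all requests keeps ordinary clients unaffected, and the same counter is a useful alerting signal.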
Further Study on Padding Oracle
Any method by which an attacker can decrypt sensitive information can become a real nightmare. But we hope you have learned quite a few good methods for preventing that from happening in the first place.
For further reading, you can take a look at the OWASP definition and checklist on padding oracle. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues' gallery of other threats, visit the Secure Code Warrior blog.
Think you're up to the task of thwarting padding oracle attacks right now? Try it on the Secure Code Warrior platform.