Padding Oracle Attack
What is Padding Oracle Attack?
A cryptographic attack (Vaudenay 2002) that decrypts CBC ciphertext when a server reveals whether a tampered message has correct PKCS#7 padding.
Serge Vaudenay introduced the padding oracle attack at Eurocrypt 2002 against CBC-mode ciphers using PKCS#5/PKCS#7 padding. If an attacker can submit modified ciphertexts and observe any oracle that distinguishes valid from invalid padding (HTTP 500 vs 200, different timing, distinct error codes), they can decrypt arbitrary ciphertext byte by byte without knowing the key. Real-world examples include ASP.NET's MachineKey oracle (CVE-2010-3332), POODLE (Padding Oracle On Downgraded Legacy Encryption), Lucky 13 and Bleichenbacher's RSA variant. Defences: authenticated encryption (AEAD modes such as AES-GCM and ChaCha20-Poly1305), encrypt-then-MAC with constant-time MAC checks, uniform error responses, and the removal of CBC ciphersuites in TLS 1.3.
● Examples
1. Decrypting ASP.NET ViewState via the MachineKey padding oracle (CVE-2010-3332).
2. POODLE downgrading TLS to SSL 3.0 and exploiting its non-deterministic CBC padding.
● Frequently asked questions
What is Padding Oracle Attack?
A cryptographic attack (Vaudenay 2002) that decrypts CBC ciphertext when a server reveals whether a tampered message has correct PKCS#7 padding. It belongs to the Attacks & Threats category of cybersecurity.
What does Padding Oracle Attack mean?
A cryptographic attack (Vaudenay 2002) that decrypts CBC ciphertext when a server reveals whether a tampered message has correct PKCS#7 padding.
How does Padding Oracle Attack work?
Serge Vaudenay introduced the padding oracle attack at Eurocrypt 2002 against CBC-mode ciphers using PKCS#5/PKCS#7 padding. If an attacker can submit modified ciphertexts and observe any oracle that distinguishes valid from invalid padding (HTTP 500 vs 200, different timing, distinct error codes), they can decrypt arbitrary ciphertext byte by byte without knowing the key. Real-world examples include ASP.NET's MachineKey oracle (CVE-2010-3332), POODLE (Padding Oracle On Downgraded Legacy Encryption), Lucky 13 and Bleichenbacher's RSA variant. Defences: authenticated encryption (AEAD modes such as AES-GCM and ChaCha20-Poly1305), encrypt-then-MAC with constant-time MAC checks, uniform error responses, and the removal of CBC ciphersuites in TLS 1.3.
How do you defend against Padding Oracle Attack?
Defences for Padding Oracle Attack combine technical controls with operational practice. Technically: use authenticated encryption (an AEAD mode such as AES-GCM or ChaCha20-Poly1305), or encrypt-then-MAC with a constant-time MAC check so that integrity is verified before padding is ever examined, and remove CBC ciphersuites, as TLS 1.3 does. Operationally: return a uniform error response, with no difference in status code, message or timing, for every decryption failure, so that padding validity is never observable.
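The leaky pattern and the hardened one side by side, as an added Go example written for this page (it is not code from the glossary or from any of the affected products). `VulnerableCBCDecrypt` is the shape the definition describes: unauthenticated CBC whose padding check fails with its own distinct error, so a caller that surfaces that error as a different status code or timing becomes an oracle. `EtMDecrypt` applies two of the defences listed in the definition and the FAQ answer above: encrypt-then-MAC verified with the constant-time `hmac.Equal` before any padding is touched, and a single uniform `ErrDecrypt` for every failure. Function names, the `iv || ciphertext || tag` layout and the demo keys used in the test are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

// Distinct failure reasons are the leak: a handler that maps them to different
// status codes, messages or timings turns the service into a padding oracle.
var (
	ErrBadPadding = errors.New("invalid PKCS#7 padding") // what the vulnerable path exposes
	ErrDecrypt    = errors.New("decryption failed")      // the hardened path's only error
)

// pkcs7Pad appends PKCS#7 padding to a copy of b.
func pkcs7Pad(b []byte, bs int) []byte {
	n := bs - len(b)%bs
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad strips PKCS#7 padding, rejecting it unless every padding byte matches.
func pkcs7Unpad(b []byte, bs int) ([]byte, error) {
	n := 0
	if len(b) > 0 && len(b)%bs == 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > bs || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrBadPadding
	}
	return b[:len(b)-n], nil
}

// CBCEncrypt returns iv || AES-CBC(pkcs7(pt)) with a random IV and no integrity protection.
func CBCEncrypt(key, pt []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(pt, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(iv, ct...), nil
}

// VulnerableCBCDecrypt decrypts unauthenticated CBC and reports padding failures
// as their own error: exactly the behaviour Vaudenay's attack relies on.
func VulnerableCBCDecrypt(key, msg []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(msg) < 2*aes.BlockSize || len(msg)%aes.BlockSize != 0 {
		return nil, ErrBadPadding
	}
	pt := make([]byte, len(msg)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, msg[:aes.BlockSize]).CryptBlocks(pt, msg[aes.BlockSize:])
	return pkcs7Unpad(pt, aes.BlockSize)
}

// EtMEncrypt is encrypt-then-MAC: the CBC output followed by HMAC-SHA256 over it.
func EtMEncrypt(encKey, macKey, pt []byte) ([]byte, error) {
	c, err := CBCEncrypt(encKey, pt)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, macKey)
	mac.Write(c)
	return append(c, mac.Sum(nil)...), nil
}

// EtMDecrypt verifies the tag in constant time (hmac.Equal) before any padding is
// touched, and collapses every failure into the same ErrDecrypt.
func EtMDecrypt(encKey, macKey, msg []byte) ([]byte, error) {
	if len(msg) <= sha256.Size {
		return nil, ErrDecrypt
	}
	c, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(c)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrDecrypt
	}
	if pt, err := VulnerableCBCDecrypt(encKey, c); err == nil { // c is authentic here
		return pt, nil
	}
	return nil, ErrDecrypt
}
```

The check a practitioner wants is the one the test below performs: flip a byte of the IV in a `CBCEncrypt` message and `VulnerableCBCDecrypt` either accepts the corrupted plaintext silently or returns `ErrBadPadding`, depending on which byte was flipped; the same flips against an `EtMEncrypt` message all produce the identical `ErrDecrypt`. The AEAD alternative the definition lists first is `cipher.NewGCM` from the Go standard library, which removes padding from the design altogether.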
What are other names for Padding Oracle Attack?
Common alternative names include: CBC Padding Oracle.
● Related terms
- Bleichenbacher Attack (attacks № 103): A 1998 adaptive chosen-ciphertext attack by Daniel Bleichenbacher that recovers RSA plaintext when the server leaks whether PKCS#1 v1.5 padding is valid.
- Lucky 13 (attacks № 636): A 2013 TLS timing attack by AlFardan and Paterson that exploits MAC-then-encrypt CBC processing to act as a padding oracle and recover plaintext.
- BEAST Attack (attacks № 089): A 2011 chosen-plaintext attack on SSL 3.0 and TLS 1.0 CBC ciphers (CVE-2011-3389) by Rizzo and Duong that recovers HTTPS cookies via a predictable IV flaw.
- TLS (Transport Layer Security) (network-security № 1159): The IETF-standardized cryptographic protocol that provides confidentiality, integrity, and authentication for traffic between two networked applications.
- Side-Channel Attack (vulnerabilities № 1038): An attack that recovers secrets from a system by observing physical or implementation characteristics — timing, power, electromagnetic emissions, caches, acoustic signals — rather than logical flaws.
● See also
- BREACH Attack (№ 122)
- ROBOT Attack (№ 941)
- SSL/TLS Downgrade Attack (№ 1093)