Padding Oracle Attacks

The Weakness of CBC Mode

Older block-cipher modes like CBC require the data to divide evenly into blocks (16 bytes for AES). If the data isn't perfectly aligned, 'padding' bytes are added to the end to fill the last block.

A padding oracle attack becomes possible when a server responds differently to a ciphertext whose padding is invalid than to one whose padding is valid, whether through a distinct error message or a measurable timing difference. Attackers can submit thousands of subtly modified ciphertexts and use the server's responses to decrypt the message systematically, without ever learning the key.

Execution Mechanics

Imagine sending a 15-byte message encrypted with AES-CBC. Because AES works on 16-byte blocks, the system automatically pads it with a single 0x01 byte (PKCS#7 padding). If a hacker intercepts the ciphertext, alters a byte and resubmits it, the server decrypts the result. If the padding has been damaged, the server throws a 'Padding Exception'; if it is still valid, the server carries on as normal. The hacker uses this YES/NO server response as an 'Oracle' to systematically deduce the plaintext byte by byte.

Everyday Example

Imagine a locked vending machine that drops a candy bar when you put exactly one dollar in. If you put 99 cents in, the machine instantly beeps loudly. If you put a fake dollar in, it takes the dollar, tries to verify it for a few seconds, and then beeps. A thief can figure out exactly what your fake dollar looks like just by listening to when the machine beeps. That's an oracle attack!

The Deep Mathematics

In CBC decryption, each ciphertext block C_i is run through the block cipher and the result is XORed with the previous ciphertext block C_{i-1} (or the IV for the first block) to yield the plaintext block P_i, i.e. P_i = D_K(C_i) XOR C_{i-1}. Because of this XOR, changing a byte of C_{i-1} changes the corresponding byte of P_i in a predictable way. An attacker systematically alters C_{i-1}. If the server returns a padding validation error (e.g. a PKCS#7 error), the attacker knows the alteration did not produce a valid padding byte; if it does not, it did. By trying all 256 possible values for a byte in turn, the attacker recovers the intermediate value D_K(C_i) at that position purely algebraically, without the key, and XORing it with the original C_{i-1} gives the plaintext byte.
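The mechanism described in the two sections above, as an added Go example that is not part of this page or of giovium's software: leakyDecrypt is the vulnerable server that reports a padding failure with its own error (and accepts a tampered IV byte that happens to leave the padding intact), while sealETM/openETM show the encrypt-then-MAC fix, which verifies an HMAC before decrypting so every failure comes back as the same error. Keys, IV and message are constructed test values; a 16-byte AES key and a 16-byte IV are assumed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)
// Leaky server: padding failures get their own error. Hardened server: one error for every failure.
var ErrBadPadding, ErrDecrypt = errors.New("padding exception"), errors.New("decryption failed")
// sealETM: PKCS#7 pad (a 15-byte message gets one 0x01), AES-CBC encrypt, then MAC: iv || ct || HMAC(iv || ct).
func sealETM(encKey, macKey, iv, msg []byte) []byte { // assumes a 16/24/32-byte encKey and 16-byte iv
	pad := aes.BlockSize - len(msg)%aes.BlockSize
	ct := append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(encKey)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, ct)
	body := append(append([]byte{}, iv...), ct...)
	m := hmac.New(sha256.New, macKey)
	m.Write(body)
	return m.Sum(body)
}
// leakyDecrypt is the oracle: broken padding gets ErrBadPadding, intact padding is accepted; ct assumed >= 1 whole block.
func leakyDecrypt(key, iv, ct []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct) // P_i = D_K(C_i) XOR C_(i-1)
	n := int(pt[len(pt)-1])                                // PKCS#7: n in 1..16, last n bytes all equal n
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrBadPadding
	}
	return pt[:len(pt)-n], nil
}
// openETM verifies the tag in constant time before decrypting, so tampered input never reaches the padding check.
func openETM(encKey, macKey, sealed []byte) ([]byte, error) {
	if len(sealed) < 2*aes.BlockSize+sha256.Size {
		return nil, ErrDecrypt
	}
	body, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	m := hmac.New(sha256.New, macKey)
	m.Write(body)
	if !hmac.Equal(m.Sum(nil), tag) {
		return nil, ErrDecrypt
	}
	if pt, err := leakyDecrypt(encKey, body[:aes.BlockSize], body[aes.BlockSize:]); err == nil {
		return pt, nil
	}
	return nil, ErrDecrypt
}
```

Flipping the low bit of the last IV byte turns the 0x01 pad into 0x00, which leakyDecrypt reports as ErrBadPadding while a flip of the first IV byte is accepted with a garbled first character; openETM returns ErrDecrypt for both and for any other modification.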

Discover how giovium protects your data

giovium leverages these very cryptographic principles to keep your passwords, files, and secrets completely safe. Try it for free on any platform.
