
Coders Conquer Security: Share & Learn Series - Padding Oracle
While Padding Oracle sounds like a really bad name for an alternative rock band, it's actually a vulnerability that can be used by attackers to decrypt information without knowing the encryption key.
In terms of overall difficulty for an attacker, this one is near the top of the scale. We are not talking about a magic decryption button, but instead, a laborious process whereby hackers can examine error messages sent to them regarding cell padding, and use that to determine where encrypted data ends and the padding begins. They can then figure out various bits within the encryption, and possibly crack it given enough time and input to examine.
Thankfully, there are several relatively easy steps that can remove an attacker's ability to use padding oracle to decipher encrypted data. In this episode, we will learn:
- How it works
- Why this vulnerability is so dangerous
- How you can put defenses in place to prevent it.
How Does Padding Oracle Work?
Cipher block chaining (CBC) is a block cipher mode of operation in which an entire sequence of data, such as cells stored within a database, is encrypted under one key that applies to the whole chain. When using CBC, the encryption of a single block of ciphertext depends on all of the preceding blocks. In theory, this makes the encryption extremely strong, since any change, even reordering the blocks, will corrupt the decrypted data.
The problem with CBC (and any block cipher mode, for that matter) is that data can only be encrypted in blocks of a fixed size, normally 8 or 16 bytes. So what happens when CBC needs to fit 2 bytes of data into a 16-byte block? It uses padding, basically just filler bytes, to fill the gap and make the unit the right size.
Most padding schemes are well known, with PKCS#7 being one of the most popular, so attackers can often guess what kind of padding is in use. For example, if a block needs five bytes of padding, PKCS#7 appends the byte value 0x05 repeated five times after the plain text.
Attackers use their knowledge of both CBC and padding schemes to send queries to a host server, also referred to as an oracle. If they have access to the right tools, they may be able to force the server to tell them whether the padding in their query is incorrect. With that signal available, they can cycle from zero to 255 for every byte in the cipher until the server tells them that the padding is correct. Then, they move on to the next unit and repeat the process, recording where the padding begins in every case.
This does not let them decrypt the message or even the cell, but could allow them to map every link in the chain in terms of where the plain text ends and the padding begins. They can also potentially use XOR calculations to figure out the value of the last byte of the original plain text.
Why is Padding Oracle so Dangerous?
The reason why a hacker would put so much work into breaking encryption is because of the potential payout. Few people encrypt things that aren't valuable. The danger to the host organization depends on the data being compromised. That could include things like passwords, user accounts, financial information, credit card numbers, patient records, sensitive communications, or any number of highly sought-after and valuable pieces of information.
Using padding oracle could also be the gateway to subsequent attacks. If an attacker can use padding oracle to steal passwords for example, then elevating their privileges and penetrating deeper into a network is an easy secondary task.
Everyone thinks of encryption as the ultimate defense against snooping or compromise. However, the back-and-forth between encryption science and those that would break it has been going on for centuries. Padding oracle is just one method that gives the edge to attackers.
Giving Padding Oracle Attacks a Hard Landing
Thankfully, there are quite a few ways to prevent padding oracle attacks. One of the best is to use a stronger mode of operation such as Galois/Counter Mode (GCM) or Offset Codebook Mode (OCB). GCM differs from CBC in that it uses a cipher block size of 128 bits. It also uses a counter for each block of data, then uses that number to create the ciphertext. In other words, it is not susceptible to padding oracle attacks.
Implementing good error handling can also severely hurt an attacker's chances of success. Since padding oracle attacks rely on information leakage, return a generic error message instead of a specific padding error on any encryption or decryption failure.
You can also implement a Message Authentication Code (MAC). A MAC protects the data's integrity as well as its authenticity, by allowing verifiers to detect any change to the message content using a secret key.
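To make the GCM recommendation concrete, here is an added example (written for this page, not code from the original article or from Secure Code Warrior) using Go's standard-library AES-GCM. The key and nonce are constructed demo values; in real code both come from crypto/rand, and a nonce must never be reused under the same key, which is GCM's one hard requirement. The point to notice is that the sealed output is exactly the plaintext length plus a 16-byte tag, so there is no padding for anyone to probe, and any modification anywhere in the ciphertext fails with the same single error before any plaintext is released.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// One generic error for every failure mode: bad tag, wrong nonce, truncated data.
var ErrOpenFailed = errors.New("decryption failed")

// sealGCM returns ciphertext||tag. The output is exactly len(plaintext)+16 bytes:
// GCM is a counter mode, so nothing is padded and there is no padding to probe.
func sealGCM(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, nil), nil
}

// openGCM verifies the authentication tag before releasing a single plaintext byte,
// so a modified ciphertext is rejected as a whole rather than by its padding.
func openGCM(key, nonce, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, nonce, data, nil)
	if err != nil {
		return nil, ErrOpenFailed
	}
	return pt, nil
}

func main() {
	key := bytes.Repeat([]byte{0x11}, 16)   // constructed demo key; real code uses crypto/rand
	nonce := bytes.Repeat([]byte{0x22}, 12) // 96-bit nonce; must never repeat under the same key
	sealed, err := sealGCM(key, nonce, []byte("card=4111"))
	if err != nil {
		panic(err)
	}
	fmt.Println("sealed length:", len(sealed)) // 25 = 9 plaintext bytes + 16-byte tag
	sealed[3] ^= 0x01                          // a single-bit change anywhere is detected
	_, err = openGCM(key, nonce, sealed)
	fmt.Println("tampered:", err) // decryption failed
}
```

Because the tag covers the whole ciphertext, the server never reaches a state where "padding was wrong" and "padding was right" are distinguishable; the only observable outcome of tampering is the one generic failure.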
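The following added example (not code from the original article or from Secure Code Warrior) ties together the PKCS#7 padding described earlier, the advice on generic error messages, and the MAC recommendation. It uses Go's standard-library AES-CBC and HMAC-SHA256, with constructed demo keys and a fixed IV purely so the output is reproducible; real code draws all three from crypto/rand. `decryptCBCVulnerable` is the shape of code that creates an oracle: it unpads unauthenticated data and returns a different error for a length problem than for a padding problem. `openCBCThenMAC` is the hardened shape: encrypt-then-MAC, the tag checked in constant time before the padding is ever examined, and every failure collapsed into one generic error. The HMAC-SHA256 choice and the encrypt-then-MAC construction are assumptions of this example, not something the article specifies.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Distinct, descriptive errors are exactly the leak a padding oracle feeds on.
var (
	ErrBadLength  = errors.New("ciphertext length is not a multiple of the block size")
	ErrBadPadding = errors.New("invalid PKCS#7 padding")
	ErrDecrypt    = errors.New("decryption failed") // the single generic error of the hardened path
)

// pkcs7Pad appends n copies of the byte n so the result is a whole number of blocks.
func pkcs7Pad(data []byte, blockSize int) []byte {
	n := blockSize - len(data)%blockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad validates strictly: a zero pad byte, a value above blockSize or inconsistent pad bytes are rejected.
func pkcs7Unpad(data []byte, blockSize int) ([]byte, error) {
	if len(data) == 0 || len(data)%blockSize != 0 {
		return nil, ErrBadPadding
	}
	n := int(data[len(data)-1])
	if n == 0 || n > blockSize {
		return nil, ErrBadPadding
	}
	for _, b := range data[len(data)-n:] {
		if int(b) != n {
			return nil, ErrBadPadding
		}
	}
	return data[:len(data)-n], nil
}

// decryptCBCVulnerable decrypts iv||ciphertext, unpads unauthenticated data and reports *why* it failed.
func decryptCBCVulnerable(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, ErrBadLength
	}
	pt := make([]byte, len(data)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, data[:aes.BlockSize]).CryptBlocks(pt, data[aes.BlockSize:])
	return pkcs7Unpad(pt, aes.BlockSize)
}

// sealCBCThenMAC is encrypt-then-MAC: iv||ciphertext followed by HMAC-SHA256 over both.
func sealCBCThenMAC(encKey, macKey, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, aes.BlockSize+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(out)
	return mac.Sum(out), nil
}

// openCBCThenMAC checks the tag in constant time before the padding is examined, and hides every failure reason.
func openCBCThenMAC(encKey, macKey, data []byte) ([]byte, error) {
	if len(data) < sha256.Size {
		return nil, ErrDecrypt
	}
	body, tag := data[:len(data)-sha256.Size], data[len(data)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, ErrDecrypt
	}
	pt, err := decryptCBCVulnerable(encKey, body) // only authentic data ever reaches the unpadder
	if err != nil {
		return nil, ErrDecrypt
	}
	return pt, nil
}

func main() {
	// Constructed demo keys and IV; real code draws all three from crypto/rand.
	encKey, macKey, iv := bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 32), bytes.Repeat([]byte{0x33}, 16)
	sealed, _ := sealCBCThenMAC(encKey, macKey, iv, []byte("card=4111"))
	sealed[15] ^= 0x01 // flipping the last IV byte turns the last pad byte 0x07 into 0x06
	_, vulnErr := decryptCBCVulnerable(encKey, sealed[:len(sealed)-sha256.Size])
	_, safeErr := openCBCThenMAC(encKey, macKey, sealed)
	fmt.Println(vulnErr, "|", safeErr) // invalid PKCS#7 padding | decryption failed
}
```

The tampered message in `main` shows the contrast: the unauthenticated path tells the caller precisely that the padding was malformed, while the authenticated path fails at the tag check and says only "decryption failed", so the padding is never consulted and never reported.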
Finally, all padding oracle attacks require repeated queries. There can be over 200 requests made to figure out the padding scheme on a single cell, multiplied by the number of units of information being protected in the chain. By restricting the number of requests coming in from the same source, you can shut down padding oracle attacks by denying an attacker access before they can really begin their attempt.
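As an added example of the request-limiting defense just described (not code from the original article or from Secure Code Warrior), the Go snippet below counts failed decryptions per source inside a fixed window and refuses further attempts once a source crosses a threshold. Counting failures rather than all requests keeps the limiter targeted: the article notes that a single block can take over 200 attempts, so a threshold of 20 failures per minute stops an attempt well inside its first block while leaving ordinary clients untouched. The threshold, the window and the source addresses are constructed values for the demo; the clock is injectable so the behaviour can be tested deterministically.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// failureLimiter counts failed decryptions per source within a fixed window and
// refuses further attempts from a source once it crosses the threshold.
type failureLimiter struct {
	mu        sync.Mutex
	window    time.Duration
	threshold int
	now       func() time.Time // injectable clock so behaviour is testable
	buckets   map[string]*failureBucket
}

type failureBucket struct {
	start    time.Time
	failures int
}

func newFailureLimiter(window time.Duration, threshold int, now func() time.Time) *failureLimiter {
	return &failureLimiter{window: window, threshold: threshold, now: now, buckets: map[string]*failureBucket{}}
}

// live returns the source's bucket if it is still inside the current window (caller holds mu).
func (l *failureLimiter) live(source string) *failureBucket {
	b := l.buckets[source]
	if b == nil || l.now().Sub(b.start) >= l.window {
		return nil
	}
	return b
}

// allow reports whether the source may submit another ciphertext for decryption.
func (l *failureLimiter) allow(source string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	b := l.live(source)
	return b == nil || b.failures < l.threshold
}

// recordFailure is called after every (generic) decryption failure; it returns true
// exactly when the threshold is reached so the caller can raise an alert once.
func (l *failureLimiter) recordFailure(source string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	b := l.live(source)
	if b == nil {
		b = &failureBucket{start: l.now()}
		l.buckets[source] = b
	}
	b.failures++
	return b.failures == l.threshold
}

// handleFailures feeds a constructed run of failed decryptions from one source through
// the limiter and returns how many attempts were served and how many were refused.
func handleFailures(l *failureLimiter, source string, attempts int) (served, refused int) {
	for i := 0; i < attempts; i++ {
		if !l.allow(source) {
			refused++
			continue
		}
		served++
		if l.recordFailure(source) {
			fmt.Printf("ALERT: %s reached %d decryption failures within %s\n", source, l.threshold, l.window)
		}
	}
	return served, refused
}

func main() {
	clock := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed, controllable clock
	l := newFailureLimiter(time.Minute, 20, func() time.Time { return clock })
	fmt.Println(handleFailures(l, "203.0.113.7", 300)) // 20 280: the attempt dies in its first block
	fmt.Println(handleFailures(l, "203.0.113.8", 5))   // 5 0: other sources are unaffected
}
```

The alert line is the detection hook: a burst of decryption failures from one source is unusual for legitimate traffic and is worth routing to monitoring regardless of whether the limiter also blocks it.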
Further Study on Padding Oracle
Any method by which an attacker can decrypt sensitive information can become a real nightmare. But, we hope you have learned quite a few good methods for preventing that from happening in the first place.
For further reading, you can take a look at the OWASP definition and checklist on padding oracle. You can also put your newfound defensive knowledge to the test with the free demo of the Secure Code Warrior platform, which trains cybersecurity teams to become the ultimate cyber warriors. To learn more about defeating this vulnerability, and a rogues' gallery of other threats, visit the Secure Code Warrior blog.
Think you're up to the task of thwarting padding oracle attacks right now? Try it on the Secure Code Warrior platform:


