0Pricing
Cryptology Academy · Lesson

Padding Oracle Attacks in Detail

Walk through the CBC padding oracle attack and understand why even minor decryption error oracles are catastrophic.

CBC Mode Decryption Structure

In CBC (Cipher Block Chaining) mode, decryption of each block involves decrypting the ciphertext block with the block cipher, then XORing the result with the previous ciphertext block. This XOR operation introduces a critical property: by modifying bits in a ciphertext block, an attacker can predictably affect specific bits in the decrypted plaintext of the following block. This property enables the padding oracle attack.

PKCS#7 Padding Explained

Block ciphers require input in fixed-size blocks. PKCS#7 padding fills the last block: if 3 bytes of padding are needed, add three bytes each with value 0x03. If the block is already full, add a complete padding block where all 16 bytes are 0x10. During decryption, the padding bytes are verified to be consistent (all N bytes have value N) and removed. If the padding is invalid, the decryption should fail.

All lessons in this course

  1. Padding Oracle Attacks in Detail
  2. Replay Attacks and Nonce Reuse Vulnerabilities
  3. Timing Attacks in Application-Level Code
  4. Top Cryptographic Misuse Patterns
← Back to Cryptology Academy