How concerned should I be about a padding oracle attack?
Padding oracle attacks have long been well-known and well-understood. Find out how they work and why using modern encryption protocols can reduce the risks.
What is a padding oracle attack and how can we avoid it? Is it even something we should be worried about?
A padding oracle attack is based on the idea that an attacker can learn information about encrypted data by distinguishing between different kinds of errors. Padding oracles have plagued the security of the Transport Layer Security (TLS) protocol for years, but the encryption modes vulnerable to them are rarely used in modern systems, so the risk is declining.
The basic idea was introduced by cryptographer Serge Vaudenay in 2002. Vaudenay figured out that certain combinations of encryption and authentication are vulnerable if an attacker can distinguish two different types of errors. And it turns out that the cipher block chaining (CBC) encryption mode in TLS is one such problematic combination.
By manipulating encrypted messages in certain ways, an attacker can decrypt the content of an encrypted message. This requires the attacker to get the same message sent over and over again, so that modified copies of it can be submitted and the resulting errors observed. In the case of the web and encrypted HTTPS connections, however, it is possible for an attacker to trigger such connections with JavaScript.
Vaudenay's original attack remained theoretical for TLS. While old TLS implementations emitted different kinds of error messages, those messages were encrypted as well, so the attacker couldn't see them.
However, recently, many variations of Vaudenay's attack have been shown to be feasible. Some use the timing differences of server answers, like the Lucky Thirteen attack. A variant of the padding oracle attack called Poodle -- Padding Oracle On Downgraded Legacy Encryption -- was found in the ancient SSL 3 protocol.
While security teams have known about these attacks for a long time, new variations show up repeatedly. Researchers at the Ruhr-University Bochum reported they found nearly 100 variations of padding oracle attacks in the wild in 2019.
It turns out it is incredibly difficult to implement the TLS CBC mode in a way that makes it safe from these attacks. The TLS community understood that when they designed TLS 1.3, so the latest version of the TLS standard no longer supports these problematic modes. Instead, TLS 1.3 exclusively uses so-called AEAD modes (Authenticated Encryption with Additional Data). These modes combine encryption and authentication in a safer way.
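The difference that creates or removes the oracle sits in the decryptor's check after CBC decryption, not in the cipher itself. The following is an added example, not code from the article or from any TLS library: it assumes the CBC step has already produced `decrypted` in a TLS-style MAC-then-pad layout, uses HMAC-SHA256 and PKCS#7-style padding for simplicity, and places a verifier that reports padding and MAC failures separately beside one that always computes the MAC and returns a single error.

```python
import hashlib
import hmac

MAC_KEY = b"constructed-demo-mac-key"   # constructed; TLS derives the real key per connection
BLOCK, TAG = 16, 32                     # AES block size; HMAC-SHA256 tag size
class PaddingError(Exception): pass     # vulnerable path, error kind 1
class MacError(Exception): pass         # vulnerable path, error kind 2
class DecryptError(Exception): pass     # hardened path, the only error kind

def seal(msg: bytes) -> bytes:
    # MAC-then-pad as in a TLS CBC record; PKCS#7-style padding assumed here
    body = msg + hmac.new(MAC_KEY, msg, hashlib.sha256).digest()
    n = BLOCK - len(body) % BLOCK
    return body + bytes([n]) * n

def _padding_ok(decrypted: bytes) -> bool:
    n = decrypted[-1]
    return 1 <= n <= BLOCK and decrypted[-n:] == bytes([n]) * n

def verify_vulnerable(decrypted: bytes) -> bytes:
    # Padding checked first and each failure reported differently: an oracle.
    if not _padding_ok(decrypted):
        raise PaddingError("bad padding")       # reveals: padding was wrong
    body = decrypted[:-decrypted[-1]]
    msg, tag = body[:-TAG], body[-TAG:]
    if not hmac.compare_digest(hmac.new(MAC_KEY, msg, hashlib.sha256).digest(), tag):
        raise MacError("bad mac")               # reveals: padding was right
    return msg

def verify_hardened(decrypted: bytes) -> bytes:
    # MAC always computed (bad padding treated as zero-length padding, the RFC 5246
    # advice) and every failure collapsed into one error.
    pad_ok = _padding_ok(decrypted)
    body = decrypted[:-decrypted[-1]] if pad_ok else decrypted
    msg, tag = body[:-TAG], body[-TAG:]
    mac_ok = hmac.compare_digest(hmac.new(MAC_KEY, msg, hashlib.sha256).digest(), tag)
    if not (pad_ok and mac_ok):
        raise DecryptError("decryption failed")
    return msg

def outcome(verify, decrypted: bytes) -> str:
    # What an observer can distinguish: success, or which error was raised.
    try:
        verify(decrypted)
        return "ok"
    except (PaddingError, MacError, DecryptError) as exc:
        return type(exc).__name__

GOOD = seal(b"secret cookie")              # constructed records follow
BAD_PAD = GOOD[:-1] + b"\x00"              # 0 is never a valid padding length
BAD_MAC = bytes([GOOD[0] ^ 1]) + GOOD[1:]  # one message bit flipped, padding intact
```

The hardened version covers only the error-uniformity half of the fix; an implementation must also make the processing time independent of the padding outcome, which is the part Lucky Thirteen exploited and part of why TLS 1.3 dropped CBC altogether.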
So while a padding oracle attack remains a possible threat, it's not a concern anymore with modern TLS implementations. Therefore, the best protection is to support modern TLS standards and slowly deprecate old versions and encryption modes.