CAPEC-463

Padding Oracle Crypto Attack
HIGH
Draft
2014-06-23 00:00 +00:00
2022-02-22 00:00 +00:00


Description

An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.

Information

Prerequisites

The decryption routine does not properly authenticate the message / does not verify its integrity prior to performing the decryption operation
The target system leaks data (in some way) on whether a padding error has occurred when attempting to decrypt the ciphertext.
The padding oracle remains available for enough time / for as many requests as needed for the adversary to decrypt the ciphertext.

Resources Required

Ability to detect instances where a target system is vulnerable to a padding oracle attack

Sufficient cryptography knowledge and tools needed to take advantage of the presence of the padding oracle to perform decryption / encryption of data without a key


Mitigations

Design: Use a message authentication code (MAC) or another mechanism to perform verification of message authenticity / integrity prior to decryption
Implementation: Do not leak information back to the user about any cryptographic errors (e.g., padding errors) encountered during decryption.
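The two mitigations above, shown side by side with the routine they replace, as an added example (not code from CAPEC or from the referenced paper). `leaky_decrypt` decrypts first and reports padding failures as a distinct error, which is exactly the oracle the description refers to. `open_sealed` follows the design mitigation (encrypt-then-MAC, tag verified in constant time before any decryption) and the implementation mitigation (every failure, whether bad length, bad tag or bad padding, maps to one generic `DecryptionError`). The block function is an assumption for this example: a key-derived XOR mask that keeps CBC chaining and PKCS#7 padding behaving as they would with AES but is not a cipher; swap in AES for real use. All function and class names are this example's own.

```python
"""Encrypt-then-MAC receiver that cannot act as a padding oracle, beside the
leaky decrypt-then-unpad routine that can (added example; stand-in cipher)."""
import hashlib
import hmac
import os

BLOCK = 16      # CBC block size in bytes
TAG_LEN = 32    # HMAC-SHA256 tag length


class PaddingError(Exception):
    """Distinct error raised by the leaky routine: the oracle's signal."""


class DecryptionError(Exception):
    """Single generic error raised by the hardened routine for every failure."""


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    """Strict PKCS#7 check; raises ValueError on any malformed padding."""
    if not data or len(data) % BLOCK:
        raise ValueError("bad padding")
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _block_mask(key: bytes) -> bytes:
    # STAND-IN for a block cipher (assumption of this example): a fixed
    # key-derived XOR mask. Invertible, so CBC chaining and padding behave as
    # with AES, but it is NOT secure. Replace with AES in real code.
    return hashlib.sha256(b"block-mask" + key).digest()[:BLOCK]


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    mask, prev, out = _block_mask(key), iv, []
    for i in range(0, len(padded), BLOCK):
        c = _xor(_xor(padded[i:i + BLOCK], prev), mask)
        out.append(c)
        prev = c
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    mask, prev, out = _block_mask(key), iv, []
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(_xor(_xor(c, mask), prev))
        prev = c
    return b"".join(out)


def leaky_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    """'Before': no integrity check, and padding failures surface as a distinct
    error, so every call answers "was the padding valid?" (the oracle)."""
    try:
        return pkcs7_unpad(cbc_decrypt(key, iv, ct))
    except ValueError as exc:
        raise PaddingError(str(exc)) from None


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers both the IV and the ciphertext."""
    iv = os.urandom(BLOCK)
    ct = cbc_encrypt(enc_key, iv, pkcs7_pad(plaintext))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def open_sealed(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    """'After': verify the MAC before touching the ciphertext, and map every
    failure (length, tag, padding) to the same exception."""
    if len(msg) < BLOCK + TAG_LEN or (len(msg) - TAG_LEN) % BLOCK:
        raise DecryptionError()
    iv, ct, tag = msg[:BLOCK], msg[BLOCK:-TAG_LEN], msg[-TAG_LEN:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise DecryptionError()                  # rejected before any decryption
    try:
        return pkcs7_unpad(cbc_decrypt(enc_key, iv, ct))
    except ValueError:
        raise DecryptionError() from None        # indistinguishable from a bad tag


def observed(decrypt, *args) -> str:
    """What a remote caller can tell apart: success or the error class name."""
    try:
        decrypt(*args)
        return "ok"
    except Exception as exc:
        return type(exc).__name__


if __name__ == "__main__":
    ek, mk = os.urandom(16), os.urandom(16)
    msg = seal(ek, mk, b"attack at dawn!")        # 15 bytes: one 0x01 pad byte
    iv, ct, tag = msg[:BLOCK], msg[BLOCK:-TAG_LEN], msg[-TAG_LEN:]
    bad_pad_iv = iv[:-1] + bytes([iv[-1] ^ 0x01])   # pad byte becomes 0x00
    bad_body_iv = bytes([iv[0] ^ 0x01]) + iv[1:]    # corrupts text, keeps padding
    for name, tiv in (("pad-flip", bad_pad_iv), ("body-flip", bad_body_iv)):
        print(name, "leaky:", observed(leaky_decrypt, ek, tiv, ct),
              "hardened:", observed(open_sealed, ek, mk, tiv + ct + tag))
```

Running the script shows the difference a caller can measure: the leaky routine answers `PaddingError` for one tampered message and `ok` for the other, while the hardened routine answers `DecryptionError` for both, because the tag check fails before padding is ever examined. Note that `open_sealed` also refuses to distinguish a bad tag from bad padding in the (theoretical) case where a forged tag passes, so there is no second signal to fall back on.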

Related Weaknesses

CWE-ID Weakness Name
CWE-209 Generation of Error Message Containing Sensitive Information
The product generates an error message that includes sensitive information about its environment, users, or associated data.
CWE-514 Covert Channel
A covert channel is a path that can be used to transfer information in a way not intended by the system's designers.
CWE-649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
The product uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the product does not use integrity checks to detect if those inputs have been modified.
CWE-347 Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
CWE-354 Improper Validation of Integrity Check Value
The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.
CWE-696 Incorrect Behavior Order
The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.

References

REF-400

Practical Padding Oracle Attacks
Juliano Rizzo, Thai Duong.
https://www.usenix.org/legacy/events/woot10/tech/full_papers/Rizzo.pdf

Submission

Name Organization Date
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Name Organization Date Comment
CAPEC Content Team The MITRE Corporation 2017-08-04 +00:00 Updated Attack_Prerequisites, Description Summary
CAPEC Content Team The MITRE Corporation 2018-07-31 +00:00 Updated References
CAPEC Content Team The MITRE Corporation 2020-07-30 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2020-12-17 +00:00 Updated Description, Example_Instances, Mitigations
CAPEC Content Team The MITRE Corporation 2022-02-22 +00:00 Updated Description, Extended_Description