CAPEC-463

Padding Oracle Crypto Attack
High
Draft
2014-06-23
00h00 +00:00
2022-02-22
00h00 +00:00
CAPEC Mitre.org
Alerte pour un CAPEC
Stay informed of any changes for a specific CAPEC.
Notifications manage

Descriptions CAPEC

An adversary is able to efficiently decrypt data without knowing the decryption key if a target system leaks data on whether or not a padding error happened while decrypting the ciphertext. A target system that leaks this type of information becomes the padding oracle and an adversary is able to make use of that oracle to efficiently decrypt data without knowing the decryption key by issuing on average 128*b calls to the padding oracle (where b is the number of bytes in the ciphertext block). In addition to performing decryption, an adversary is also able to produce valid ciphertexts (i.e., perform encryption) by using the padding oracle, all without knowing the encryption key.

Informations CAPEC

Prerequisites

The decryption routine does not properly authenticate the message / does not verify its integrity prior to performing the decryption operation
The target system leaks data (in some way) on whether a padding error has occurred when attempting to decrypt the ciphertext.
The padding oracle remains available for enough time / for as many requests as needed for the adversary to decrypt the ciphertext.

Resources Required

Ability to detect instances where a target system is vulnerable to an oracle padding attack

Sufficient cryptography knowledge and tools needed to take advantage of the presence of the padding oracle to perform decryption / encryption of data without a key


Mitigations

Design: Use a message authentication code (MAC) or another mechanism to perform verification of message authenticity / integrity prior to decryption
Implementation: Do not leak information back to the user as to any cryptography (e.g., padding) encountered during decryption.

Related Weaknesses

CWE-ID Weakness Name

CWE-209

 Generation of Error Message Containing Sensitive Information
The product generates an error message that includes sensitive information about its environment, users, or associated data.

CWE-514

 Covert Channel
A covert channel is a path that can be used to transfer information in a way not intended by the system's designers.

CWE-649

 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
The product uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the product does not use integrity checks to detect if those inputs have been modified.

CWE-347

 Improper Verification of Cryptographic Signature
The product does not verify, or incorrectly verifies, the cryptographic signature for data.

CWE-354

 Improper Validation of Integrity Check Value
The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.

CWE-696

 Incorrect Behavior Order
The product performs multiple related behaviors, but the behaviors are performed in the wrong order in ways which may produce resultant weaknesses.

References

REF-400

Practical Padding Oracle Attacks
Juliano Rizzo, Thai Duong.
https://www.usenix.org/legacy/events/woot10/tech/full_papers/Rizzo.pdf

Submission

Name Organization Date Date release
CAPEC Content Team The MITRE Corporation 2014-06-23 +00:00

Modifications

Name Organization Date Comment
CAPEC Content Team The MITRE Corporation 2017-08-04 +00:00 Updated Attack_Prerequisites, Description Summary
CAPEC Content Team The MITRE Corporation 2018-07-31 +00:00 Updated References
CAPEC Content Team The MITRE Corporation 2020-07-30 +00:00 Updated Related_Attack_Patterns
CAPEC Content Team The MITRE Corporation 2020-12-17 +00:00 Updated Description, Example_Instances, Mitigations
CAPEC Content Team The MITRE Corporation 2022-02-22 +00:00 Updated Description, Extended_Description