Padding oracle attack
In cryptography, a padding oracle attack is a side channel attack which is performed on the padding
of a cryptographic message. The plain text message often has to be padded (expanded) to be
compatible with the underlying cryptographic primitive. Leakage of information about the padding may
occur mainly during decryption of the ciphertext. Padding oracle attacks are mostly associated with
ECB or CBC mode decryption used within block ciphers. Padding modes for asymmetric algorithms
such as OAEP may also be vulnerable to padding oracle attacks.
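The leak described above comes from a decryptor that tells the caller, through a distinct error, error code or timing, why padding was rejected. The following added example (not from the article; it assumes PKCS#7 padding over a 16-byte block cipher such as AES-CBC, and all function names are ours) contrasts a naive unpadder that exposes three distinguishable outcomes with one that examines a fixed number of bytes and reports only a single accept/reject result:

```python
import hmac

BLOCK_SIZE = 16  # assumption: PKCS#7 padding over a 16-byte block cipher (e.g. AES in CBC mode)


def pkcs7_pad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Append n bytes of value n (1 <= n <= block_size) so the length is a block multiple."""
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


def pkcs7_unpad_leaky(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Naive unpadder: each failure mode raises a different, descriptive error.
    Any party that can observe which error occurred (message, status code, or how
    quickly the check bailed out) has a padding oracle."""
    if len(data) == 0 or len(data) % block_size != 0:
        raise ValueError("length is not a multiple of the block size")
    n = data[-1]
    if n == 0 or n > block_size:
        raise ValueError("invalid padding length byte")
    if data[-n:] != bytes([n]) * n:  # early exit as soon as one byte mismatches
        raise ValueError("padding bytes do not match")
    return data[:-n]


def leaky_reason(data: bytes, block_size: int = BLOCK_SIZE) -> str:
    """Return the error text the leaky unpadder would expose (or 'ok'): this is
    exactly the signal an attacker would harvest, and exactly what must not reach
    an untrusted peer."""
    try:
        pkcs7_unpad_leaky(data, block_size)
        return "ok"
    except ValueError as exc:
        return str(exc)


def pkcs7_unpad_uniform(data: bytes, block_size: int = BLOCK_SIZE):
    """Unpadder that always inspects the whole final block, folds every check
    into one flag with non-short-circuiting integer operations, and returns a
    single outcome: the plaintext, or None. The caller must map None to the same
    generic failure as a MAC or decryption error so the reason is not recoverable.
    (Python itself is not constant-time; the structure is what to carry over.)"""
    if len(data) == 0 or len(data) % block_size != 0:
        return None
    n = data[-1]
    last = data[-block_size:]
    bad = int(n == 0 or n > block_size)
    for i in range(block_size):
        in_pad = int(i < n)                          # 1 for bytes that belong to the padding
        mismatch = int(last[block_size - 1 - i] != n)
        bad |= in_pad & mismatch                     # no early exit, fixed amount of work
    if bad:
        return None
    return data[:-n]


def tag_matches(expected_tag: bytes, received_tag: bytes) -> bool:
    """Authenticity check to run *before* unpadding (encrypt-then-MAC or an AEAD mode):
    if the tag fails, the padding is never examined and there is nothing to leak."""
    return hmac.compare_digest(expected_tag, received_tag)


if __name__ == "__main__":
    # Constructed sample inputs: one valid padded message and two malformed tails.
    good = pkcs7_pad(b"attack at dawn")
    print(pkcs7_unpad_uniform(good))                  # b'attack at dawn'
    for sample in (b"A" * 15 + b"\x02", b"A" * 15 + b"\x11"):
        print(leaky_reason(sample), "|", pkcs7_unpad_uniform(sample))
```

The point of the contrast is that `leaky_reason` yields different strings for a bad length byte and for bad padding bytes, while `pkcs7_unpad_uniform` collapses both into `None`. Uniform error reporting alone is not sufficient, as the timing variant discussed below shows; the robust fix is to authenticate the ciphertext (`tag_matches`) before any padding is examined.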
Attacks using padding oracles
The original attack was published in 2002 by Serge Vaudenay. In 2010 the attack was applied to
encrypted HTTP cookies in several web application frameworks, including JavaServer Faces, Ruby
on Rails and ASP.NET. In 2012 it was shown to be effective against some hardened security devices.
While these earlier attacks were fixed by most TLS implementors following their public announcement, a
new variant, the Lucky Thirteen attack, published in 2013, used a timing side-channel to re-open the
vulnerability even in implementations that had previously been fixed. As of February 2013, TLS
implementors are still working on developing fixes for their TLS code.