comments (not for humans)
There has been a lot of fuzz about padding oracle attacks lately. ASP.NET was vulnerable and Apache MyFaces too (and other JSF implementations?).

The problem here is that the decryption function is leaking information about the outcome of the encryption. When encrypting a set of data, the encryption function normally requires the data to be divided into blocks of a certain size. The last block is padded to a full block. If during decryption that padding cannot be properly removed (is seen as invalid), many encryption functions throw an exception, and some websites reveal this information to the end user through error pages or error codes.

The algorithm for exploiting these padding oracles, is described in Practical Padding Oracle Attacks (by Juliano Rizzo and Thai Duongy) and Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption (by J. Black and H. Urtubia).

There is a really good explanation of padding, Cipher Block Chaining (CBC) encryption and padding oracles here: Automated Padding Oracle Attacks with PadBuster.

I've done some exploratory coding to see how this works. You'll find the C# code here:
I also have a javascript implementation here: /blog/poet

Comments closed for this post