Score:1

Where exactly do you add the zeroes to a URL in a padding oracle attack? Also, how would you decrypt a file this way?

uz flag

I have been studying various crypto attacks, and one of the attacks that I have recently studied was the padding oracle attack. Now, I mostly understand it, but there is one aspect of the padding oracle attack that different teachers from different sources have confused me about:

Let's say I have a URL:

http://somesite.com/place?ciphertext=aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbccccccccccccccccdddddddddddddddd

(Assume that the ciphertext is in hex, and that 'aa' is one byte, so in total, this ciphertext consists of 32 bytes arranged into two 16 byte blocks. In this example, the first block starts at the first 'aa' and ends with the last 'bb'. Everything after that is the 2nd block of ciphertext.)

Now, I know that to start the padding oracle attack, you would add in a block of 0's as an initialization vector to this ciphertext. However, I have been getting ambiguous and inconsistent signals as to where these 0's would be added.

For example, one source made it seem as if the 0's would be added in as a prefix to the first block of ciphertext, so the above URL would become:

http://somesite.com/place?ciphertext=00000000000000000000000000000000aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbccccccccccccccccdddddddddddddddd

Another source however, made it seem as if the zeroes would replace the first block of ciphertext, so the URL would become:

http://somesite.com/place?ciphertext=00000000000000000000000000000000ccccccccccccccccdddddddddddddddd

Yet, another source made it seem as if you append the zeroes to the end of the ciphertext like so:

http://somesite.com/place?ciphertext=aaaaaaaaaaaaaaaabbbbbbbbbbbbbbbbccccccccccccccccdddddddddddddddd00000000000000000000000000000000

Which is it, or is it optional?

Also, the above method of attempting a padding oracle attack assumes that the ciphertext is present in a URL, but what if you want to decrypt a file such as a cookie or something like that? When attacking through a URL, you can get responses such as status 200 and 500 responses back from the server. However, if it is just a file on your computer that you are trying to decrypt, then what would act as the server? As far as I'm aware, if it is just a file then there is no server to give you any responses back or any "badPaddingException" errors or anything like that. This also means that there is no server that would actually know the intermediary bytes that were used in encryption. How then, would you go about decrypting a file (as opposed to a URL) using the padding oracle attack method?

bk2204 avatar
fr flag
The location of the IV depends on how the ciphertext is serialized. Usually it is just prepended, but sometimes it is serialized differently, or the IV is generated using a key derivation function and can't be controlled at all.
Rikudou avatar
uz flag
@bk2204 Thank you for that reply. Furthermore, do you know how one would go about using a padding oracle attack to decrypt something like a file or a cookie (or something that is not in a URL)? I don't know how exactly one would use this method on a file when a simple file on your computer has no server to send you a response status back.
et flag
@Rikudou for using a padding oracle attack, you need a padding oracle who freely responds to queries about whether a message is correctly padded or not. If you don't have a padding oracle, you can't do a padding oracle attack. In a URL, the webserver which responds to the URL is the padding oracle.
mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.