Padding Oracle Attack
In this lesson module, you'll learn the mechanics of a padding oracle attack. Much more detail about the context of this attack is given in chapter 10 of the textbook.

CBC Malleability

Here's what CBC mode decryption looks like (with 16-bit blocks):
ciphertext =
F-1
What happens when you flip some bits in the first ciphertext block? What is the effect on the resulting plaintext? Try it! (click on ciphertext bits to flip them)

Padding

Let's consider a padding scheme where correctly padded blocks end in either

0001
or
0000
0010
or
0000
0000
0011
or
0000
0000
0000
0100

See if you can flip some bits in this ciphertext so that it decrypts to something with valid padding. Try it:

ciphertext =
valid padding? no
F-1

Look at the bits you had to flip to achieve valid padding (the red bits). What is the relationship between those bits and the bits of the original plaintext?

Attack

Now suppose the only information you can see is whether flipping certain ciphertext bits results in a plaintext with valid padding. Can you use this ability to decrypt the ciphertext? Try it!

When your guess of the plaintext is correct, it will turn green. If you need to "cheat," you can look at the entire result of decryption.

ciphertext =
(show/hide decryption)
F-1
valid padding? no
your plaintext guess:

Suggestions: