In cryptography, a padding oracle attack is an attack that uses the padding validation of a cryptographic message to decrypt the ciphertext. Variable-length plaintext messages often have to be padded (expanded) to be compatible with the underlying cryptographic primitive. The attack relies on having a "padding oracle": a party that freely answers queries about whether a message is correctly padded or not. That information may be given directly (for example, as a distinct error message) or leaked through a side channel such as timing.
The earliest well-known attack that uses a padding oracle is Bleichenbacher's attack of 1998, which attacks RSA with PKCS #1 v1.5 padding.[1] The term "padding oracle" appeared in the literature in 2002,[2] after Serge Vaudenay's attack on the CBC mode decryption used within symmetric block ciphers.[3] Variants of both attacks continue to find success more than a decade after their original publication.[1][4][5]
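The following added example (not from the article or from any cited paper) shows what the "padding validation" in the CBC setting looks like concretely and what distinguishes a leaky check from a non-leaky one. It implements PKCS#7 padding with a 16-byte block size (the AES block size, an assumption for the example) and two unpadders: `pkcs7_unpad_leaky`, which reports *which* rule failed and so behaves as a padding oracle, and `pkcs7_unpad_uniform`, which reports only success or failure and inspects every byte of the last block regardless of where the first mismatch occurs. All function names are hypothetical.

```python
"""PKCS#7 padding (as used with CBC-mode block ciphers) and two validators.
Added illustration, not code from the article; block size is assumed to be 16."""
from typing import Optional

BLOCK_SIZE = 16  # AES block size in bytes (assumption for this example)


def pkcs7_pad(data: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Append n bytes, each of value n, so the length becomes a multiple of
    block_size. A full block of padding is added when data already fits,
    which keeps unpadding unambiguous."""
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


class PaddingError(ValueError):
    """Raised by the leaky validator with a message describing the failure."""


def pkcs7_unpad_leaky(padded: bytes, block_size: int = BLOCK_SIZE) -> bytes:
    """Validation that exposes which rule failed. Each distinguishable
    outcome is information: this function *is* a padding oracle."""
    if len(padded) == 0 or len(padded) % block_size != 0:
        raise PaddingError("length is not a multiple of the block size")
    n = padded[-1]
    if n == 0 or n > block_size:
        raise PaddingError(f"invalid pad length byte {n}")
    if padded[-n:] != bytes([n]) * n:
        raise PaddingError("pad bytes do not all equal the pad length")
    return padded[:-n]


def pkcs7_unpad_uniform(padded: bytes, block_size: int = BLOCK_SIZE) -> Optional[bytes]:
    """Validation that returns only None (failure) or the plaintext, and
    checks every byte of the final block regardless of where the first
    mismatch is, so neither the result nor the work done says which
    check failed. (Bit-level constant-time behaviour in Python is not
    guaranteed; the structure is what matters for the illustration.)"""
    if len(padded) == 0 or len(padded) % block_size != 0:
        return None
    n = padded[-1]
    bad = (n == 0) | (n > block_size)  # fold every check into one flag
    for i in range(1, block_size + 1):
        in_pad = i <= n                      # byte i from the end lies in the pad region
        bad |= in_pad & (padded[-i] != n)    # always evaluated, never short-circuits
    return None if bad else padded[:-n]


if __name__ == "__main__":
    ct_like = pkcs7_pad(b"attack at dawn")
    print(pkcs7_unpad_uniform(ct_like))
    try:
        pkcs7_unpad_leaky(b"x" * 15 + b"\x02")   # constructed malformed block
    except PaddingError as e:
        print("leaky validator said:", e)
    print(pkcs7_unpad_uniform(b"x" * 15 + b"\x02"))
```

Collapsing the error into a single generic failure removes one channel, but the CBC attacks the article refers to can also exploit timing differences between "MAC failed" and "padding failed" paths, so in practice the accepted remedy is an authenticated mode (AEAD, or encrypt-then-MAC) in which padding is never examined on unauthenticated data.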