OT: Padding Oracle Attacks

Tom Ritter tom at ritter.vg
Mon Sep 20 17:25:33 CEST 2010

> I've come across two interesting descriptions of the attack:
> http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/
> https://media.blackhat.com/bh-eu-10/whitepapers/Duong_Rizzo/BlackHat-EU-2010-Duong-Rizzo-Padding-Oracle-wp.pdf

The GDS blog post is the best visual example of how the Padding Oracle
can be used to decrypt data that I've seen.  Thai and Julian's
presentation linked, as well as the recent one at Ekoparty, are
excellent weaponizations.

> Am I right that this is exactly the sort of attack that the MDC in gpg
> is designed to prevent?

I don't know much about the MDC in gpg - I'm curious how it differs
from an HMAC.  If the MDC is checked before decryption is attempted, it
should thwart the attack, because gpg would fail with an error
indicating an incorrect MDC, rather than a message indicating the
padding is incorrect (for the 255 bad padding values) or the MDC is
incorrect (for the 1 good padding value but bad MDC).  This ordering
is vital, and what leads to the ASP.Net encrypted viewstate being
vulnerable.  There is an HMAC on the viewstate, but the HMAC is
checked _after_ the viewstate decryption is attempted.

Colin Percival has a good blog post explaining this concept as well:
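
The check ordering described above, as an added example written for this note (not code from gpg, ASP.Net, PadBuster or anyone the post names): the same CBC-plus-HMAC token is opened once with the padding checked before the MAC and once with the MAC checked first, and every value of one ciphertext byte is tried to count which errors a caller can tell apart. The Feistel cipher, keys and message are constructed stand-ins, and the HMAC stands in for the MDC, whose construction is not modelled; of the 256 byte values, one is the untouched original and simply succeeds.

```python
import hashlib, hmac, os
from collections import Counter

BLOCK = 16  # block size in bytes; a token is iv || ciphertext || 32-byte HMAC-SHA256 tag

def _x(a, b):
    return bytes(i ^ j for i, j in zip(a, b))
def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]
def feistel(key, blk, enc):
    # 4-round Feistel toy block cipher: a constructed stand-in for AES, not for real use
    l, r = blk[:8], blk[8:]
    for i in (range(4) if enc else reversed(range(4))):
        l, r = (r, _x(l, _f(key, i, r))) if enc else (_x(r, _f(key, i, l)), l)
    return l + r
def cbc(key, iv, data, enc):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        cur = feistel(key, _x(blk, prev), True) if enc else _x(feistel(key, blk, False), prev)
        out, prev = out + cur, (cur if enc else blk)
    return out
def unpad(pt):
    n = pt[-1]  # PKCS#7: the last byte gives the pad length and every pad byte equals it
    if not 1 <= n <= BLOCK or pt[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # the distinguishable error a padding oracle leaks
    return pt[:-n]
def seal(enc_key, mac_key, msg):
    iv, n = os.urandom(BLOCK), BLOCK - len(msg) % BLOCK  # PKCS#7 pad, then MAC over iv||ct
    body = iv + cbc(enc_key, iv, msg + bytes([n]) * n, True)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()
def open_token(enc_key, mac_key, tok, mac_first):
    body, tag = tok[:-32], tok[-32:]
    mac_ok = hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag)
    if mac_first and not mac_ok:  # safe ordering: reject tampering before decrypting anything
        raise ValueError("bad mac")
    msg = unpad(cbc(enc_key, body[:BLOCK], body[BLOCK:], False))  # may raise "bad padding"
    if not mac_ok:  # vulnerable ordering (the viewstate case): MAC checked only after unpadding
        raise ValueError("bad mac")
    return msg

def observable_errors(enc_key, mac_key, tok, mac_first):
    # Set one ciphertext byte to each of its 256 values and count the errors a caller can see
    pos, seen = len(tok) - 32 - BLOCK - 1, Counter()  # last byte of the second-to-last block
    for x in range(256):
        try:
            open_token(enc_key, mac_key, tok[:pos] + bytes([x]) + tok[pos + 1:], mac_first)
        except ValueError as e:
            seen[str(e)] += 1
    return dict(seen)
```

With the MAC checked first every tampered token fails the same way, so the receiver's error tells the caller nothing about the padding.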
