OT: Padding Oracle Attacks

Nicholas Cole nicholas.cole at gmail.com
Mon Sep 20 23:13:04 CEST 2010

On Mon, Sep 20, 2010 at 4:25 PM, Tom Ritter <tom at ritter.vg> wrote:
>> I've come across two interesting descriptions of the attack:
>> http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/
>> https://media.blackhat.com/bh-eu-10/whitepapers/Duong_Rizzo/BlackHat-EU-2010-Duong-Rizzo-Padding-Oracle-wp.pdf
> The GDS blog post is the best visual example of how the Padding Oracle
> can be used to decrypt data that I've seen.  Thai and Julian's
> presentation linked, as well as the recent one at Ekoparty, are
> excellent weaponizations.
>> Am I right that this is exactly the sort of attack that the MDC in gpg
>> is designed to prevent?
> I don't know much about the MDC in gpg - I'm curious how it differs
> from a HMAC.  If the MDC is checked before decryption is attempted, it
> should thwart the attack, because gpg would fail with an error
> indicating an incorrect MDC, rather than a message indicating the
> padding is incorrect (for the 255 bad padding values) or the MDC is
> incorrect (for the 1 good padding value but bad MDC).  This ordering
> is vital, and what leads to the ASP.Net encrypted viewstate being
> vulnerable.  There is an HMAC on the viewstate, but the HMAC is
> checked _after_ the viewstate decryption is attempted.
> Colin Percival has a good blog post explaining this concept as well:
> http://www.daemonology.net/blog/2009-06-24-encrypt-then-mac.html

The workings of the MDC are set out here:

http://tools.ietf.org/html/rfc4880   (see section 5.13).

It isn't clear to me after reading that whether this kind of attack would
be thwarted by the MDC or not.
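The ordering point Tom makes above (a padding error being distinguishable from a MAC error lets an attacker use the server as a decryption oracle) can be shown end to end. The following is an added example and is not code from this thread, from GnuPG, or from the ASP.NET implementation discussed. It assumes a constructed message format of IV || CBC ciphertext || HMAC-SHA256 tag, random per-run keys, and a small Feistel block cipher built from HMAC so the script needs only the Python standard library; the padding oracle attack does not depend on which block cipher CBC wraps, so the toy cipher stands in for AES without changing the attack. The hypothetical Server class accepts a flag for whether the MAC is verified before or after decryption, which is exactly the difference Tom describes.

```python
import hashlib
import hmac
import os

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


# Toy 4-round Feistel block cipher with HMAC-SHA256 as the round function.
# Assumption: a stand-in for AES so the example runs offline on stdlib only.
def _round(key, half, i):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, xor(l, _round(key, r, i))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _round(key, l, i)), l
    return l + r


# PKCS#7 padding; unpad raises the distinct error the attacker listens for.
def pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if n < 1 or n > BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, xor(prev, pt[i:i + BLOCK]))
        out += prev
    return out


def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += xor(block_decrypt(key, blk), prev)
        prev = blk
    return out


class Server:
    """Hypothetical receiver. check_mac_first=False mirrors the viewstate ordering
    described in the thread: decrypt and unpad, then check the HMAC."""

    def __init__(self, check_mac_first):
        self.k_enc, self.k_mac = os.urandom(16), os.urandom(16)
        self.check_mac_first = check_mac_first

    def seal(self, pt):
        iv = os.urandom(BLOCK)
        ct = cbc_encrypt(self.k_enc, iv, pad(pt))
        return iv + ct + hmac.new(self.k_mac, iv + ct, hashlib.sha256).digest()

    def open(self, msg):
        body, tag = msg[:-32], msg[-32:]
        good = hmac.compare_digest(tag, hmac.new(self.k_mac, body, hashlib.sha256).digest())
        if self.check_mac_first and not good:
            raise ValueError("bad mac")  # one error for every tampered message
        pt = unpad(cbc_decrypt(self.k_enc, body[:BLOCK], body[BLOCK:]))  # may raise "bad padding"
        if not good:
            raise ValueError("bad mac")  # only reached once the padding was valid
        return pt


def oracle(server, prev, target):
    """True unless the server reports a padding error; the tag is junk on purpose."""
    try:
        server.open(prev + target + bytes(32))
    except ValueError as e:
        return str(e) != "bad padding"
    return True


def attack_block(server, prev, target):
    """Recover one plaintext block byte by byte from the padding oracle."""
    inter = bytearray(BLOCK)  # block_decrypt(k_enc, target), filled from the right
    for pos in range(BLOCK - 1, -1, -1):
        padv = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ padv  # already-known bytes forced to the pad value
        hits = []
        for guess in range(256):
            forged[pos] = guess
            if not oracle(server, bytes(forged), target):
                continue
            if pos == BLOCK - 1:  # a hit may be 0x02 0x02 rather than 0x01: flip byte 14 to confirm
                probe = bytearray(forged)
                probe[pos - 1] ^= 0xFF
                if not oracle(server, bytes(probe), target):
                    continue
            hits.append(guess)
        if len(hits) != 1:
            return None  # oracle leaks nothing (every query gives the same error): give up
        inter[pos] = hits[0] ^ padv
    return xor(bytes(inter), prev)


def attack(server, msg):
    body = msg[:-32]
    blocks = [body[i:i + BLOCK] for i in range(0, len(body), BLOCK)]
    out = b""
    for prev, target in zip(blocks, blocks[1:]):
        blk = attack_block(server, prev, target)
        if blk is None:
            return None
        out += blk
    return unpad(out)


SECRET = b"viewstate: role=admin; user=tom"  # constructed sample plaintext


def run(check_mac_first):
    server = Server(check_mac_first)
    return attack(server, server.seal(SECRET))


if __name__ == "__main__":
    print("MAC checked after decryption:", run(False))
    print("MAC checked before decryption:", run(True))
```

Against the decrypt-then-MAC server the attacker never needs the key: 256 queries per byte, each answered with either "bad padding" or "bad mac", are enough to recover the whole plaintext. Against the MAC-first server every forged message gets the same "bad mac" answer, the hit list is all 256 guesses at the first position, and the attack gives up. The constant-time tag comparison matters for the same reason: a byte-at-a-time comparison would turn the MAC check itself into a different side channel.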


More information about the Gnupg-devel mailing list