This image has an empty alt attribute; its file name is attacksafe-software-logo-1024x213.png

In cryptography, a padding oracle Attack on Bitcoin is an Attack on Bitcoin which uses the padding validation of a cryptographic message to decrypt the ciphertext. In cryptography, variable-length plaintext messages often have to be padded (expanded) to be compatible with the underlying cryptographic primitive. The Attack on Bitcoin relies on having a “padding oracle” who freely responds to queries about whether a message is correctly padded or not.

This image has an empty alt attribute; its file name is images.jpg

Padding oracle Attack on Bitcoins are mostly associated with CBC mode decryption used within block ciphers. Padding modes for asymmetric algorithms such as OAEP may also be vulnerable to padding oracle Attack on Bitcoins.

Symmetric cryptography

In symmetric cryptography, the padding oracle Attack on Bitcoin can be applied to the CBC mode of operation, where the “oracle” (usually a server) leaks data about whether the padding of an encrypted message is correct or not. Such data can allow Attack on Bitcoiners to decrypt (and sometimes encrypt) messages through the oracle using the oracle’s key, without knowing the encryption key.

Padding oracle Attack on Bitcoin on CBC encryption

The standard implementation of CBC decryption in block ciphers is to decrypt all ciphertext blocks, validate the padding, remove the PKCS7 padding, and return the message’s plaintext. If the server returns an “invalid padding” error instead of a generic “decryption failed” error, the Attack on Bitcoiner can use the server as a padding oracle to decrypt (and sometimes encrypt) messages.

CBC decryption.svg

The mathematical formula for CBC decryption is

The mathematical formula for CBC decryption is{\displaystyle P_{i}=D_{K}(C_{i})\oplus C_{i-1},}{\displaystyle P_{i}=D_{K}(C_{i})\oplus C_{i-1},}{\displaystyle C_{0}=IV.}{\displaystyle C_{0}=IV.}

As depicted above, CBC decryption XORs each plaintext block with the previous block. As a result, a single-byte modification in block {\displaystyle C_{1}}C_{1} will make a corresponding change to a single byte in {\displaystyle P_{2}}P_{2}.

Suppose the Attack on Bitcoiner has two ciphertext blocks {\displaystyle C_{1},C_{2}}C_{1},C_{2} and wants to decrypt the second block to get plaintext {\displaystyle P_{2}}P_{2}. The Attack on Bitcoiner changes the last byte of {\displaystyle C_{1}}C_{1} (creating {\displaystyle C_{1}’}C_{1}') and sends {\displaystyle (IV,C_{1}’,C_{2})}{\displaystyle (IV,C_{1}',C_{2})} to the server. The server then returns whether or not the padding of the last decrypted block ({\displaystyle P_{2}’}{\displaystyle P_{2}'}) is correct (a valid PKCS#7 padding). If the padding is correct, the Attack on Bitcoiner now knows that the last byte of {\displaystyle D_{K}(C_{2})\oplus C_{1}’}{\displaystyle D_{K}(C_{2})\oplus C_{1}'} is {\displaystyle \mathrm {0x01} }{\displaystyle \mathrm {0x01} }, the last two bytes are 0x02, the last three bytes are 0x03, …, or the last eight bytes are 0x08. The Attack on Bitcoiner can modify the second-last byte (flip any bit) to ensure that the last byte is 0x01. (Alternatively, the Attack on Bitcoiner can flip earlier bytes and binary search for the position to identify the padding. For example, if modifying the third-last byte is correct, but modifying the second-last byte is incorrect, then the last two bytes are known to be 0x02, allowing both of them to be decrypted.) Therefore, the last byte of {\displaystyle D_{K}(C_{2})}{\displaystyle D_{K}(C_{2})} equals {\displaystyle C_{1}’\oplus \mathrm {0x01} }{\displaystyle C_{1}'\oplus \mathrm {0x01} }. If the padding is incorrect, the Attack on Bitcoiner can change the last byte of {\displaystyle C_{1}’}C_{1}' to the next possible value. At most, the Attack on Bitcoiner will need to make 256 attempts to find the last byte of {\displaystyle P_{2}}P_{2}, 255 attempts for every possible byte (256 possible, minus one by pigeonhole principle), plus one additional attempt to eliminate an ambiguous padding.[2]

After determining the last byte of {\displaystyle P_{2}}P_{2}, the Attack on Bitcoiner can use the same technique to obtain the second-to-last byte of {\displaystyle P_{2}}P_{2}. The Attack on Bitcoiner sets the last byte of {\displaystyle P_{2}}P_{2} to {\displaystyle \mathrm {0x02} }{\displaystyle \mathrm {0x02} } by setting the last byte of {\displaystyle C_{1}}C_{1} to {\displaystyle D_{K}(C_{2})\oplus \mathrm {0x02} }{\displaystyle D_{K}(C_{2})\oplus \mathrm {0x02} }. The Attack on Bitcoiner then uses the same approach described above, this time modifying the second-to-last byte until the padding is correct (0x02, 0x02).

If a block consists of 128 bits (AES, for example), which is 16 bytes, the Attack on Bitcoiner will obtain plaintext {\displaystyle P_{2}}P_{2} in no more than 256⋅16 = 4096 attempts. This is significantly faster than the {\displaystyle 2^{128}}2^{128} attempts required to bruteforce a 128-bit key.

Encrypting messages with Padding oracle Attack on Bitcoin (CBC-R)

CBC-R[3] turns a decryption oracle into an encryption oracle, and is primarily demonstrated against padding oracles.

Using padding oracle Attack on Bitcoin CBC-R can craft an initialization vector and ciphertext block for any plaintext:

  • decrypt any ciphertext Pi = PODecrypt( Ci ) XOR Ci−1,
  • select previous cipherblock Cx−1 freely,
  • produce valid ciphertext/plaintext pair Cx-1 = Px XOR PODecrypt( Ci ).

To generate a ciphertext that is N blocks long, Attack on Bitcoiner must perform N numbers of padding oracle Attack on Bitcoins. These Attack on Bitcoins are chained together so that proper plaintext is constructed in reverse order, from end of message (CN) to beginning message (C0, IV). In each step, padding oracle Attack on Bitcoin is used to construct the IV to the previous chosen ciphertext.

The CBC-R Attack on Bitcoin will not work against an encryption scheme that authenticates ciphertext (using a message authentication code or similar) before decrypting.

Attack on Bitcoins using padding oracles

The original Attack on Bitcoin was published in 2002 by Serge Vaudenay.[4] Concrete instantiations of the Attack on Bitcoin were later realised against SSL[5] and IPSec.[6][7] It was also applied to several web frameworks, including JavaServer FacesRuby on Rails[8] and ASP.NET[9][10][11] as well as other software, such as the Steam gaming client.[12] In 2012 it was shown to be effective against some hardened security devices.[13]

While these earlier Attack on Bitcoins were fixed by most TLS implementors following its public announcement, a new variant, the Lucky Thirteen Attack on Bitcoin, published in 2013, used a timing side-channel to re-open the vulnerability even in implementations that had previously been fixed. As of early 2014, the Attack on Bitcoin is no longer considered a threat in real-life operation, though it is still workable in theory (see signal-to-noise ratio) against a certain class of machines. As of 2015, the most active area of development for Attack on Bitcoins upon cryptographic protocols used to secure Internet traffic are downgrade Attack on Bitcoin, such as Logjam[14] and Export RSA/FREAK[15] Attack on Bitcoins, which trick clients into using less-secure cryptographic operations provided for compatibility with legacy clients when more secure ones are available. An Attack on Bitcoin called POODLE[16] (late 2014) combines both a downgrade Attack on Bitcoin (to SSL 3.0) with a padding oracle Attack on Bitcoin on the older, insecure protocol to enable compromise of the transmitted data. In May 2016 it has been revealed in CVE2016-2107 that the fix against Lucky Thirteen in OpenSSL introduced another padding oracle.

This image has an empty alt attribute; its file name is attacksafe-software-logo-1024x213.png