Padding Oracle — crypto-lab

CBC Mode and PKCS#7 Padding

AES-CBC decrypts each block as P[i] = AES⁻¹(C[i]) ⊕ C[i−1]. The last block must end with valid PKCS#7 padding. An implementation that tells you whether padding is valid — even just via an error code — is a padding oracle.

CBC Decryption Flow

The padding check at the end is the oracle. An HTTP 200 vs 500, a TLS alert code, or even a measurable timing difference — all are sufficient to mount the full attack.

PKCS#7 Padding Rules

If n bytes of padding are needed, all n bytes must equal n. A full block of padding (n = 16) is always appended if plaintext fits exactly.

Valid Padding

Invalid Padding

The Oracle

HTTP HTTP 200 = Valid HTTP 500 = Invalid

TLS Handshake Alert = Valid Bad Record MAC = Invalid

Timing Faster response = Valid Slower response = Invalid

The oracle need not be explicit. Any distinguishable behavior (response time, error message content, error code) leaks one bit per query. That one bit, iterated, decrypts everything.

← Back to basics? crypto-lab-aes-modes CBC panel

Single Byte Recovery — The Core Attack

The padding oracle attack recovers one plaintext byte at a time. Starting with the last byte: probe all 256 values of C[n−1][15] until the oracle returns "valid 0x01 padding". Then: I[15] = probe ⊕ 0x01 and P[15] = I[15] ⊕ C[n−1][15].

Modify last byte of C[n−1] — try all 256 values (0x00–0xFF)

Submit modified (C[n−1]′, C[n]) to the oracle

Find the value that produces valid 0x01 padding: AES⁻¹(C[n]) ⊕ C[n−1]′ = 0x01

XOR with 0x01 to recover intermediate: I[15] = probe ⊕ 0x01

XOR I[15] with original C[n−1][15] to recover: P[15] = I[15] ⊕ C[n−1][15]

Live Attack

Plaintext to encrypt: Any text — will be AES-CBC encrypted with a random key.

Animation speed:

Click "Encrypt" to begin.

IV:

Ciphertext:

Byte Recovery Grid

Unknown Probing Intermediate found Recovered

Oracle queries: 0

Full Block Recovery

Extend single-byte recovery across all 16 bytes. For byte at position j (counting from right), set up padding 0x(16−j) by fixing up already-recovered bytes: C[n−1]′[k] = I[k] ⊕ padByte for all known k > j. Total: ~O(256 × 16) = 4096 oracle calls per block (worst case).

Live Block Recovery

Plaintext: "Attack at dawn!!" (exactly 16 bytes — one block). The full block will be recovered byte-by-byte.

Animation speed:

Click "Encrypt Target Block" to start.

Plaintext Bytes (P[n])

Intermediate (I = AES⁻¹(C[n]))

Oracle queries: 0

XOR: Intermediate ⊕ C[n−1] = Plaintext

Defenses and Why AEAD Wins

There are several ways to stop the padding oracle attack. Only AEAD eliminates the attack class entirely — the others reduce risk but require careful implementation.

Defense 1: Encrypt-then-MAC

Compute a MAC over the ciphertext (not the plaintext). Verify the MAC before attempting decryption. If the MAC is invalid, reject immediately — no decryption, no padding, no oracle.

Requires: Constant-time MAC comparison. Timing differences in comparison can still leak information.

Encrypt (CBC) MAC(ciphertext) Verify MAC first Then decrypt

Defense 2: Constant-Time Padding Validation

Process all padding bytes in constant time, regardless of where the first invalid byte is found. Return a single valid/invalid result only after examining the entire block.

Limitation: Eliminates timing oracle but not error-response oracles. If the system still returns different error codes, the oracle remains. Lucky Thirteen shows that even microsecond differences matter.

Defense 3: Use AEAD — The Definitive Fix Recommended

AEAD (Authenticated Encryption with Associated Data) integrates encryption and authentication into a single primitive. AES-GCM and ChaCha20-Poly1305 check the authentication tag before any decryption. No padding is used (stream mode). No oracle is possible because no information is revealed on failure.

Check auth tag (first!) Reject if invalid Decrypt (only if valid)

AES-GCM Live Demo: Tampering Rejected

Encrypt a message with AES-256-GCM (WebCrypto). Then tamper with the ciphertext and watch authentication fail immediately — with no plaintext revealed.

Why This Matters in 2026+

CBC is still in the wild. Legacy systems — payment processors, medical record systems, enterprise VPNs, and embedded devices — continue to use AES-CBC. Understanding the padding oracle attack is essential for:

Penetration testers auditing legacy protocol implementations
Developers evaluating whether to migrate away from CBC
Security architects designing cryptographically sound systems
Anyone in a role where "we've always done it this way" is the threat model

The fix is always the same: use AEAD.

Decision Guide: CBC+MAC vs AEAD

Scenario	CBC + Encrypt-then-MAC	AEAD (AES-GCM / ChaCha20-Poly1305)
New system design	Not recommended	✓ Use AEAD
Legacy protocol migration	Interim only — constant-time MAC required	✓ Target state
Constrained environment (no GCM hw)	Acceptable with care	✓ ChaCha20-Poly1305
TLS / network protocol	Never (Lucky Thirteen / POODLE)	✓ TLS 1.3 mandates AEAD

Padding Oracle CBC Chosen-Ciphertext Attack — Full Walkthrough