Albon Wu

The padding oracle attack, step by step

March 22, 2025

A major con of CBC is the so-called padding oracle attack.

Padding is often performed with PKCS#7 padding. If the end of your message requires $b$ bytes to fill the last block, PKCS#7 will append $b$ bytes of value $b$ to make everything whole.

This means that the receiver of a ciphertext coming from a CBC mode can throw an "invalid padding" error if it looks at the ciphertext's last byte $b$ and sees some byte in the last $b$ that doesn't also equal $b$ .

The padding oracle attack exploits malleability: the ability of an attacker to modify the ciphertext to a cryptosystem in a way that meaningfully changes the decrypted plaintext. CBC is malleable because changing $c_{i - 1}$ changes $m_i = F_k^{-1}(c_i)\oplus c_{i - 1}$ .

As a result, a receiver that throws an invalid padding error (serves as a "padding oracle") in a CBC is prone to the padding oracle attack as follows:

Step 1: Recover the length of the padding.

Let $c = c_1\Vert c_2\Vert\cdots\Vert c_l$ . Change the first byte of $c_{l - 1}$ , which changes the first byte of $m_l$ , and send the modified $c$ to the oracle $\mathcal{O}$ .

If an error occurs, we know we changed a byte (the first in the last block) that was part of the padding. We conclude that $m_l$ consists entirely of padding. If no error occurs, the padding stayed intact despite our change, so change the next byte until we get an error. Once that happens, we know we have modified (hence, found) the first byte of padding.

Denote the distance of this byte to the end of the message by $b$ .

Part 2: Recover the last block.

We know the last $b$ bytes have value $b$ ; we'll try to guess the last character before the padding. Pick a "trial byte" $t'$ , a value used to determine the plaintext byte $t$ through oracle feedback. Let's query $\mathcal{O}$ on $c$ , replacing $c_{l - 1}$ with $c_{l - 1}'$ , where

c_{l - 1}' = c_{l - 1}\oplus (00\ldots 0t'\tilde{b}\tilde{b}\ldots\tilde{b})\qquad \tilde{b} = b\oplus (b + 1).

So we replace the last non-padding byte with our guess $t'$ and each padding byte with $b\oplus (b + 1)$ .

Why? Decrypting the modified $c$ gives

m_l'\coloneqq m_l\oplus (00\ldots 0t'\tilde{b}\tilde{b}\ldots\tilde{b}) = F_k^{-1}(c_i)\oplus c_{l - 1}'.

Recall that the last $b$ bytes of $m_l$ are $b$ . They evaluate to $b\oplus b\oplus (b + 1) = b + 1$ by definition of $\tilde{b}$ . Every other byte of $m_l$ , except the last non-padding byte (call it $t$ ), remains the same. That one becomes $t\oplus t'$ .

Now recall the PKCS#7 invariant: the last byte's value is the number of suffix bytes with that value. So if $m_l'$ has valid padding, its last $b + 1$ bytes must be $b + 1$ , including $t\oplus t'$ . Therefore, we can validate our guess $t'$ based on whether $\mathcal{O}$ gives a padding error. If it doesn't, then

t\oplus t' = b + 1\Rightarrow t = (b + 1)\oplus t'.

So we recover $t$ . Of course, this strategy is not specific to $b + 1$ . We continue with $b + 2, b + 3, \ldots$ , which gives us the bytes before $t$ and, therefore, the rest of block $l$ .

Part 3: Recover the rest of the blocks.

Recall that $b$ is at most the length of one block. To recover block $l - 1$ , then, drop the last ciphertext block and change the last byte of $c_{l - 1}$ until there is no padding error.

Now that our ciphertext properly decrypts, repeat Part 1 to find the new padding of $m_{l - 1}$ , and repeat Part 2 to recover its bytes.

Repeat this until every block of the ciphertext is recovered.