Is every block padded with AES?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
1
down vote

favorite












I am looking at a tutorial on the Oracle Padding Attack, and I wondered, how do you find the rest of the blocks(not the last one), if there's only padding on 1 block?



Am I not understanding padding correctly?










share|improve this question







New contributor




Guy Sudai is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.























    up vote
    1
    down vote

    favorite












    I am looking at a tutorial on the Oracle Padding Attack, and I wondered, how do you find the rest of the blocks(not the last one), if there's only padding on 1 block?



    Am I not understanding padding correctly?










    share|improve this question







    New contributor




    Guy Sudai is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
    Check out our Code of Conduct.





















      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      I am looking at a tutorial on the Oracle Padding Attack, and I wondered, how do you find the rest of the blocks(not the last one), if there's only padding on 1 block?



      Am I not understanding padding correctly?










      share|improve this question







      New contributor




      Guy Sudai is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      I am looking at a tutorial on the Oracle Padding Attack, and I wondered, how do you find the rest of the blocks(not the last one), if there's only padding on 1 block?



      Am I not understanding padding correctly?







      padding-oracle






      share|improve this question







      New contributor




      Guy Sudai is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.











      share|improve this question







      New contributor




      Guy Sudai is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      share|improve this question




      share|improve this question






      New contributor




      Guy Sudai is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.









      asked 4 hours ago









      Guy Sudai

      83




      83




      New contributor




      Guy Sudai is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.





      New contributor





      Guy Sudai is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.






      Guy Sudai is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
      Check out our Code of Conduct.




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          3
          down vote



          accepted











          Am I not understanding padding correctly?




          You're not understanding the padding attack correctly.



          Yes, only the last block is (typically) padded in CBC mode, however that doesn't mean that we can only attack the last block; what that means is that we can only use the last block.



          In CBC-mode, the decryption of the block $i$ is computed as $P_i = D_k( C_i ) oplus C_i-1$, where $D_k$ is the decryption using the unknown (to the attacker) key $k$. Now, the attacker can see $C_i, C_i-1$, and so if he can deduce the value $D_k( C_i )$, he then has found the value of the plaintext block $P_i$.



          So, what the attacker does is construct ciphertexts where the $C_i$ appears as the last ciphertext block $C'_n$, and he tries various values for the next-to-last block [1] $C'_n-1$; he submits those ciphertexts, and sees if, after decryption, the had valid padding.



          Whether they do (mostly) depends on the last decrypted plaintext block, which is $P'_n = D_k( C'_n ) oplus C'_n-1$; by trying various values of $C'_n-1$, he can deduce the value $D_k( C'_n )$.



          Hence, this padding oracle attack can be used to decrypt any block, not only the last.




          [1] The penultimate block, if you (like me) prefer to use the term 'penultimate' correctly...






          share|improve this answer




















          • Thanks for the good explanation!
            – Guy Sudai
            43 mins ago










          Your Answer




          StackExchange.ifUsing("editor", function ()
          return StackExchange.using("mathjaxEditing", function ()
          StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
          StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
          );
          );
          , "mathjax-editing");

          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "281"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: false,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          noCode: true, onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );






          Guy Sudai is a new contributor. Be nice, and check out our Code of Conduct.









           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f62756%2fis-every-block-padded-with-aes%23new-answer', 'question_page');

          );

          Post as a guest






























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          3
          down vote



          accepted











          Am I not understanding padding correctly?




          You're not understanding the padding attack correctly.



          Yes, only the last block is (typically) padded in CBC mode, however that doesn't mean that we can only attack the last block; what that means is that we can only use the last block.



          In CBC-mode, the decryption of the block $i$ is computed as $P_i = D_k( C_i ) oplus C_i-1$, where $D_k$ is the decryption using the unknown (to the attacker) key $k$. Now, the attacker can see $C_i, C_i-1$, and so if he can deduce the value $D_k( C_i )$, he then has found the value of the plaintext block $P_i$.



          So, what the attacker does is construct ciphertexts where the $C_i$ appears as the last ciphertext block $C'_n$, and he tries various values for the next-to-last block [1] $C'_n-1$; he submits those ciphertexts, and sees if, after decryption, the had valid padding.



          Whether they do (mostly) depends on the last decrypted plaintext block, which is $P'_n = D_k( C'_n ) oplus C'_n-1$; by trying various values of $C'_n-1$, he can deduce the value $D_k( C'_n )$.



          Hence, this padding oracle attack can be used to decrypt any block, not only the last.




          [1] The penultimate block, if you (like me) prefer to use the term 'penultimate' correctly...






          share|improve this answer




















          • Thanks for the good explanation!
            – Guy Sudai
            43 mins ago














          up vote
          3
          down vote



          accepted











          Am I not understanding padding correctly?




          You're not understanding the padding attack correctly.



          Yes, only the last block is (typically) padded in CBC mode, however that doesn't mean that we can only attack the last block; what that means is that we can only use the last block.



          In CBC-mode, the decryption of the block $i$ is computed as $P_i = D_k( C_i ) oplus C_i-1$, where $D_k$ is the decryption using the unknown (to the attacker) key $k$. Now, the attacker can see $C_i, C_i-1$, and so if he can deduce the value $D_k( C_i )$, he then has found the value of the plaintext block $P_i$.



          So, what the attacker does is construct ciphertexts where the $C_i$ appears as the last ciphertext block $C'_n$, and he tries various values for the next-to-last block [1] $C'_n-1$; he submits those ciphertexts, and sees if, after decryption, the had valid padding.



          Whether they do (mostly) depends on the last decrypted plaintext block, which is $P'_n = D_k( C'_n ) oplus C'_n-1$; by trying various values of $C'_n-1$, he can deduce the value $D_k( C'_n )$.



          Hence, this padding oracle attack can be used to decrypt any block, not only the last.




          [1] The penultimate block, if you (like me) prefer to use the term 'penultimate' correctly...






          share|improve this answer




















          • Thanks for the good explanation!
            – Guy Sudai
            43 mins ago












          up vote
          3
          down vote



          accepted







          up vote
          3
          down vote



          accepted







          Am I not understanding padding correctly?




          You're not understanding the padding attack correctly.



          Yes, only the last block is (typically) padded in CBC mode, however that doesn't mean that we can only attack the last block; what that means is that we can only use the last block.



          In CBC-mode, the decryption of the block $i$ is computed as $P_i = D_k( C_i ) oplus C_i-1$, where $D_k$ is the decryption using the unknown (to the attacker) key $k$. Now, the attacker can see $C_i, C_i-1$, and so if he can deduce the value $D_k( C_i )$, he then has found the value of the plaintext block $P_i$.



          So, what the attacker does is construct ciphertexts where the $C_i$ appears as the last ciphertext block $C'_n$, and he tries various values for the next-to-last block [1] $C'_n-1$; he submits those ciphertexts, and sees if, after decryption, the had valid padding.



          Whether they do (mostly) depends on the last decrypted plaintext block, which is $P'_n = D_k( C'_n ) oplus C'_n-1$; by trying various values of $C'_n-1$, he can deduce the value $D_k( C'_n )$.



          Hence, this padding oracle attack can be used to decrypt any block, not only the last.




          [1] The penultimate block, if you (like me) prefer to use the term 'penultimate' correctly...






          share|improve this answer













          Am I not understanding padding correctly?




          You're not understanding the padding attack correctly.



          Yes, only the last block is (typically) padded in CBC mode, however that doesn't mean that we can only attack the last block; what that means is that we can only use the last block.



          In CBC-mode, the decryption of the block $i$ is computed as $P_i = D_k( C_i ) oplus C_i-1$, where $D_k$ is the decryption using the unknown (to the attacker) key $k$. Now, the attacker can see $C_i, C_i-1$, and so if he can deduce the value $D_k( C_i )$, he then has found the value of the plaintext block $P_i$.



          So, what the attacker does is construct ciphertexts where the $C_i$ appears as the last ciphertext block $C'_n$, and he tries various values for the next-to-last block [1] $C'_n-1$; he submits those ciphertexts, and sees if, after decryption, the had valid padding.



          Whether they do (mostly) depends on the last decrypted plaintext block, which is $P'_n = D_k( C'_n ) oplus C'_n-1$; by trying various values of $C'_n-1$, he can deduce the value $D_k( C'_n )$.



          Hence, this padding oracle attack can be used to decrypt any block, not only the last.




          [1] The penultimate block, if you (like me) prefer to use the term 'penultimate' correctly...







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered 1 hour ago









          poncho

          86.3k2128217




          86.3k2128217











          • Thanks for the good explanation!
            – Guy Sudai
            43 mins ago
















          • Thanks for the good explanation!
            – Guy Sudai
            43 mins ago















          Thanks for the good explanation!
          – Guy Sudai
          43 mins ago




          Thanks for the good explanation!
          – Guy Sudai
          43 mins ago










          Guy Sudai is a new contributor. Be nice, and check out our Code of Conduct.









           

          draft saved


          draft discarded


















          Guy Sudai is a new contributor. Be nice, and check out our Code of Conduct.












          Guy Sudai is a new contributor. Be nice, and check out our Code of Conduct.











          Guy Sudai is a new contributor. Be nice, and check out our Code of Conduct.













           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f62756%2fis-every-block-padded-with-aes%23new-answer', 'question_page');

          );

          Post as a guest













































































          Comments

          Popular posts from this blog

          What does second last employer means? [closed]

          Installing NextGIS Connect into QGIS 3?

          One-line joke