Is every block padded with AES?

I am looking at a tutorial on the Oracle Padding Attack, and I wondered, how do you find the rest of the blocks (not the last one), if there's only padding on 1 block?



Am I not understanding padding correctly?










      padding-oracle






      asked 4 hours ago









      Guy Sudai

          1 Answer
          Am I not understanding padding correctly?




          You're not understanding the padding attack correctly.



          Yes, only the last block is (typically) padded in CBC mode, however that doesn't mean that we can only attack the last block; what that means is that we can only use the last block.



          In CBC-mode, the decryption of the block $i$ is computed as $P_i = D_k( C_i ) \oplus C_{i-1}$, where $D_k$ is the decryption using the unknown (to the attacker) key $k$. Now, the attacker can see $C_i, C_{i-1}$, and so if he can deduce the value $D_k( C_i )$, he then has found the value of the plaintext block $P_i$.



          So, what the attacker does is construct ciphertexts where the $C_i$ appears as the last ciphertext block $C'_n$, and he tries various values for the next-to-last block [1] $C'_{n-1}$; he submits those ciphertexts, and sees if, after decryption, they had valid padding.



          Whether they do (mostly) depends on the last decrypted plaintext block, which is $P'_n = D_k( C'_n ) \oplus C'_{n-1}$; by trying various values of $C'_{n-1}$, he can deduce the value $D_k( C'_n )$.



          Hence, this padding oracle attack can be used to decrypt any block, not only the last.




          [1] The penultimate block, if you (like me) prefer to use the term 'penultimate' correctly...







          answered 1 hour ago









          poncho












          • Thanks for the good explanation!
            – Guy Sudai
            43 mins ago
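
Added example, not part of the original question or answer: a local model of the relation $P'_n = D_k( C'_n ) \oplus C'_{n-1}$ showing that a padding check leaks the last byte of any block placed last, and that verifying a MAC over the ciphertext before the padding check removes the leak. A toy Feistel cipher stands in for AES so it runs on the standard library alone; every name, key and message here is constructed for illustration.

```python
import hashlib, hmac
BS, KEY, MAC_KEY = 16, b"demo-enc-key", b"demo-mac-key"   # constructed demo values

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(r, half):                                   # round function of the toy cipher
    return hashlib.sha256(KEY + bytes([r]) + half).digest()[:8]

def E(blk):                                        # toy 4-round Feistel, a stand-in for AES
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, xor(l, _f(i, r))
    return l + r
def D(blk):                                        # D_k in the answer's notation
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(i, l)), l
    return l + r

def cbc_encrypt(iv, msg):
    n = BS - len(msg) % BS
    msg += bytes([n]) * n                          # PKCS#7: only the final block carries padding
    out = [iv]
    for i in range(0, len(msg), BS):
        out.append(E(xor(msg[i:i + BS], out[-1])))
    return b"".join(out)

def padding_ok(ct):                                # sees only P'_n = D_k(C'_n) xor C'_{n-1}
    last = xor(D(ct[-BS:]), ct[-2 * BS:-BS])
    n = last[-1]
    return 1 <= n <= BS and last.endswith(bytes([n]) * n)

def mac_then_padding_ok(ct, tag):                  # encrypt-then-MAC: tag is checked first
    good = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    return hmac.compare_digest(good, tag) and padding_ok(ct)

def last_byte_of_block(ct, i, oracle):             # block 0 is the IV
    c_i, c_prev = ct[i * BS:(i + 1) * BS], ct[(i - 1) * BS:i * BS]
    for g in range(256):                           # g = guessed last byte of C'_{n-1}
        a = bytes(BS - 1) + bytes([g])
        b = bytes(BS - 2) + bytes([1, g])          # same guess, neighbouring byte changed
        if oracle(a + c_i) and oracle(b + c_i):    # both valid => P'_n ends in 0x01
            return g ^ 0x01 ^ c_prev[-1]           # D_k(C_i)[-1] = g ^ 1; P_i = D_k(C_i) xor C_{i-1}
    return None                                    # oracle never answered "valid"

MSG = b"first block here" + b"middle block: Z!" + b"tail"   # constructed sample plaintext
CT = cbc_encrypt(bytes(range(BS)), MSG)
TAG = hmac.new(MAC_KEY, CT, hashlib.sha256).digest()
```

With `padding_ok` as the oracle the function returns the correct last byte for blocks 1, 2 and 3 alike; with `lambda c: mac_then_padding_ok(c, TAG)` every modified ciphertext is rejected at the tag check and it returns `None`.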















