Is every block padded with AES?
I am looking at a tutorial on the Oracle Padding Attack, and I wondered, how do you find the rest of the blocks (not the last one), if there's only padding on 1 block?
Am I not understanding padding correctly?
padding-oracle
asked 4 hours ago
Guy Sudai
1 Answer
Am I not understanding padding correctly?
You're not understanding the padding attack correctly.
Yes, only the last block is (typically) padded in CBC mode, however that doesn't mean that we can only attack the last block; what that means is that we can only use the last block.
In CBC-mode, the decryption of the block $i$ is computed as $P_i = D_k(C_i) \oplus C_{i-1}$, where $D_k$ is the decryption using the unknown (to the attacker) key $k$. Now, the attacker can see $C_i, C_{i-1}$, and so if he can deduce the value $D_k(C_i)$, he then has found the value of the plaintext block $P_i$.
So, what the attacker does is construct ciphertexts where the $C_i$ appears as the last ciphertext block $C'_n$, and he tries various values for the next-to-last block [1] $C'_{n-1}$; he submits those ciphertexts, and sees if, after decryption, they had valid padding.
Whether they do (mostly) depends on the last decrypted plaintext block, which is $P'_n = D_k(C'_n) \oplus C'_{n-1}$; by trying various values of $C'_{n-1}$, he can deduce the value $D_k(C'_n)$.
Hence, this padding oracle attack can be used to decrypt any block, not only the last.
[1] The penultimate block, if you (like me) prefer to use the term 'penultimate' correctly...
answered 1 hour ago
poncho
Thanks for the good explanation!
– Guy Sudai
43 mins ago
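The splice described in the answer, as an added example that is not part of the original post: a local Node.js demo in which a middle ciphertext block is submitted as the last block to a padding-checking receiver, next to an encrypt-then-MAC receiver that gives the same queries no usable answer. The keys, the message and all function names are constructed for illustration.

```javascript
const nodeCrypto = require('crypto');
// Added example: keys are constructed here and only the receivers use them.
const BS = 16, KEY = nodeCrypto.randomBytes(16), MAC_KEY = nodeCrypto.randomBytes(32);
const hmac = (data) => nodeCrypto.createHmac('sha256', MAC_KEY).update(data).digest();
function encrypt(plaintext) {                 // returns IV || C_1 || ... || C_n
  const iv = nodeCrypto.randomBytes(BS);
  const c = nodeCrypto.createCipheriv('aes-128-cbc', KEY, iv);
  return Buffer.concat([iv, c.update(plaintext), c.final()]);
}
// Vulnerable receiver: its only output is "was the PKCS#7 padding valid?"
function paddingOracle(msg) {
  const d = nodeCrypto.createDecipheriv('aes-128-cbc', KEY, msg.subarray(0, BS));
  try { d.update(msg.subarray(BS)); d.final(); return true; } catch (e) { return false; }
}
// Hardened receiver (encrypt-then-MAC): the tag is verified before padding is examined.
function hardenedReceiver(msg) {
  const body = msg.subarray(0, -32), tag = msg.subarray(-32);
  return msg.length >= 32 + 2 * BS && nodeCrypto.timingSafeEqual(tag, hmac(body)) && paddingOracle(body);
}
// Recover P_i from (C_{i-1}, C_i): each query is C' || C_i, so C_i is decrypted as the
// last block and C' (sent in the IV slot) plays the role of C'_{n-1}.
function recoverBlock(prev, target, oracle) {
  const dk = Buffer.alloc(BS), forged = Buffer.alloc(BS);   // dk becomes D_k(C_i)
  for (let pos = BS - 1; pos >= 0; pos--) {
    const pad = BS - pos;
    for (let j = pos + 1; j < BS; j++) forged[j] = dk[j] ^ pad;
    let hit = -1;
    for (let g = 0; g < 256 && hit < 0; g++) {
      forged[pos] = g;
      if (!oracle(Buffer.concat([forged, target]))) continue;
      if (pos === BS - 1) {                   // reject an accidental longer pad such as 02 02
        forged[pos - 1] ^= 1;
        const stillValid = oracle(Buffer.concat([forged, target]));
        forged[pos - 1] ^= 1;
        if (!stillValid) continue;
      }
      hit = g;
    }
    if (hit < 0) return null;                 // the receiver leaked nothing usable
    dk[pos] = hit ^ pad;
  }
  for (let j = 0; j < BS; j++) dk[j] ^= prev[j];            // P_i = D_k(C_i) xor C_{i-1}
  return dk;
}
function demo() {
  const ct = encrypt(Buffer.from('block-one-16byteSECRET-MIDDLE-16tail')); // constructed message
  const c1 = ct.subarray(BS, 2 * BS), c2 = ct.subarray(2 * BS, 3 * BS);    // C_2 is not the last block
  const tag = hmac(ct);                       // the only valid tag available for reuse
  return { vulnerable: recoverBlock(c1, c2, paddingOracle),
           hardened: recoverBlock(c1, c2, (q) => hardenedReceiver(Buffer.concat([q, tag]))) };
}
```

`demo().vulnerable` holds the unpadded middle plaintext block, while `demo().hardened` is `null` because every spliced query fails the MAC check before padding is ever inspected.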