Exploiting error messages to decrypt CBC ciphertext
This attack was discovered in 2002 and has been used against SSL, ASP.NET, and many other systems. Never implement your own crypto without authenticated encryption (like AES-GCM)!
In CBC mode, PKCS#7 padding is added to make the plaintext a multiple of the block size. Valid padding ends with:
...01 | ...02 02 | ...03 03 03 | ...04 04 04 04 | etc.
A "padding oracle" is any system that tells you whether decrypted padding is valid. By manipulating ciphertext bytes and observing responses, we can decrypt one byte at a time without knowing the key!
Modern systems should use AEAD (Authenticated Encryption with Associated Data) modes like:
• AES-GCM: Combines AES-CTR encryption with a GHASH authentication tag
• ChaCha20-Poly1305: ChaCha20 stream cipher with a Poly1305 MAC
These modes detect tampering before decryption, eliminating padding oracles entirely.
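To make the oracle described above and the AEAD remedy concrete, the following added example (written for this page in Go, not code from the original) puts the vulnerable decrypt-then-check-padding routine next to an AES-GCM path. The key, IV, nonce and message are constructed demo values; in the CBC path a flipped IV byte either trips the padding check (the observable error) or is silently accepted, while in the GCM path any modified byte fails the tag check with one uniform error before plaintext is released.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// ErrPadding is the padding-specific error a naive CBC decryptor leaks; observing it is the oracle.
var ErrPadding = errors.New("bad PKCS#7 padding")
// EncryptCBC pads with PKCS#7 and encrypts; nothing authenticates the output.
func EncryptCBC(key, iv, msg []byte) []byte {
	block, _ := aes.NewCipher(key)
	n := aes.BlockSize - len(msg)%aes.BlockSize
	buf := append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(buf, buf) // in place: buf becomes the ciphertext
	return buf
}

// DecryptCBC is the vulnerable pattern: decrypt first, check padding second, and report
// which step failed. Tampered input is accepted whenever the padding happens to survive.
func DecryptCBC(key, iv, ct []byte) ([]byte, error) {
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad ciphertext length")
	}
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, ErrPadding
	}
	return pt[:len(pt)-n], nil
}

// AES-GCM checks the tag over the whole ciphertext before releasing plaintext: one uniform error.
func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}
func SealGCM(key, nonce, msg []byte) []byte         { return gcm(key).Seal(nil, nonce, msg, nil) }
func OpenGCM(key, nonce, ct []byte) ([]byte, error) { return gcm(key).Open(nil, nonce, ct, nil) }
func main() { // constructed demo key and IV; real systems take them from a KDF and a CSPRNG
	key, iv := bytes.Repeat([]byte{0x11}, 16), bytes.Repeat([]byte{0x22}, 16)
	pt, err := DecryptCBC(key, iv, EncryptCBC(key, iv, []byte("padding-oracle!")))
	fmt.Printf("%q %v\n", pt, err)
}
```

The defensive takeaway is in the error surface: DecryptCBC exposes three distinguishable outcomes (length error, padding error, success with altered plaintext), whereas OpenGCM exposes only success or a single authentication failure.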