Efficient Padding Oracle Attacks on Cryptographic Hardware

  • Romain Bardou
  • Riccardo Focardi
  • Yusuke Kawamoto
  • Lorenzo Simionato
  • Graham Steel
  • Joe-Kai Tsay
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7417)


We show how to exploit the encrypted key import functions of a variety of different cryptographic devices to reveal the imported key. The attacks are padding oracle attacks, where error messages resulting from incorrectly padded plaintexts are used as a side channel. In the asymmetric encryption case, we modify and improve Bleichenbacher’s attack on RSA PKCS#1v1.5 padding, giving new cryptanalysis that allows us to carry out the ‘million message attack’ in a mean of 49 000 and median of 14 500 oracle calls in the case of cracking an unknown valid ciphertext under a 1024 bit key (the original algorithm takes a mean of 215 000 and a median of 163 000 in the same case). We show how implementation details of certain devices admit an attack that requires only 9 400 operations on average (3 800 median). For the symmetric case, we adapt Vaudenay’s CBC attack, which is already highly efficient. We demonstrate the vulnerabilities on a number of commercially available cryptographic devices, including security tokens, smartcards and the Estonian electronic ID card. The attacks are efficient enough to be practical: we give timing details for all the devices found to be vulnerable, showing how our optimisations make a qualitative difference to the practicality of the attack. We give mathematical analysis of the effectiveness of the attacks, extensive empirical results, and a discussion of countermeasures.
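As an added, defender-side illustration that is not part of the paper: the oracle described in the abstract arises when a key-import routine reports a distinct error for each way a PKCS#1 v1.5 block can be malformed. The Python below, written for this page, contrasts such a leaky unpadder with one that produces the same shape of result on every failure (a standard countermeasure; the modulus size, 16-byte payload and sample blocks are constructed for illustration).

```python
# Added example, not code from the paper: PKCS#1 v1.5 block-type-2 unpadding in
# a leaky and a hardened flavour. The leaky one names the failure class, which is
# the side channel a padding oracle attack consumes; the hardened one does not.
import secrets

def unpad_leaky(block: bytes, k: int) -> tuple:
    """Return (ok, reason, payload); the reason string leaks why it failed."""
    if len(block) != k or k < 11:
        return False, "bad_length", b""
    if block[0] != 0x00 or block[1] != 0x02:
        return False, "bad_header", b""
    sep = block.find(b"\x00", 2)             # first 0x00 after the 00 02 header
    if sep == -1:
        return False, "no_separator", b""
    if sep - 2 < 8:                          # fewer than 8 padding bytes
        return False, "short_padding", b""
    return True, "ok", block[sep + 1:]

def unpad_hardened(block: bytes, k: int, key_len: int) -> bytes:
    """Always return key_len bytes: the payload if everything checks out, fresh
    random bytes otherwise. Every failure class yields one indistinguishable result."""
    ok = len(block) == k and k >= 11
    ok = ok and block[0] == 0x00 and block[1] == 0x02
    sep = block.find(b"\x00", 2) if ok else -1
    ok = ok and sep >= 10                    # header (2) + at least 8 padding bytes
    payload = block[sep + 1:] if ok else b""
    ok = ok and len(payload) == key_len      # a wrong-length payload fails too
    return payload if ok else secrets.token_bytes(key_len)

def pad_type2(msg: bytes, k: int) -> bytes:
    """Constructed encoder: 00 02 || nonzero padding || 00 || msg, k bytes total."""
    ps_len = k - 3 - len(msg)                # caller must keep this >= 8
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg

def oracle_comparison(k: int = 128, key_len: int = 16) -> dict:
    """Run both unpadders over one valid and three constructed malformed blocks."""
    key = secrets.token_bytes(key_len)
    good = pad_type2(key, k)
    cases = {
        "good": good,
        "bad_header": b"\x00\x01" + good[2:],                      # wrong block type
        "no_sep": good[:2] + good[2:].replace(b"\x00", b"\x01"),  # separator removed
        "short_pad": b"\x00\x02" + b"\x01" * 3 + b"\x00" + key
                     + b"\x07" * (k - 6 - key_len),               # only 3 padding bytes
    }
    leaky = {n: unpad_leaky(b, k)[1] for n, b in cases.items()}
    hardened = {n: unpad_hardened(b, k, key_len) for n, b in cases.items()}
    return {"key": key, "leaky": leaky, "hardened": hardened}
```

Run `oracle_comparison()` to see four distinct reasons from the leaky unpadder against four same-length byte strings from the hardened one, only one of which is the real key.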



Copyright information

© International Association for Cryptologic Research 2012

Authors and Affiliations

  • Romain Bardou (1)
  • Riccardo Focardi (2)
  • Yusuke Kawamoto (3)
  • Lorenzo Simionato (2)
  • Graham Steel (1)
  • Joe-Kai Tsay (4)

  1. INRIA Project ProSecCo, Paris, France
  2. DAIS, Università Ca’ Foscari, Venezia, Italy
  3. School of Computer Science, University of Birmingham, Birmingham, UK
  4. Department of Telematics, NTNU, Trondheim, Norway
