Padding Oracle Attacks on the ISO CBC Mode Encryption Standard

  • Kenneth G. Paterson
  • Arnold Yau
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 2964)


In [8] Vaudenay presented an attack on block cipher CBC-mode encryption when a particular padding method is used. In this paper, we employ a similar approach to analyse the padding methods of the ISO CBC-mode encryption standard. We show that, for several of the padding methods referred to by this standard, we can exploit an oracle returning padding correctness information to efficiently extract plaintext bits. In particular, for one padding scheme, we can extract all plaintext bits with a near-optimal number of oracle queries. For a second scheme, we can efficiently extract plaintext bits from the last (or last-but-one) ciphertext block, and obtain plaintext bits from other blocks faster than exhaustive search.
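As an added illustration that is not part of the paper above, the following Python shows what the abstract calls an oracle returning padding correctness information, and the mitigation argued for in reference [1]: a receiver that reports whether ISO/IEC 9797-1 padding method 2 (a single 1 bit, i.e. a 0x80 byte, followed by zero bytes) decrypted correctly, beside a receiver that verifies an HMAC over the ciphertext before it ever unpads. The block cipher is a toy Feistel permutation built from HMAC-SHA256 so the example runs with the standard library only; the keys, IV and message are constructed values, and the demo does not reproduce the paper's bit-extraction procedure, it only counts how many of the 255 single-byte modifications of a ciphertext byte each receiver accepts.

```python
"""Padding-correctness oracle vs. encrypt-then-MAC receiver (added example)."""
import hashlib
import hmac

BLOCK = 8  # bytes; the demo assumes a 64-bit block cipher


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function of the toy cipher: 4 bytes of HMAC-SHA256 over (round, half).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy 4-round Feistel permutation standing in for a real block cipher.
    # It is constructed for this demo and is NOT a secure cipher.
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def pad_method2(data: bytes) -> bytes:
    # ISO/IEC 9797-1 padding method 2: 0x80 marker, then zero bytes to the block boundary.
    padded = data + b"\x80"
    return padded + b"\x00" * (-len(padded) % BLOCK)


def unpad_method2(padded: bytes) -> bytes:
    # Raises when no 0x80 marker precedes the trailing zeros. This is exactly the
    # distinguishable "padding incorrect" event that a receiver must not reveal.
    stripped = padded.rstrip(b"\x00")
    if not stripped or stripped[-1] != 0x80:
        raise ValueError("invalid padding")
    return stripped[:-1]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    padded, out, prev = pad_method2(plaintext), b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt_raw(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, block), prev)
        prev = block
    return out


def padding_oracle(key: bytes, iv: bytes, ciphertext: bytes) -> bool:
    """Vulnerable receiver: its answer (error code, log line or timing) tells the
    sender whether the padding of an arbitrary ciphertext was correct."""
    try:
        unpad_method2(cbc_decrypt_raw(key, iv, ciphertext))
        return True
    except ValueError:
        return False


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes):
    ct = cbc_encrypt(enc_key, iv, plaintext)
    return ct, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def decrypt_authenticated(enc_key, mac_key, iv, ciphertext, tag):
    """Hardened receiver: constant-time MAC check before any padding processing,
    so unauthentic ciphertext never reaches unpad and every forgery gets the
    same single answer (None)."""
    expected = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return unpad_method2(cbc_decrypt_raw(enc_key, iv, ciphertext))


def run_demo() -> dict:
    enc_key, mac_key = b"demo-enc-key", b"demo-mac-key"  # constructed, not secret
    iv, msg = bytes(range(BLOCK)), b"Transfer 100 EUR"  # constructed sample
    ct, tag = encrypt_then_mac(enc_key, mac_key, iv, msg)
    pos = len(ct) - BLOCK - 1  # this ciphertext byte XORs into the last plaintext byte
    oracle_accepts = auth_rejects = 0
    for delta in range(1, 256):
        tampered = ct[:pos] + bytes([ct[pos] ^ delta]) + ct[pos + 1:]
        oracle_accepts += padding_oracle(enc_key, iv, tampered)
        auth_rejects += decrypt_authenticated(enc_key, mac_key, iv, tampered, tag) is None
    return {
        "roundtrip": decrypt_authenticated(enc_key, mac_key, iv, ct, tag) == msg,
        # Which modification is accepted depends on the plaintext byte: a leak.
        "oracle_accepts": oracle_accepts,
        # The authenticated receiver answers all 255 forgeries identically.
        "auth_rejects": auth_rejects,
    }


if __name__ == "__main__":
    print(run_demo())
```

The vulnerable receiver accepts exactly one of the 255 modifications (the one that turns the final zero byte into a second 0x80 marker), and which one that is depends on the plaintext byte, which is the information the abstract's oracle leaks; the authenticated receiver rejects all 255 before the padding is examined.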


Keywords: padding oracle attack, CBC-mode encryption, ISO standard




References

  1. Black, J., Urtubia, H.: Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption. In: Proceedings of the 11th USENIX Security Symposium, San Francisco, CA, USA, August 5-9, pp. 327–338 (2002)
  2. Canvel, B., Hiltgen, A., Vaudenay, S., Vuagnoux, M.: Password Interception in a SSL/TLS Channel. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 583–599. Springer, Heidelberg (2003)
  3. ISO/IEC 9797-1: Information technology — Security techniques — Message Authentication Codes (MACs) — Part 1: Mechanisms using a block cipher (1999)
  4. ISO/IEC 10116 (2nd edn.): Information technology — Security techniques — Modes of operation for an n-bit block cipher (1997)
  5. ISO/IEC 3rd CD 10116 (3rd edn.): Information technology — Security techniques — Modes of operation for an n-bit block cipher (Committee Draft) (2002)
  6. ISO/IEC FDIS 10118-1: Information technology — Security techniques — Hash-functions — Part 1: General, Final Draft (2000)
  7. Klima, V., Rosa, T.: Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format. Cryptology ePrint Archive, Report 2003/098 (2003)
  8. Vaudenay, S.: Security Flaws Induced by CBC Padding — Applications to SSL, IPSEC, WTLS... In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 534–545. Springer, Heidelberg (2002)

Copyright information

© Springer-Verlag Berlin Heidelberg 2004

Authors and Affiliations

  • Kenneth G. Paterson (1)
  • Arnold Yau (1)
  1. Information Security Group, Royal Holloway, University of London, Egham, Surrey, UK
