3

Almost all info related to padding oracle attacks on AES are described in the context of client/server scenarios but does it apply to local encrypted files as well?

For example, a file P is encrypted using AES-256 and CBC padding.
The random IV and C are then written to a new file.

If the attacker got hold of that file, could he then use whatever language he's using to try and decrypt that file and get exceptions that tell him whether he's dealing with padding errors or decryption errors?

If so, how could one protect against this? Wouldn't Encrypt-then-Mac be useless in this case?
Since the attacker can choose to ignore the MAC or am I completely missing something here?

Improve this question

1 Answer 1

Reset to default
2

Padding oracle attack are effective when the remote side (the server side) uses its private key to decipher and rise an exception when the padding is not correct.

In a local context, you do not know the private key. So you can try many keys and see if the padding is good or not, but this information is useless.

For example, you have the cipher XXXXXXXXXXXXXXXX and you try the key1 which give you the clear helloworld030303, interesting but the key2 give you hellobitches0202 which is correct too. How can you choose which clear is the correct one? You cannot, every correct string with correct padding could be the good candidate.

The "oracle" in "padding oracle attack" is the fact that you get answer from a source who uses the correct secret key (which is a unknown information for you) to perform operations (decipher) and give you information about the result. You can use this result to get indirect information about the secret key or the secret clear message

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.