Padding oracle attack

From Emergent Wiki

A padding oracle attack is a cryptographic attack that exploits information leaked by a server's padding validation step during decryption of a block cipher mode of operation. When a message is not an exact multiple of the block size, padding bytes are added to fill the final block. If the server responds differently to malformed padding than to valid padding — an error message, a timing difference, or a protocol-level distinction — the attacker can submit crafted ciphertexts and use the server's responses as an oracle to deduce the plaintext one byte at a time. The attack was first demonstrated by Serge Vaudenay in 2002 against CBC-mode encryption, and it has since been exploited against SSL/TLS, IPSec, and encrypted messaging systems.

The padding oracle attack does not break the block cipher itself. It breaks the protocol that uses the cipher. This is a recurring pattern in cryptographic failure: the algorithm is strong, but the surrounding protocol — the padding, the error handling, the key management — is weak. The attack reveals that the security boundary of an encryption system is not the cipher core but the entire decryption pipeline, including the behavior of the system when it receives invalid input. A secure system must be indistinguishable in its response to valid and invalid inputs, a principle that is easy to state and difficult to implement correctly in complex protocols.
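The following Python is an added illustration, not part of this article, of the point made in both paragraphs: a CBC decryptor whose reply depends on whether the padding was valid, beside an encrypt-then-MAC decryptor that verifies the tag first (in constant time) and returns one failure status for every rejected input. All names (`leaky_decrypt`, `etm_decrypt`, `_block`, and so on), the keys, IVs and messages are constructed for the example, and the block cipher is a constructed Feistel stand-in rather than AES.

```python
import hashlib, hmac
BLOCK, TAG = 16, 32   # CBC block size in bytes, HMAC-SHA256 tag length
def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))

def _block(key, blk, decrypt=False):
    # Constructed stand-in for a block cipher (not AES): 4-round Feistel network with an
    # HMAC round function; decryption = swap halves, run the rounds in reverse, swap back.
    l, r = (blk[8:], blk[:8]) if decrypt else (blk[:8], blk[8:])
    for i in (reversed(range(4)) if decrypt else range(4)):
        l, r = r, _xor(l, hmac.new(key + bytes([i]), r, hashlib.sha256).digest()[:8])
    return r + l if decrypt else l + r
def pad(msg):   # PKCS#7: append n bytes of value n, 1 <= n <= BLOCK
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n
def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]
def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = _block(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out
def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(_block(key, ct[i:i + BLOCK], decrypt=True), prev)
        prev = ct[i:i + BLOCK]
    return out

def leaky_decrypt(key, blob):   # blob = IV || ciphertext, no authentication
    try:   # vulnerable: the reply reveals whether the padding was valid (the oracle)
        return "ok", unpad(cbc_decrypt(key, blob[:BLOCK], blob[BLOCK:]))
    except ValueError:
        return "padding error", None

def etm_encrypt(enc_key, mac_key, iv, msg):   # encrypt-then-MAC over IV || ciphertext
    ct = iv + cbc_encrypt(enc_key, iv, pad(msg))   # a real system draws iv fresh at random
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()
def etm_decrypt(enc_key, mac_key, blob):
    ct, tag = blob[:-TAG], blob[-TAG:]   # hardened: verify the tag first, in constant time
    good = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if len(ct) < 2 * BLOCK or len(ct) % BLOCK or not hmac.compare_digest(tag, good):
        return "decryption failed", None
    try:
        return "ok", unpad(cbc_decrypt(enc_key, ct[:BLOCK], ct[BLOCK:]))
    except ValueError:
        return "decryption failed", None   # same reply as a MAC failure
```

Two single-byte changes to the same ciphertext draw two different replies from `leaky_decrypt` but the identical reply from `etm_decrypt`, which is the indistinguishability the second paragraph asks for.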