Key Takeaways

  • Padding Oracle: Decrypt ciphertext by observing error messages.
  • CBC Bit Flipping: Modify ciphertext to change decrypted plaintext.
  • Timing Attacks: Extract secrets by measuring response times.
  • Use authenticated encryption (AES-GCM) to prevent these attacks.

You don't need to break AES to break encryption. Implementation flaws, side channels, and protocol weaknesses can completely undermine cryptographic security.

Padding Oracle Attack

When a server reveals whether decryption padding is valid, attackers can decrypt without the key:

# Server responses reveal padding validity
POST /decrypt HTTP/1.1
Body: [tampered_ciphertext]

Response A: "500 Internal Error - Invalid Padding"  # Oracle!
Response B: "403 Forbidden - Access Denied"         # Valid padding

# By flipping ciphertext bits and observing which response comes back,
# the attacker can recover the plaintext byte by byte without the key

CBC Bit Flipping

# Encrypted cookie (CBC, no MAC): role=user;admin=0
# CBC decryption: P[i] = D(C[i]) XOR C[i-1], so flipping a bit in
# ciphertext block i flips the same bit in plaintext block i+1
# (and turns plaintext block i into garbage)

# The '0' of admin=0 is plaintext byte 16, i.e. byte 0 of block 1,
# so the attacker XORs byte 0 of ciphertext block 0:
# C[0] = C[0] XOR ord('0') XOR ord('1')

# Result after decryption: first block garbled, second block ends in admin=1
# First block corrupted, but the admin flag byte now decrypts to '1'!

Timing Attack Example

# VULNERABLE: String comparison short-circuits
def check_signature(provided, expected):
    return provided == expected  # Returns false at first mismatch!

# Attacker measures response time:
# "AAAA" - 0.001ms (fails at A)
# "XAAA" - 0.002ms (X matches, fails at A)
# "XBAA" - 0.002ms (fails at B)
# "XSAA" - 0.003ms (XS matches!)

# Byte-by-byte recovery of secret!

Prevention

  • Use authenticated encryption: AES-GCM, ChaCha20-Poly1305
  • Constant-time comparisons: crypto.timingSafeEqual() (Node.js)
  • Don't reveal padding errors: same error for all failures
  • Encrypt-then-MAC: verify the HMAC before decrypting
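The last three bullets together, as an added example (not from the original page): the cookie ciphertext from the CBC section is sealed with HMAC-SHA256, the tag is checked with a constant-time comparison before anything is decrypted, and every failure returns the same result. The key and ciphertext bytes are constructed stand-ins.

```python
import hashlib
import hmac
from typing import Optional

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


def seal(mac_key: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC: append HMAC-SHA256(ciphertext) so any flipped bit is detectable."""
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def open_sealed(mac_key: bytes, blob: bytes) -> Optional[bytes]:
    """Verify the tag BEFORE touching the ciphertext (no decryption, no padding check).

    Returns the ciphertext on success and None on every failure, so the caller
    has a single failure path and cannot leak a padding-vs-MAC oracle.
    """
    if len(blob) < TAG_LEN:
        return None
    ciphertext, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    # compare_digest takes the same time regardless of where the first mismatch
    # is; `tag == expected` would short-circuit like check_signature() above.
    if not hmac.compare_digest(tag, expected):
        return None
    return ciphertext


def cbc_flip(blob: bytes, index: int, old: int, new: int) -> bytes:
    """The manipulation from the CBC section: XOR one ciphertext byte with old ^ new."""
    out = bytearray(blob)
    out[index] ^= old ^ new
    return bytes(out)


def demo() -> dict:
    mac_key = b"constructed-demo-mac-key"  # constructed for the example, not a real key
    ciphertext = bytes(range(32))           # constructed stand-in for two CBC blocks
    blob = seal(mac_key, ciphertext)
    return {
        "intact": open_sealed(mac_key, blob) == ciphertext,
        "flipped": open_sealed(mac_key, cbc_flip(blob, 0, ord("0"), ord("1"))),
        "truncated": open_sealed(mac_key, blob[:-1]),
        "tag_flipped": open_sealed(mac_key, cbc_flip(blob, len(blob) - 1, 0, 1)),
    }


if __name__ == "__main__":
    print(demo())  # {'intact': True, 'flipped': None, 'truncated': None, 'tag_flipped': None}
```

Because the tag covers the whole ciphertext, the `C[0] XOR ord('0') XOR ord('1')` flip is rejected before the CBC decryptor or its padding check ever runs.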

Frequently Asked Questions

Is AES broken?
No! AES itself is secure. These attacks target the implementation (padding handling, timing), the mode (CBC without authentication), or the protocol—never the algorithm itself.
