The POODLE Attack on SSL – a Novel Padding Oracle

The POODLE attack on SSL is a new padding-oracle attack on SSL version 3.0. Its ramifications are far reaching because of the way SSL/TLS version negotiation is carried out (a client that fails to connect with a newer version will typically fall back to SSL 3.0). How padding-oracle attacks work, and how POODLE uses them, has already been discussed at length. The original attack is described here, and I strongly recommend reading this excellent explanation of the attack by Daniel Franke. Adam Langley's response regarding Google's actions and Chrome is also an important read. At some later stage I may also write about padding-oracle attacks in this blog, but for now I just want to point out a couple of novel and interesting properties of this attack (for those of you who already know what padding-oracle attacks do in general, and how POODLE uses them specifically).

In general, the most difficult part of implementing a padding-oracle attack is distinguishing a padding error from any other error. After their discovery, there were skeptics about how practical these attacks really are, since error messages are often returned encrypted, and so on. In some cases, like the Lucky13 attack, the different errors are distinguished using very subtle means, such as the amount of time taken to issue the error. In other cases, the different errors are distinguished based on the size or type of the packet returned. In these cases, the attacks can theoretically be mitigated by making sure that all errors return the same message and take the same time to be processed. This is very difficult to do in practice, but it is possible. (Of course, the correct thing to do is to use an authenticated-encryption method, or to encrypt-then-MAC, but in many cases this breaks backward compatibility, which is usually not an option.)

The discoverers of POODLE came across a gold mine: a padding-oracle attack with a trivial distinguisher! To make it worse, there is no way of preventing the oracle from working. This means that it’s impossible to fix SSL version 3.0. That’s great news for attackers, and really really bad news for us. So, how does this gold mine work?

The main observation is that SSL version 3.0 looks only at the last byte of the padding (the padding-length byte), and everything preceding it is legal whatever its value. This means that if a message ends with a full block of padding, that block can be replaced with any other block: if, upon decryption, the last byte has the correct value, the block is accepted as padding. Now, an attacker can take a full ciphertext (one that is block aligned and so has a full block of padding) and simply copy a block from the middle, one whose last byte holds secret information, over the final padding block.

Here comes the amazing part. If the last byte happens to decrypt to the correct value (which happens about 1 time in 256), then the last block is removed as padding and the entire message is valid. Notice the amazing thing: in this case there is no error message whatsoever. However, if the last byte is not correct, then some error message must be issued. Since in the "good case" there is no error message at all, it is impossible to prevent an attacker from distinguishing the "good case" from the "bad case". When the last byte is not correct, the attacker does not play around with the bytes of the second-to-last block as in regular padding-oracle attacks (since this would render the MAC incorrect). Instead, it simply causes the request containing the cookie to be sent again (once more copying the appropriate encrypted block over the original padding block). Each new connection is encrypted under a new key, so with an independent probability of about 1 in 256 the last byte will again turn out to be correct. This method lets an attacker learn only the last byte of a block, which seems weaker than the usual padding-oracle attacks. However, by aligning the request correctly, each byte of a password (for example) can be made to sit at the end of a block, one byte at a time. Note that this attack would not work if SSL version 3.0 insisted on checking the entire block of padding, since the chance that the entire block is correct is almost zero.
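To make the two points of the paragraph above concrete (the oracle is "accept silently" versus "error", and it vanishes if every padding byte is checked), here is an added simulation that is not part of the original post. It uses a toy keyed block permutation as a stand-in for the block cipher and HMAC-SHA1 as a stand-in for the SSL 3.0 MAC; the record layout (MAC, then padding, then CBC encryption, with a full block of padding) follows the post. Each trial re-encrypts the same record under a fresh key, copies one ciphertext block over the padding block, and asks the server-side check whether the record is accepted. The `sslv3` policy inspects only the padding-length byte; the hypothetical `strict` policy requires every padding byte to match, as TLS 1.0 and later do. The plaintext and all keys are constructed sample values.

```python
import hashlib
import hmac
import random

BLOCK = 16     # block size in bytes (AES-sized)
MAC_LEN = 20   # HMAC-SHA1 stands in for the SSL 3.0 MAC; same tag length as SHA-1


class ToyCipher:
    """Toy keyed block permutation standing in for a real block cipher.
    E(b) = permute(b XOR k1) XOR k2, with the byte permutation derived from the key.
    It is NOT secure; it only gives CBC something invertible to run on."""

    def __init__(self, key):
        assert len(key) == 2 * BLOCK
        self.k1, self.k2 = key[:BLOCK], key[BLOCK:]
        self.perm = list(range(BLOCK))
        random.Random(key).shuffle(self.perm)

    def encrypt_block(self, b):
        x = xor(b, self.k1)
        y = bytes(x[self.perm[j]] for j in range(BLOCK))
        return xor(y, self.k2)

    def decrypt_block(self, b):
        y = xor(b, self.k2)
        x = bytearray(BLOCK)
        for j in range(BLOCK):
            x[self.perm[j]] = y[j]
        return xor(bytes(x), self.k1)


def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))


def cbc_encrypt(cipher, iv, data):
    out, prev = [], iv
    for k in range(0, len(data), BLOCK):
        prev = cipher.encrypt_block(xor(data[k:k + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(cipher, iv, ct):
    out, prev = [], iv
    for k in range(0, len(ct), BLOCK):
        blk = ct[k:k + BLOCK]
        out.append(xor(cipher.decrypt_block(blk), prev))
        prev = blk
    return b"".join(out)


def make_body(mac_key, plaintext):
    """SSL 3.0 style: plaintext || MAC || padding, with a full block of padding.
    The caller chooses a plaintext whose length plus MAC_LEN is block aligned."""
    body = plaintext + hmac.new(mac_key, plaintext, hashlib.sha1).digest()
    assert len(body) % BLOCK == 0
    padlen = BLOCK - 1
    return body + bytes([padlen]) * (padlen + 1)   # filler bytes equal padlen: valid under both policies


def record_accepted(cipher, mac_key, iv, ct, policy):
    """Server-side check. 'sslv3': only the length byte is inspected (what SSL 3.0 does).
    'strict': every padding byte must equal the length byte (the TLS rule that would defeat the attack)."""
    pt = cbc_decrypt(cipher, iv, ct)
    padlen = pt[-1]
    if padlen >= BLOCK or len(pt) < padlen + 1 + MAC_LEN:
        return False
    if policy == "strict" and any(b != padlen for b in pt[-padlen - 1:-1]):
        return False
    body = pt[:len(pt) - padlen - 1]
    msg, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(tag, hmac.new(mac_key, msg, hashlib.sha1).digest())


def legitimate_record_accepted(policy, seed=7):
    """Sanity check: an unmodified record passes under both policies."""
    rng = random.Random(seed)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    cipher, mac_key, iv = ToyCipher(rand(2 * BLOCK)), rand(BLOCK), rand(BLOCK)
    ct = cbc_encrypt(cipher, iv, make_body(mac_key, b"session=secret-value-0123456"))
    return record_accepted(cipher, mac_key, iv, ct, policy)


def simulate(policy, trials, target_block=1, seed=1):
    """Resend the same record under a fresh key each trial with ciphertext block
    `target_block` (1-based) copied over the padding block, and count acceptances.
    On acceptance the padding rule fixes the last byte of that block's plaintext;
    the inferred value is compared with the real one to show the oracle leaks it."""
    rng = random.Random(seed)
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    plaintext = b"session=secret-value-0123456"   # constructed 28-byte sample; 28 + 20 = 48 = 3 blocks
    accepted = correct = 0
    for _ in range(trials):
        cipher, mac_key, iv = ToyCipher(rand(2 * BLOCK)), rand(BLOCK), rand(BLOCK)
        body = make_body(mac_key, plaintext)
        true_byte = body[target_block * BLOCK - 1]
        ct = cbc_encrypt(cipher, iv, body)
        c = [iv] + [ct[k:k + BLOCK] for k in range(0, len(ct), BLOCK)]   # c[0] is the IV
        n = len(c) - 1
        forged = b"".join(c[1:n]) + c[target_block]          # padding block replaced by C_target
        if record_accepted(cipher, mac_key, iv, forged, policy):
            accepted += 1
            # acceptance means (D(C_t) xor C_{n-1})[-1] == BLOCK-1, and P_t = D(C_t) xor C_{t-1}
            inferred = (BLOCK - 1) ^ c[n - 1][-1] ^ c[target_block - 1][-1]
            correct += inferred == true_byte
    return {"trials": trials, "accepted": accepted, "inferred_correctly": correct}


if __name__ == "__main__":
    for policy in ("sslv3", "strict"):
        print(policy, simulate(policy, 4096))
```

Under the `sslv3` policy roughly 1 trial in 256 is accepted with no error, and every acceptance pins down the target byte; under the `strict` policy the same forged records are never accepted, while an unmodified record still passes both checks. The acceptance itself is the whole oracle: nothing about error messages or timing needs to leak, which is why uniform error handling cannot close it.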

In summary, the novelty of POODLE is in finding a padding oracle for which a padding error can be trivially distinguished, since when the padding is correct there is no error of any kind. To make it much worse, the padding oracle cannot be prevented, since when the last byte is correct the record is completely valid according to the SSL v3.0 specification. This is why POODLE is said to completely break SSL v3.0, and why the usual mitigation tactics don't work.

Prof. Yehuda Lindell

Yehuda Lindell is a professor of Computer Science at Bar-Ilan University, and a cryptographer with expertise in secure multiparty computation (MPC) that forms the technological core of Unbound’s solutions. Yehuda served as the Chief Scientist of Unbound from its inception until February 2019, when he took over the role as CEO.