The unpadding function treats wrong and correct padding differently. Because CBC mode is malleable, an attacker can change the decrypted plaintext by modifying the IV (or the block before the targeted block). The order of blocks can be changed, too.
If an attacker is able to distinguish these two cases of valid and invalid padding (e.g. via timing channels or the length of the returned array), it is possible to decrypt ciphertexts without knowing the key.
For more information see TLS-Padding-Oracles from RUB or this question on crypto.stackexchange.
There are options to make CBC mode more secure against this kind of POA, but to mitigate it an authenticated encryption scheme should be used.
radvpn/crypto/cbc.go
Lines 90 to 96 in b5bb965
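One way to implement the "treat wrong and correct padding the same" part of the mitigation, as an added example that is not radvpn's code (the project's cbc.go lines referenced above are not reproduced here): a naive PKCS#7 unpad that returns early with a different error for each failed check, beside a version built on Go's crypto/subtle that always scans the whole last block and returns one uniform error. Function names and the sample buffers are constructed for this example; the authenticated-encryption fix the issue recommends is a separate change not shown here.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// Constructed example, not radvpn's cbc.go. All names here are hypothetical.

// naiveUnpad is the shape of unpadding that yields an oracle: it exits early
// and with a distinct error depending on which check failed, so both the time
// taken and the error value reveal whether (and where) the padding was valid.
var (
	errPadRange = errors.New("padding length out of range")
	errPadByte  = errors.New("padding byte mismatch")
)

func naiveUnpad(buf []byte, blockSize int) ([]byte, error) {
	n := len(buf)
	if n == 0 || n%blockSize != 0 {
		return nil, errPadRange
	}
	padLen := int(buf[n-1])
	if padLen == 0 || padLen > blockSize {
		return nil, errPadRange // early exit: length check failed
	}
	for i := 1; i <= padLen; i++ {
		if buf[n-i] != byte(padLen) {
			return nil, errPadByte // early exit: amount of work depends on plaintext
		}
	}
	return buf[:n-padLen], nil
}

// ErrBadPadding is the single error returned for every padding failure.
var ErrBadPadding = errors.New("cbc: invalid padding")

// unpadConstantTime removes PKCS#7 padding without branching on secret data.
// It always inspects all blockSize trailing bytes, using crypto/subtle so the
// per-byte comparisons do not short-circuit, and returns one uniform error.
func unpadConstantTime(buf []byte, blockSize int) ([]byte, error) {
	if blockSize <= 0 || blockSize > 255 || len(buf) == 0 || len(buf)%blockSize != 0 {
		// These checks depend only on public lengths, not on plaintext bytes.
		return nil, ErrBadPadding
	}
	n := len(buf)
	padLen := int(buf[n-1])

	// good == 1 iff 1 <= padLen <= blockSize, computed without branches.
	good := subtle.ConstantTimeLessOrEq(1, padLen) & subtle.ConstantTimeLessOrEq(padLen, blockSize)

	// Walk the entire last block. For each position decide, without branching,
	// whether it lies inside the claimed padding; if so it must equal padLen,
	// otherwise it must not influence the verdict (select 1 = "ok").
	for i := 1; i <= blockSize; i++ {
		inPad := subtle.ConstantTimeLessOrEq(i, padLen)
		match := subtle.ConstantTimeByteEq(buf[n-i], byte(padLen))
		good &= subtle.ConstantTimeSelect(inPad, match, 1)
	}

	// The only branch on the result happens after the full, fixed-cost scan,
	// and the error is the same regardless of which byte was wrong.
	if good != 1 {
		return nil, ErrBadPadding
	}
	return buf[:n-padLen], nil
}

func main() {
	// Constructed 16-byte plaintext blocks: valid padding, and a corrupted byte.
	valid := []byte("hello world\x05\x05\x05\x05\x05")
	corrupt := []byte("hello world\x05\x04\x05\x05\x05")
	for _, in := range [][]byte{valid, corrupt} {
		_, e1 := naiveUnpad(in, 16)
		_, e2 := unpadConstantTime(in, 16)
		fmt.Printf("naive=%v constant-time=%v\n", e1, e2)
	}
}
```

Note that this only removes the error-value and early-exit distinguishers inside unpadding; a caller that still reports a padding failure differently from a later MAC failure reintroduces the oracle, which is why the issue's recommendation of an authenticated encryption scheme is the safer fix.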