
Is padding oracle attack applicable to data stored on a DB in AES/CBC/PKCS5Padding?

Specifically, I would like to be able to use Postgres with pgcrypto https://www.postgresql.org/docs/13/pgcrypto.html#id-1.11.7.34.9 (which currently does not support GCM).

The idea is to achieve totally anonymized data, even in the case where an attacker obtains a dump of the DB.

Currently I'm using AES/GCM/NoPadding on the application side, but having the opportunity to decrypt directly on the database could be helpful.

  • Thanks for the comments, I know that it's vulnerable to padding oracle, but I don't know if the padding oracle attack (or other kinds of attacks) are applicable in the described context. – Fabio Bonfante May 10 '21 at 08:05
  • I've updated this to fit as dupe. – kelalaka May 10 '21 at 08:07
  • I don't think it's a duplicate. Reading from your answer: "The problem with CBC mode is the padding. When there is a padding error, the server must respond a message back to you so that you can send the message back again or encrypt the message from the beginning."

    Having the data stored in the DB (even with a whole dump of it), I don't see if that "client-server" behavior is applicable, and if there are other known vulnerabilities (maybe unrelated to the padding problem) that I'm not aware of.

    – Fabio Bonfante May 10 '21 at 08:18
  • Did you see this, too? As we can see, the attacker needs an oracle to execute the padding oracle attack. Data at rest or encrypted databases have no oracle. Therefore they are not vulnerable to padding oracle attacks. Don't you see that the database doesn't decrypt the data; the client gets the data and decrypts. If you fear that the server tries a padding oracle on the client, then this may be your least problem. – kelalaka May 10 '21 at 08:22
  • Sorry, I missed the updated part. So in case an attacker obtains a dump of the encrypted data, using AES/CBC/PKCS5Padding or AES/GCM/NoPadding makes no difference for the padding oracle attack, right? Then I've "just" to think about whether other parts of the system can act as an 'oracle'... – Fabio Bonfante May 10 '21 at 08:47
  • In this case, CBC being IND-CPA secure means that the attacker cannot even distinguish two messages of the same length. A padding oracle requires a key and a response. On data at rest, there is no key and no response. The attackers have to brute-force the key or the password that was used in the key derivation algorithm. – kelalaka May 10 '21 at 08:58
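The comments above narrow the question to "which other part of the system could act as an oracle". If the database itself is the component that decrypts (the pgcrypto use case in the question), its decrypt path is the candidate. As an added example, not from the question, the answers, or the pgcrypto documentation, the following PL/pgSQL keeps that path from ever reaching a padding check on ciphertext that was not produced with the key: it stores an HMAC over IV and ciphertext next to the row and verifies it before calling `decrypt_iv`. The table and function names (`secret_note`, `seal_note`, `open_note`) are hypothetical; the keys are assumed to be supplied by the application at call time and never stored in the database.

```sql
CREATE EXTENSION IF NOT EXISTS pgcrypto;

-- Constructed table: IV, CBC ciphertext and integrity tag stored side by side.
CREATE TABLE secret_note (
    id  serial PRIMARY KEY,
    iv  bytea NOT NULL,
    ct  bytea NOT NULL,
    tag bytea NOT NULL
);

-- Encrypt-then-MAC: AES-CBC with PKCS padding (the mode asked about), then an
-- HMAC-SHA256 over iv || ct under a separate key (hypothetical helper name).
CREATE OR REPLACE FUNCTION seal_note(plain text, enc_key bytea, mac_key bytea)
RETURNS integer LANGUAGE plpgsql AS $$
DECLARE
    v_iv bytea := gen_random_bytes(16);
    v_ct bytea;
    v_id integer;
BEGIN
    v_ct := encrypt_iv(convert_to(plain, 'UTF8'), enc_key, v_iv, 'aes-cbc/pad:pkcs');
    INSERT INTO secret_note (iv, ct, tag)
    VALUES (v_iv, v_ct, hmac(v_iv || v_ct, mac_key, 'sha256'))
    RETURNING id INTO v_id;
    RETURN v_id;
END $$;

-- Decrypt only after the tag verifies, so a modified row is rejected with one
-- generic error and decrypt_iv (and its padding check) is never invoked on it.
CREATE OR REPLACE FUNCTION open_note(note_id integer, enc_key bytea, mac_key bytea)
RETURNS text LANGUAGE plpgsql AS $$
DECLARE
    r secret_note%ROWTYPE;
BEGIN
    SELECT * INTO r FROM secret_note WHERE id = note_id;
    IF NOT FOUND OR hmac(r.iv || r.ct, mac_key, 'sha256') <> r.tag THEN
        RAISE EXCEPTION 'note unavailable';
    END IF;
    RETURN convert_from(decrypt_iv(r.ct, enc_key, r.iv, 'aes-cbc/pad:pkcs'), 'UTF8');
END $$;

-- Constructed usage with fixed demo keys (32 bytes each); real keys come from
-- the application's key management, not from literals.
SELECT seal_note('patient record 42', decode(repeat('11', 32), 'hex'),
                 decode(repeat('22', 32), 'hex'));
SELECT open_note(1, decode(repeat('11', 32), 'hex'),
                 decode(repeat('22', 32), 'hex'));
```

The bytea comparison `<>` is not constant-time, so on a server that an attacker can query at high rate the tag check itself becomes a (much weaker) timing signal; a dumped table with no key and no query interface, as the comments note, offers neither.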
