What is a Padding Oracle

Published: 2026/7/5 2:19:57
ScottGu's article also mentions the padding oracle: "..., there is a vulnerability in ASP.NET which acts as a padding oracle." First, it has to be admitted that the words padding and Oracle really are confusing; between CSS padding and the Oracle database, the terms challenge one's imagination. I could not come up with a good Chinese translation either, so I rendered it literally as 附加断言 (oracle: divine revelation, prophecy); corrections are welcome. Now let's look at what a padding oracle actually is.

In ASP.NET, encrypted strings such as ViewState are designed so that when a text (ciphertext) is submitted to the encryption algorithm, the function reports whether it succeeded, returning for example valid or invalid. An attacker therefore submits different values, captures the returned value each time, analyses it, corrects the input and resubmits, and in this way decrypts the original text. How many attempts does it take to recover the plaintext? The answer is 128*N, where N is the number of bytes in the ciphertext, which is where the claim in fellow blogger 辰's article comes from: "this process succeeds 100% of the time and takes only 30 minutes." Of course it is not 100% successful; the original text reads: "The attack works under the assumption that the attackers can intercept padded messages encrypted in CBC mode, and have access to the aforementioned padding oracle. The result is that attackers can recover the plaintext corresponding to any block of ciphertext using an average of 128 * b oracle calls, where b is the number of bytes in a block." Just a reminder, in case my understanding was off.

辰's article also mentions that the problem is not confined to ASP.NET but also affects Java and others. The background is that hidden fields such as ViewState, cookies and request parameters are all exposed to this vulnerability when they are encrypted into Base64 strings, and some Java frameworks such as JavaServer Faces also have a ViewState design, hence the conclusion above.

How is it attacked? Exploitation of this vulnerability was in fact already discussed at the Eurocrypt conference in 2002; the PDF can be downloaded from the BlackHat website, and much of my analysis above is distilled from that document: "Then we decode each Base64 string found. If the result looks random, and its length is a multiple of common block cipher sizes, i.e. 8, 16 or 32 bytes, then there's a good chance that it is a ciphertext. We also look for common separators, i.e. --, | or :, which are often used to separate IV, ciphertext, or MAC. Then we replace a byte in the last block of the ciphertext by a random value, then send it back to the target, and see what changes in the response. If there is an error message, then there's a high chance that this is a Padding Oracle."

This passage explains very clearly how to test whether a target can be broken: each time, replace the last byte, submit the newly assembled string for encryption and record the returned result; if that works, go on to decrypt the original text. At this point we have a reasonably clear picture of the vulnerability; for deeper analysis, see the PDF document above.

Coming back to the workaround ScottGu published, my guess is that a random sleep in the error page prevents the attacker from obtaining an accurate return status, that is, from obtaining the oracle that would otherwise be returned. An error configuration section is added: on the attacker's first attempt, the configuration section forces a redirect to the error page, and if the error page finds that the submitted constructed password seed (that is how I understood it, as a seed :) ) is 1, the object is forcibly Disposed, so the attacker cannot continue. julianor, one of the originators of this attack, said on Twitter: "The attack that was shown in the public relies on a feature in ASP.NET that allows files (typically javascript and css) to be downloaded, and which is secured with a key that is sent as part of the request. Unfortunately if you are able to forge a key you can use this feature to download the web.config file of an application (but not files outside of the application). We will obviously release a patch for this - until then the above workaround closes the attack vector." This should refer to WebResource.axd and ScriptResource.axd.
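As an added example (not code from the original post or from ASP.NET), the test described above run against a toy CBC decryptor: a vulnerable version that answers with a distinct padding error, beside a hardened version that checks a MAC over IV and ciphertext before decrypting and gives the same answer for every failure. The block cipher is a constructed 4-round Feistel cipher standing in for AES, and the key, IV and ViewState-like payload are constructed sample values.

```python
import hashlib, hmac, random
BLOCK = 16  # block size in bytes, as for AES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    # Round function of a toy 4-round Feistel cipher standing in for AES; it
    # gives full-block diffusion, which is all the oracle behaviour depends on.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def _block(key, b, decrypt=False):
    l, r = b[:8], b[8:]
    for i in (reversed(range(4)) if decrypt else range(4)):
        l, r = (_xor(r, _f(key, i, l)), l) if decrypt else (r, _xor(l, _f(key, i, r)))
    return l + r

def cbc_encrypt(key, iv, pt):
    n = BLOCK - len(pt) % BLOCK
    pt, out, prev = pt + bytes([n]) * n, b"", iv  # PKCS#7 padding
    for i in range(0, len(pt), BLOCK):
        prev = _block(key, _xor(prev, pt[i:i + BLOCK]))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    # CBC-decrypt and strip PKCS#7 padding; None if the padding is invalid.
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out, prev = out + _xor(prev, _block(key, ct[i:i + BLOCK], True)), ct[i:i + BLOCK]
    n = out[-1]
    return out[:-n] if 1 <= n <= BLOCK and out[-n:] == bytes([n]) * n else None

def make_tag(key, iv, ct):
    return hmac.new(key, iv + ct, "sha256").digest()

def vulnerable_decrypt(key, iv, ct, tag):
    # The oracle: a distinct response says that only the padding was wrong.
    return "padding error" if cbc_decrypt(key, iv, ct) is None else "ok"

def hardened_decrypt(key, iv, ct, tag):
    # Verify the MAC before decrypting, and give one answer for every failure.
    mac_ok = hmac.compare_digest(tag, make_tag(key, iv, ct))
    return "ok" if mac_ok and cbc_decrypt(key, iv, ct) is not None else "invalid"

def probe(decrypt, key, iv, ct, tag, trials=64, seed=1):
    # The check from the text: change one byte of the last block and collect
    # the distinct responses the decryptor gives back.
    rng, seen = random.Random(seed), set()
    for _ in range(trials):
        t = bytearray(ct)
        t[len(ct) - rng.randrange(1, BLOCK + 1)] ^= rng.randrange(1, 256)
        seen.add(decrypt(key, iv, bytes(t), tag))
    return seen
```

With the vulnerable decryptor the probe returns more than one kind of answer, which is the signal the text describes; with the hardened one every tampered message gets the same "invalid".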