Oracle Padding Attack

imiksa · October 25, 2023, 12:49pm

Penetration team raised below concern:

the adversary was able to find that the application uses Cipher Block Chaining (CBC) as its encryption mode, along with Public Key Cryptography Standards (PKCS5/PKCS7) padding. This configuration is known to be vulnerable to Padding Oracle attacks.

Recommendations:
It is recommended to use GCM (Galois Counter Mode)

Need help in removing the AES/CBC references

wodin · October 25, 2023, 3:43pm

It’s hard to say without more information.

Does your app do any encryption? Any idea what part of the code this feedback might be referring to? Is this for both Android and iOS versions of the app or just one of them?

Topic		Replies	Views
Best Practice On how to avoid reverse engineering apk build by expo eas Expo SDK	2	157	March 15, 2023
encryption with Crypto or Base64 Expo SDK	6	2498	September 6, 2019
Hashing algorithm with known collision used (Deprecated) Help: ExpoKit appauth , permissions	1	129	October 25, 2023
Trying to use AuthSession in Android fails (Deprecated) Help: ExpoKit	8	1054	December 16, 2019
HmacSHA512 usage How to / Third Party Tooling	0	273	July 27, 2020

Oracle Padding Attack

the adversary was able to find that the application uses Cipher Block Chaining (CBC) as its encryption mode, along with Public Key Cryptography Standards (PKCS5/PKCS7) padding. This configuration is known to be vulnerable to Padding Oracle attacks.

Recommendations: It is recommended to use GCM (Galois Counter Mode)

Related Topics

Recommendations:
It is recommended to use GCM (Galois Counter Mode)