padding attack vs. PKCS7

James Muir muir.james.a at
Fri Jun 12 16:18:34 EDT 2009

travis+ml-cryptography at wrote:
> Towards the end of this rather offbeat blog post they describe a
> rather clever attack which is possible when the application provides
> error messages (i.e. is an error oracle) for PKCS7 padding in e.g. AES
> CBC-encrypted web authenticators that allows an adversary to attack
> the crypto one octet at a time.

I think this attack can be attributed to Klima and Rosa:

Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format.
V. Klima and T. Rosa.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL: <>

More information about the cryptography mailing list