Padding Oracle Attacks - The critical bug in your home-brewed crypto protocol


When encrypting data, block ciphers operate on data blocks of fixed length. However, data that should be encrypted may not fit within the block limits. Consequently, when performing encryption routines the last data block is padded in an invertible way. A problem often overlooked in cryptographic applications is the error handling when encountering an incorrect padding in the decryption routine. Signalling if a padding error occurred in the decryption process may have dramatic consequences and led to issues within the TLS protocol and its implementations. Under modest assumptions, such information about the validity of the padding allow an attacker to decrypt the data. In this talk, we give an introduction to this kind of attacks, called padding oracle attacks. We share their inner workings and how to spot and exploit them.

Henning Kopp


As a child Henning wanted to become an inventor or hitchhike to Spain with a magic street show. Instead, he studied mathematics at TU Kaiserslautern, specializing in the area of number theory. His interest in cryptographic applications lead Henning Kopp to complete a PhD in the area of IT security. Currently, he is employed at SCHUTZWERK GmbH, where he performs various types of security assessments.

In his spare time, Henning enjoys creating music, sailing, and general tinkering.