9

I need to encrypt messages using PublicKeyCrypto and send them to the server, where the message should be decrypted. I'm aware of the Padding Oracle Attack and want to apply a server side integrity check of the incoming cipher messages. In AES there is the so called CCM mode, which performs the integrity checks implicitly. Is there something else for RSA decryption?

I'm using the 'javax.crypto.Cipher' library.

Mike Edward Moras
My-Name-Is

2 Answers

11

With pure asymmetric encryption there is no way to ensure integrity and authenticity, since anyone who knows your public key can encrypt any message for you. For that you would need either a symmetric key to use for a MAC (in which case you could use it/derivatives for symmetric encryption too) or a signature from the sender. And in the latter case the advice is to sign-then-encrypt, which doesn't help with any padding concerns.

There's no simple way to avoid leaking information through a padding attack, like with encrypt-then-MAC for symmetric encryption, if the padding algorithm is vulnerable to one. Instead, your implementation should not leak information about whether the padding is correct. OAEP is more resistant than older padding algorithms, but even it must be correctly implemented.

However, since you are using a high level cryptographic library, the low level details are not something you should have to worry about. The writers of that library should have taken care of those. Just choose the correct algorithm, i.e. OAEP. (I don't know details about any Java libraries' security record, though.)

otus
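The answer's practical advice is "pick OAEP and let the library do the rest". The following is an added example (not code from the answer or from any Java library's own documentation) showing what that looks like with `javax.crypto.Cipher`: the legacy PKCS#1 v1.5 transformation next to the OAEP one, an explicit `OAEPParameterSpec` so the hash and MGF1 digest are not left to provider defaults (the JDK has historically used SHA-1 for MGF1 unless told otherwise), a server-side decrypt that collapses every failure into one generic outcome, and a last step illustrating the answer's first point: a ciphertext made by anyone holding the public key decrypts just fine, so OAEP alone gives no sender authenticity. The class name, the 3072-bit key size and the sample strings are choices made for this example.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;

public class OaepExample {
    // Weak choice: PKCS#1 v1.5 padding, the scheme classic RSA padding oracles target.
    // Kept here only to show the transformation string that should NOT be chosen.
    static final String LEGACY = "RSA/ECB/PKCS1Padding";

    // Correct choice per the answer: OAEP. The parameter spec pins SHA-256 for both the
    // OAEP hash and MGF1 instead of relying on whatever the provider defaults to.
    static final String OAEP = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";
    static final OAEPParameterSpec OAEP_PARAMS = new OAEPParameterSpec(
            "SHA-256", "MGF1", MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);

    // Client side: anyone with the public key can call this.
    static byte[] encrypt(PublicKey pk, byte[] plaintext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(OAEP);
        c.init(Cipher.ENCRYPT_MODE, pk, OAEP_PARAMS);
        return c.doFinal(plaintext);
    }

    // Server side: every failure (wrong length, bad OAEP decoding, wrong key) becomes the
    // same null result, so the caller cannot tell "padding wrong" from any other error.
    static byte[] decryptOrNull(PrivateKey sk, byte[] ciphertext) {
        try {
            Cipher c = Cipher.getInstance(OAEP);
            c.init(Cipher.DECRYPT_MODE, sk, OAEP_PARAMS);
            return c.doFinal(ciphertext);
        } catch (GeneralSecurityException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        KeyPair kp = kpg.generateKeyPair();

        byte[] msg = "hello server".getBytes(StandardCharsets.UTF_8);
        byte[] ct = encrypt(kp.getPublic(), msg);
        System.out.println("round trip ok: "
                + Arrays.equals(msg, decryptOrNull(kp.getPrivate(), ct)));

        // Flip one bit of the ciphertext: OAEP decoding fails and the server sees only "invalid".
        ct[ct.length - 1] ^= 0x01;
        System.out.println("tampered rejected: " + (decryptOrNull(kp.getPrivate(), ct) == null));

        // No authenticity: a ciphertext produced by any holder of the public key is accepted.
        byte[] forged = encrypt(kp.getPublic(), "from anyone".getBytes(StandardCharsets.UTF_8));
        System.out.println("public-key holder's message accepted: "
                + (decryptOrNull(kp.getPrivate(), forged) != null));
    }
}
```

Run with `javac OaepExample.java && java OaepExample`; it prints `true` for all three lines. The generic `null` on failure is the application-level half of "don't leak whether the padding is correct"; the constant-time behaviour of the OAEP decoding itself is the library's job, which is the answer's point.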
0

You can use the RSA key encapsulation to establish a random symmetric key. Then (in the same protocol message) use this key to protect the data payload (i.e. using some AE/AEAD mode you mentioned).

The RSA key encapsulation should be Padding Oracle Attack resistant (as it does not use any padding).

Another advantage is that your payload length is not restricted as in the pure RSA case.

This scheme provides payload confidentiality (an attacker without the server's private key cannot read the payload) and integrity (the payload is received exactly as intended by the client or is dropped by the server as invalid), but does not provide any sender authenticity (anyone knowing the server's public key can generate valid messages with arbitrary payloads).

Sender authenticity might be addressed by signing the payloads.

Disclaimer: I am no crypto expert, so please do validate my thoughts.

vlp
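The scheme this answer describes, written out as an added example (not code from the answer): the client encapsulates a random secret with raw RSA (`RSA/ECB/NoPadding`, so no padding for an oracle to probe), derives an AES key from it, and protects the payload with AES-GCM; the server decapsulates, derives the same key, and lets GCM's tag check reject anything that was modified. Assumptions made here and not in the answer: the key derivation is a single SHA-256 over the fixed-length encoding of the secret (a simplification of the KDF that standardised RSA-KEM uses), the wire format is `encapsulation || 12-byte IV || GCM ciphertext+tag`, and the encapsulation is fed to GCM as associated data so the payload is bound to the secret it was keyed from. Class and method names are this example's own.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Arrays;

public class RsaKemExample {
    static final SecureRandom RNG = new SecureRandom();
    static final int IV_LEN = 12;

    // Fixed-length big-endian encoding of r (k bytes), so both sides hash identical bytes.
    static byte[] toFixedLength(BigInteger r, int k) {
        byte[] raw = r.toByteArray();                    // may carry a leading 0x00 sign byte
        byte[] out = new byte[k];
        int start = raw.length > k ? raw.length - k : 0; // drop the sign byte if present
        int len = raw.length - start;
        System.arraycopy(raw, start, out, k - len, len);
        return out;
    }

    // Simplified KDF (assumption for this example): AES-256 key = SHA-256(encoded secret).
    static SecretKeySpec deriveKey(byte[] encodedSecret) throws GeneralSecurityException {
        return new SecretKeySpec(MessageDigest.getInstance("SHA-256").digest(encodedSecret), "AES");
    }

    // Client: encapsulate a random r < n with textbook RSA, then AES-GCM the payload under KDF(r).
    static byte[] seal(RSAPublicKey pk, byte[] payload) throws GeneralSecurityException {
        BigInteger n = pk.getModulus();
        int k = (n.bitLength() + 7) / 8;
        BigInteger r;
        do { r = new BigInteger(n.bitLength() - 1, RNG); } while (r.compareTo(BigInteger.ONE) <= 0);
        byte[] rBytes = toFixedLength(r, k);

        Cipher rsa = Cipher.getInstance("RSA/ECB/NoPadding");
        rsa.init(Cipher.ENCRYPT_MODE, pk);
        byte[] encap = rsa.doFinal(rBytes);              // r^e mod n, k bytes

        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
        gcm.init(Cipher.ENCRYPT_MODE, deriveKey(rBytes), new GCMParameterSpec(128, iv));
        gcm.updateAAD(encap);                            // bind payload to this encapsulation
        byte[] ct = gcm.doFinal(payload);

        byte[] out = new byte[k + IV_LEN + ct.length];
        System.arraycopy(encap, 0, out, 0, k);
        System.arraycopy(iv, 0, out, k, IV_LEN);
        System.arraycopy(ct, 0, out, k + IV_LEN, ct.length);
        return out;
    }

    // Server: decapsulate, re-derive the key, and rely on the GCM tag to reject tampering.
    // Every failure maps to null; no "bad padding" versus "bad tag" distinction is exposed.
    static byte[] open(RSAPrivateKey sk, byte[] msg) {
        try {
            int k = (sk.getModulus().bitLength() + 7) / 8;
            byte[] encap = Arrays.copyOfRange(msg, 0, k);
            byte[] iv = Arrays.copyOfRange(msg, k, k + IV_LEN);
            byte[] ct = Arrays.copyOfRange(msg, k + IV_LEN, msg.length);

            Cipher rsa = Cipher.getInstance("RSA/ECB/NoPadding");
            rsa.init(Cipher.DECRYPT_MODE, sk);
            // Re-encode to exactly k bytes rather than trusting the provider's output length.
            byte[] rBytes = toFixedLength(new BigInteger(1, rsa.doFinal(encap)), k);

            Cipher gcm = Cipher.getInstance("AES/GCM/NoPadding");
            gcm.init(Cipher.DECRYPT_MODE, deriveKey(rBytes), new GCMParameterSpec(128, iv));
            gcm.updateAAD(encap);
            return gcm.doFinal(ct);
        } catch (GeneralSecurityException | IndexOutOfBoundsException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        KeyPair kp = kpg.generateKeyPair();
        RSAPublicKey pub = (RSAPublicKey) kp.getPublic();
        RSAPrivateKey priv = (RSAPrivateKey) kp.getPrivate();

        // Payload longer than one RSA block would allow: no length limit in the hybrid scheme.
        byte[] payload = new byte[4096];
        RNG.nextBytes(payload);
        byte[] wire = seal(pub, payload);
        System.out.println("round trip ok: " + Arrays.equals(payload, open(priv, wire)));

        wire[wire.length - 1] ^= 0x01;                   // touch the GCM tag
        System.out.println("tampered rejected: " + (open(priv, wire) == null));
    }
}
```

Run with `javac RsaKemExample.java && java RsaKemExample`; both lines print `true`. Confidentiality and integrity of the payload come from the GCM tag over a key only the private-key holder can recover; as the answer notes, nothing here authenticates the sender, because any holder of the public key can run `seal`, so sender authenticity needs a separate signature over the payload.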