7

Based on a lot of reading here on crypto.stackexchange.com and around the web, it seems like AES in CBC mode is totally insecure if no defense is provided for the padding oracle attack. And it's not just AES: any crypto algorithm that uses CBC mode is totally insecure if no defense is provided for padding oracle attacks. There are even step-by-step videos of how to recover plaintext from CBC mode ciphers. https://www.youtube.com/watch?v=aH4DENMN_O4

All of this kinda blows my mind though given that Wikipedia says that the original padding oracle attack was published in 2002 https://en.wikipedia.org/wiki/Padding_oracle_attack If that is the case, how can it be that AES256CBC is often touted as strong modern encryption without mentioning that implementations lacking proper HMAC validation (Encrypt-Then-MAC), or some other padding oracle defense, are actually not secure at all? It kinda blows my mind if I’m understanding this correctly. Am I understanding this correctly?

RonC

1 Answer

11

The cryptographic community moves very slowly. Take MD5 security for example. A design flaw was first published in 1996 and a collision (with more design flaws) found in 2004. Yet in 2012, authors of the Flame malware were able to use an MD5 collision to forge a Windows code-signing certificate. And we still hear of password-hash dumps that use MD5 today.

how can it be that AES256CBC is often touted as strong modern encryption without mentioning that implementations lacking proper HMAC validation (Encrypt-Then-MAC), or some other padding oracle defense, are actually not secure at all?

This is definitely the way the community is going. I haven't done the analysis, but I'd guess that most TLS/SSL connections these days are using integrity protection (either HMAC or an AEAD mode). Integrity protection is one of the first things that gets mentioned to people on Crypto.SE too when they propose something that doesn't use it.

Something to remember is that the padding-oracle attack is an online attack and very noisy. So there are a lot of use cases of cryptography where it simply does not apply. I agree with your sentiment, however. Authenticated encryption should be the default. We are getting there, but it is taking time.

mikeazo
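As an added worked example (not part of the question or of mikeazo's answer): the attack the question refers to, run against unauthenticated CBC, and then the same attack run against the Encrypt-then-MAC construction the question mentions. Assumptions: the block cipher is a stand-in Feistel network built from HMAC-SHA256 so the script runs with only the Python standard library (the padding oracle attack never looks inside the block cipher, so the attack logic is identical for AES); the keys, IV and plaintext are constructed demo values; and every function name here (`attack_block`, `make_oracle`, `etm_decrypt`, ...) is this example's own, not an API of any library.

```python
import hashlib
import hmac

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Stand-in block cipher (NOT AES): 4-round Feistel on HMAC-SHA256, stdlib only; the attack never looks inside it.
def _feistel(key, block, rounds):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in rounds:
        f = hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:BLOCK // 2]
        l, r = r, xor(l, f)
    return r + l  # final swap: decryption is the same network with the rounds reversed

def block_encrypt(key, block): return _feistel(key, block, range(4))
def block_decrypt(key, block): return _feistel(key, block, reversed(range(4)))

def unpad(data):  # PKCS#7; raising here is what turns the receiver into an oracle
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    n = BLOCK - len(plaintext) % BLOCK
    out, prev, padded = b"", iv, plaintext + bytes([n]) * n  # PKCS#7 padding
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, xor(prev, padded[i:i + BLOCK]))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return unpad(b"".join(xor(p, block_decrypt(key, c)) for p, c in zip([iv] + blocks, blocks)))

def attack_block(oracle, prev, block):
    """Recover one plaintext block; oracle(iv, block) -> True iff the padding was valid."""
    inter = bytearray(BLOCK)  # block_decrypt(key, block), learned right to left
    for pos in range(BLOCK - 1, -1, -1):
        pad_val = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ pad_val  # already-known bytes now decrypt to pad_val
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), block):
                continue
            if pos == BLOCK - 1:  # edge case: "..02 02" also validates; flip byte 14 to rule it out
                probe = bytes(forged[:-2]) + bytes([forged[-2] ^ 0xFF, guess])
                if not oracle(probe, block):
                    continue
            inter[pos] = guess ^ pad_val
            break
        else:
            raise RuntimeError("oracle accepted nothing: no padding leak")
    return xor(inter, prev)

def attack(oracle, iv, ct):
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return unpad(b"".join(attack_block(oracle, p, c) for p, c in zip([iv] + blocks, blocks)))

def etm_encrypt(enc_key, mac_key, iv, plaintext):
    ct = cbc_encrypt(enc_key, iv, plaintext)
    return ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def etm_decrypt(enc_key, mac_key, iv, data):
    ct, tag = data[:-32], data[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC")  # checked first: forged input never reaches unpad()
    return cbc_decrypt(enc_key, iv, ct)

def make_oracle(decrypt):  # the attacker's view of a receiver: accepted or rejected?
    def oracle(iv, c):
        try:
            decrypt(iv, c)
            return True
        except ValueError:
            return False
    return oracle

# Constructed demo values; the fixed keys and IV exist only for this example.
ENC_KEY, MAC_KEY = b"k" * BLOCK, b"m" * BLOCK
IV, PLAINTEXT = bytes(range(BLOCK)), b"attack at dawn; CBC without a MAC leaks"

def recover_with_padding_oracle():  # unauthenticated CBC: one bit per query, full plaintext
    ct = cbc_encrypt(ENC_KEY, IV, PLAINTEXT)
    return attack(make_oracle(lambda iv, c: cbc_decrypt(ENC_KEY, iv, c)), IV, ct)

def attack_against_encrypt_then_mac():  # True only if the attack still succeeds
    data = etm_encrypt(ENC_KEY, MAC_KEY, IV, PLAINTEXT)
    ct, tag = data[:-32], data[-32:]
    oracle = make_oracle(lambda iv, c: etm_decrypt(ENC_KEY, MAC_KEY, iv, c + tag))
    try:
        return attack(oracle, IV, ct) == PLAINTEXT
    except RuntimeError:
        return False
```

`recover_with_padding_oracle()` returns the full plaintext although the attacker only ever learns "accepted" or "rejected" for each of at most 256 forged IVs per byte, which is also why the answer calls the attack online and noisy: roughly 16 x 256 queries per block, all of them decryption failures on the receiver's side. `attack_against_encrypt_then_mac()` returns False: with Encrypt-then-MAC the tag is verified (in constant time, via `hmac.compare_digest`) before any decryption, so every forged message is rejected for the same reason and `unpad()` is never reached on attacker-controlled input. The same holds for an AEAD mode, which rolls the two steps into one.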