POODLE (Padding Oracle on Downgraded Legacy Encryption) is an attack in which an attacker exploits a significant weakness in version 3 of the SSL protocol (SSLv3).
In SSL encryption, the first step is to compute a Message Authentication Code (MAC). The MAC serves as a cryptographic checksum that ensures the integrity and authenticity of the data being sent.
A MAC can be computed only by parties who hold the cryptographic keys; these parties may be an intermediary or the recipient of the data. An attacker who tries to read or modify the data cannot produce a valid MAC value without those keys, so any attempt to tamper with the data is in vain.
After the MAC value is appended to the data, the next step is to add padding.
Padding is required because most encryption algorithms expect input whose length is a multiple of a fixed block size: for the Advanced Encryption Standard (AES) the length has to be a multiple of 16 bytes, and for the Data Encryption Standard (DES) it has to be a multiple of 8 bytes. If the data does not already have such a length, it is padded until it reaches the required length.
The padding technique used in SSL encryption is extremely simple: the padding is a sequence of arbitrary byte values. A payload being sent therefore contains the data, the MAC value and the padding bytes.
SSL encryption uses a mode known as Cipher Block Chaining (CBC).
How does CBC work?
CBC divides the entire data into blocks of a fixed length. Each block is encrypted, and its ciphertext is fed into the encryption of the next block: the encrypted value of one block is combined with the next plaintext block by an XOR operation before that block is encrypted. This continues until the last block is encrypted.
During decryption the process runs in reverse order: the last block is decrypted first, and the process continues until the first block is decrypted. Once decryption is complete, the padding is removed and the MAC value is verified against the preceding data.
If the verification of the MAC value fails, the sender drops the connection assuming that some malicious activity has occurred in the communication network.
First, the attacker eavesdrops on the client-server communication through a successful man-in-the-middle (MITM) attack. The attacker then forces the server to downgrade from TLS to SSLv3; if that attempt fails, the attacker compels the server to fall back to an older version of TLS such as TLS 1.1 or TLS 1.2. This is known as a protocol downgrade attack.
HTTP headers have a predictable format, and because the attacker has been observing the communication for quite a long time, they can spot where the headers and the encrypted cookie sit within the encrypted data. This makes it easier for the attacker to spoof the session cookie.
SSLv3 does not check the contents of the padding as long as the padding length is correct. This is an advantage for the attacker: the padding block can be replaced with the session cookie block and the record sent to the server in order to guess the last byte of the session cookie.
After downgrading the protocol, the attacker exploits the flaw in the padding validation algorithm by repeatedly asking the server whether the last byte of the cookie block is correct.
The receiver accepts the block if it is correct; otherwise the block is rejected. If the server rejects the block, the last byte of the block is modified and the block is sent again.
This process is repeated until the cookie block is accepted. On average 1 in 256 requests will be accepted, and because the attacker knows the preceding encrypted block, a simple XOR then uniquely reveals the last byte of the cookie.
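As an added example (not from the original article), the following Python models the receiver-side check that makes this work: the SSLv3 padding rule beside the stricter TLS 1.0+ rule, with the MAC verified after the padding is stripped. The block size, the MAC construction (HMAC-SHA1 standing in for the SSLv3 MAC), the key and the sample record are constructed assumptions; the last function shows that when the padding block is overwritten with junk, an SSLv3-style receiver accepts exactly 1 of the 256 possible values of its last byte, while the TLS rule accepts none.

```python
import hmac
import hashlib
from typing import Callable, Optional

BLOCK = 8        # 64-bit block cipher, e.g. 3DES under SSLv3 (assumption)
MAC_LEN = 20     # SHA-1 MAC; HMAC stands in for the SSLv3 MAC (simplification)
MAC_KEY = b"constructed-mac-key"

def mac(data: bytes) -> bytes:
    return hmac.new(MAC_KEY, data, hashlib.sha1).digest()

def sslv3_strip_padding(pt: bytes) -> Optional[bytes]:
    """SSLv3 rule: only the last byte (padding length) is checked against the
    block size; the padding bytes in front of it are never inspected."""
    if not pt or pt[-1] >= BLOCK:
        return None
    return pt[:-(pt[-1] + 1)]

def tls_strip_padding(pt: bytes) -> Optional[bytes]:
    """TLS 1.0+ rule: all n+1 trailing bytes must equal the length byte n."""
    if not pt:
        return None
    n = pt[-1]
    if n + 1 > len(pt) or pt[-(n + 1):] != bytes([n]) * (n + 1):
        return None
    return pt[:-(n + 1)]

def accept_record(pt: bytes, strip: Callable[[bytes], Optional[bytes]]) -> bool:
    """Receiver side: strip padding, split off the MAC, verify it."""
    body = strip(pt)
    if body is None or len(body) < MAC_LEN:
        return False
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(mac(data), tag)

def build_record(data: bytes) -> bytes:
    """Sender side: data || MAC || padding, padded out to a block boundary."""
    body = data + mac(data)
    n = BLOCK - 1 - len(body) % BLOCK
    return body + bytes([n]) * (n + 1)

def count_accepted_last_bytes(record: bytes, strip) -> int:
    """Overwrite the final (all-padding) block with junk and try every value of
    its last byte: how many of the 256 records does this receiver accept?"""
    prefix = record[:-BLOCK] + b"\xaa" * (BLOCK - 1)
    return sum(accept_record(prefix + bytes([b]), strip) for b in range(256))

# Constructed sample: 12-byte data + 20-byte MAC = 32 bytes, so the padding is a full block.
RECORD = build_record(b"cookie=abcde")
```

Calling `count_accepted_last_bytes(RECORD, sslv3_strip_padding)` returns 1 and the same call with `tls_strip_padding` returns 0, which is the 1-in-256 leak the text describes and the reason the padding contents must be checked.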
Configure the server to support only TLS 1.2 and above.
Disable SSLv2 and SSLv3 entirely.