Inadequate Padding

java.inadequate_padding

Severity

high

Resource

Predictability

Language

Java

Description

Inadequate encryption strength due to inadequate padding.

Padding is a crucial process in block cipher encryption, where data is modified to fit the required block size of the encryption algorithm. Inadequate or incorrect padding can lead to vulnerabilities such as padding oracle attacks, where attackers exploit the padding errors to decrypt data without knowing the encryption key.

Rationale

Certain padding schemes are known to have specific attacks, such as padding oracle attacks. For example, with RSA, the PKCS#1 v1.5 padding scheme is vulnerable to chosen ciphertext attack (discovered by D. Bleichenbacher). The Optimal Asymmetric Encryption Padding (OAEP, aka. PKCS#1 v2) padding scheme was designed to be resistant to such attack.

The zero padding scheme sometimes seen with symmetric block ciphers is also known to have vulnerabilities.

Some authenticated cipher modes of operation (e.g., GCM) often run in counter mode, and do not require padding. Other modes require padding with block ciphers.

The following is a summary of the most common padding schemes and their vulnerabilities:

Official Name	Standard/RFC	Aliases	Use Case	Known Weaknesses
PKCS#7	RFC 5652	PKCS5 (64-bit blocks)	Symmetric Encryption	Padding oracle attacks if decrypted before MAC validation
PKCS#1 v1.5	PKCS#1, RFC 2313/8017	–	Asymmetric Encryption (RSA)	Padding oracle and Bleichenbacher attacks
OAEP	PKCS#1 v2, RFC 2437/8017	RSA-OAEP	Asymmetric Encryption (RSA)	Original OAEP had IND-CCA1 security; fixed in RSA-OAEP
PSS	PKCS#1 v2.1, RFC 8017	RSA-PSS	Digital Signature (RSA)	Secure if implemented correctly
X9.23	ANSI X9.23	–	Symmetric Encryption	Padding oracle attacks (similar to PKCS#7)
TBC	(No standardized doc)	Trailing Bit Complement	Symmetric Encryption (rare)	Not widely analyzed; possible predictability
ISO-10126	ISO/IEC 10126	–	Symmetric Encryption	Padding oracle attacks (similar to PKCS#7)
ISO-7816	ISO/IEC 7816-4	–	Smart Card Protocols	Not typically used as general padding; context-specific
ISO-9797-1 Method 1	ISO/IEC 9797-1	Zero padding	MAC	Predictable padding risks if not combined with authentication
ISO-9797-1 Method 2	ISO/IEC 9797-1	Bit padding (1 + 0s)	MAC	More secure than Method 1 but still padding-dependent
ISO-9797-1 Method 3	ISO/IEC 9797-1	Length-prepended padding	MAC	Secure if length data is authenticated
AES-KW	RFC 3394	AES Key Wrap	Key Wrapping/Encryption	No padding; requires data length multiple of 64 bits; secure if implemented correctly
AES-KWP	RFC 5649	AES Key Wrap with Padding	Key Wrapping/Encryption	Allows any data length; uses padding; secure if implemented correctly
PSEP	DFJW04 paper	–	Signcryption	No major weaknesses reported in the framework

Official Name

Standard/RFC

Aliases

Use Case

Known Weaknesses

PKCS#7

RFC 5652

PKCS5 (64-bit blocks)

Symmetric Encryption

Padding oracle attacks if decrypted before MAC validation

PKCS#1 v1.5

PKCS#1, RFC 2313/8017

–

Asymmetric Encryption (RSA)

Padding oracle and Bleichenbacher attacks

OAEP

PKCS#1 v2, RFC 2437/8017

RSA-OAEP

Asymmetric Encryption (RSA)

Original OAEP had IND-CCA1 security; fixed in RSA-OAEP

PSS

PKCS#1 v2.1, RFC 8017

RSA-PSS

Digital Signature (RSA)

Secure if implemented correctly

X9.23

ANSI X9.23

–

Symmetric Encryption

Padding oracle attacks (similar to PKCS#7)

TBC

(No standardized doc)

Trailing Bit Complement

Symmetric Encryption (rare)

Not widely analyzed; possible predictability

ISO-10126

ISO/IEC 10126

–

Symmetric Encryption

Padding oracle attacks (similar to PKCS#7)

ISO-7816

ISO/IEC 7816-4

–

Smart Card Protocols

Not typically used as general padding; context-specific

ISO-9797-1 Method 1

ISO/IEC 9797-1

Zero padding

MAC

Predictable padding risks if not combined with authentication

ISO-9797-1 Method 2

ISO/IEC 9797-1

Bit padding (1 + 0s)

MAC

More secure than Method 1 but still padding-dependent

ISO-9797-1 Method 3

ISO/IEC 9797-1

Length-prepended padding

MAC

Secure if length data is authenticated

AES-KW

RFC 3394

AES Key Wrap

Key Wrapping/Encryption

No padding; requires data length multiple of 64 bits; secure if implemented correctly

AES-KWP

RFC 5649

AES Key Wrap with Padding

Key Wrapping/Encryption

Allows any data length; uses padding; secure if implemented correctly

PSEP

DFJW04 paper

–

Signcryption

No major weaknesses reported in the framework

In Java, when using the Java Cryptography Architecture (JCA) for encryption, it is essential to correctly specify and apply padding schemes to ensure data integrity and confidentiality. A common mistake is using block ciphers without specifying proper padding, which could lead to vulnerabilities:

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class InsecurePaddingExample {
    public static void main(String[] args) throws Exception {
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        SecretKey secretKey = keyGen.generateKey();

        Cipher cipher = Cipher.getInstance("AES"); // Missing explicit padding specification
        cipher.init(Cipher.ENCRYPT_MODE, secretKey);

        byte[] plainText = "Sensitive Data".getBytes();
        byte[] cipherText = cipher.doFinal(plainText);
        // This implementation may lead to vulnerabilities due to unspecified padding
    }
}

In this example, the encryption operation lacks an explicit padding scheme, leaving it potentially vulnerable.

Remediation

To remediate inadequate padding vulnerabilities, follow these best practices within Java applications:

Specify Proper Padding Schemes: Always use encryption algorithms with a specified padding scheme. Prefer standard padding such as PKCS5Padding when using block ciphers.

import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class SecurePaddingExample {
    public static void main(String[] args) throws Exception {
        KeyGenerator keyGen = KeyGenerator.getInstance("AES");
        SecretKey secretKey = keyGen.generateKey();

        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding"); // Explicit padding specification
        cipher.init(Cipher.ENCRYPT_MODE, secretKey);

        byte[] plainText = "Sensitive Data".getBytes();
        byte[] cipherText = cipher.doFinal(plainText);
        // Secure due to explicitly defined padding scheme
    }
}

Employ Secure Modes of Encryption: Use secure modes of operation such as CBC (Cipher Block Chaining) along with padding, rather than ECB (Electronic Codebook), which is more predictable and less secure.
Stay Updated with Cryptographic Best Practices: Continuously monitor and adapt to industry best practices for cryptography to ensure encryption implementations remain secure.
Conduct Comprehensive Security Testing: Perform regular cryptographic security assessments and penetration testing to identify and address potential vulnerabilities in encryption processes.

By following these guidelines, developers can ensure that their encryption implementations in Java effectively protect data against padding-related vulnerabilities and other cryptographic threats.

Configuration

The rule has the following configurable parameters:

allowedPaddings, that indicates the list of allowed paddings.
forbiddenPaddings, that indicates the list of forbidden paddings.

If the normalized padding scheme is in the allowedPaddings list, the detector considers the padding as acceptable. If the normalized padding scheme is in the forbiddenPaddings list, the detector considers the padding as insecure and emits a vulnerability. If it does not match any of the lists, the detector logs a warning but does not emit a vulnerability.

References

CWE-325 : Missing Cryptographic Step.
CWE-780 : Use of RSA Algorithm without OAEP.