Practical Padding Oracle Attacks on RSA
Riccardo Focardi

We revise attacks on the RSA cipher based on side-channels that leak partial information about the plaintext. We then describe PKCS#1 v1.5 padding for RSA and we show that the simple leakage of padding errors is enough to recover the whole plaintext, even when it is unpadded or padded under another scheme. This vulnerability is well-known since 1998 but the flawed PKCS#1 v1.5 padding is still broadly in use. We discuss recent optimizations of this padding oracle attack that make it effective on commercially available cryptographic devices.