by CodesInChaos 956 days ago
An attacker who has write access to the database and gets feedback if a decryption was successful can still mount the standard padding oracle against CBC, because the first block acts as IV for the second block.

Thanks. So, AES-CBC + HMAC would prevent this, but AES-CBC does not.

How do the following methods compare when using a constant IV?

AES-CBC + HMAC (encrypt then MAC) vs AES-GCM-SIV vs AES-SIV

Be careful how you combine these components: https://soatok.blog/2021/07/30/canonicalization-attacks-agai...

(The linked article talks about CTR + HMAC, but CBC + HMAC is also affected.)
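The canonicalization issue the linked post warns about, as an added illustration (not code from this thread or from the linked article): the MAC input is a header plus ciphertext, and the assumed mistake is concatenating them with no length framing, so the same bytes can be read with a different field boundary. The key and the sample header are constructed for the demo.

```python
import hmac
import hashlib
import struct

# Constructed demo key; a real deployment derives this from a KDF or key store.
KEY = b"\x00" * 32


def naive_mac_input(header: bytes, ciphertext: bytes) -> bytes:
    """Plain concatenation: the boundary between the two fields is lost."""
    return header + ciphertext


def pae_mac_input(*fields: bytes) -> bytes:
    """Pre-Authentication Encoding (PASETO-style): field count, then each
    field as an 8-byte little-endian length followed by its bytes, so every
    (header, ciphertext) split encodes to a distinct byte string."""
    out = struct.pack("<Q", len(fields))
    for f in fields:
        out += struct.pack("<Q", len(f)) + f
    return out


def tag(mac_input: bytes, key: bytes = KEY) -> bytes:
    return hmac.new(key, mac_input, hashlib.sha256).digest()


def naive_verifies(header: bytes, ciphertext: bytes, given_tag: bytes) -> bool:
    return hmac.compare_digest(tag(naive_mac_input(header, ciphertext)), given_tag)


def pae_verifies(header: bytes, ciphertext: bytes, given_tag: bytes) -> bool:
    return hmac.compare_digest(tag(pae_mac_input(header, ciphertext)), given_tag)


def demo() -> dict:
    # Message as the sender produced it (constructed sample values).
    header, ct = b"v1:user=42;", b"\xde\xad\xbe\xef"
    # Same bytes, different boundary: one byte moved from header to ciphertext.
    shifted_header, shifted_ct = b"v1:user=42", b";\xde\xad\xbe\xef"

    naive_tag = tag(naive_mac_input(header, ct))
    pae_tag = tag(pae_mac_input(header, ct))
    return {
        # Naive framing: the original tag verifies the re-split message.
        "naive_accepts_shifted": naive_verifies(shifted_header, shifted_ct, naive_tag),
        # Length-prefixed framing: only the original split verifies.
        "pae_accepts_shifted": pae_verifies(shifted_header, shifted_ct, pae_tag),
        "pae_accepts_original": pae_verifies(header, ct, pae_tag),
    }
```

The same framing applies to any component (version, nonce/IV, AAD, ciphertext) fed into the MAC; the verifier must rebuild the encoding with the lengths it parsed, never re-concatenate raw bytes.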