Padding Oracle Attacks

Satish B. 20/08/2011. Cryptography Attack.

Agenda
  • Cryptography Basics
  • Padding oracle attack
  • Exploitation
  • Padding oracle in .NET
  • Tools
  • Remedy
Cryptography Basics

Stream ciphers: the key is supplied to the encryption algorithm to produce a key stream. The plaintext is XORed with the key stream to generate the ciphertext.

Ex: RC4

1 xor 0 = 1, P xor K = C

0 xor 1 = 1, C xor P = K

Block ciphers: operate on a fixed-length group of bits or bytes (64- or 128-bit blocks). 128 bits of plaintext are converted into 128 bits of ciphertext. Ex: AES


Block Cipher : Modes

ECB mode – Electronic code book mode

Encryption of the same plain text with the same key results in the same cipher text, which is a considerable threat to security.


CBC – cipher block chaining

C_i = E_k(P_i xor C_{i-1})

Encryption of the same plaintext with the same key results in different ciphertext because of the IV.

Each block of plaintext is XORed with the previous ciphertext block before being encrypted.


Each block of ciphertext is decrypted and XORed with the previous ciphertext block to obtain the plain text.

First block of ciphertext is decrypted and XORed with IV to obtain the plain text.


Block ciphers:

  • Work on fixed-size data
  • Messages come in a variety of lengths
  • Padding was introduced
  • The final block is padded before encryption

PKCS#5 standard - final block of plaintext is padded with N bytes of value N.

Padding oracle attack
  • Initially discovered in 2002. Credits: http://netifera.com/research/
  • Got famous in 2010.
  • What is it?
  • It is possible to decrypt and encrypt data without the key in CBC mode.
  • Typical scenario:
    • Brian logs into myapp.com
    • The server creates an encrypted string specific to Brian and sends it to him
    • Accessing any page in the application sends the encrypted value to the server
    • The server decrypts it and serves content based on the decrypted value
  • Ex: http://myapp.com/home.jsp?UID=7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6

[Diagram: the server encrypts the value for the client]

value = BRIAN;12;1;

IV = 7B216A634951170F

Ciphertext blocks: F851D6CC68FC9537, 858795A28ED4AAC6


[Diagram: the client sends the encrypted value back and the server decrypts it]

http://myapp.com/home.jsp?UID=7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6


http://myapp.com/home.jsp?UID=7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6

The application verifies whether the encrypted value is properly padded. When the application is passed an encrypted value, it responds in one of three ways:

  • Valid ciphertext (with proper padding) – normal response
  • Invalid ciphertext (improper padding) – exception
  • Valid ciphertext that decrypts to an invalid value – custom error

  • Wrong padding can result in:
    • Error messages
    • Stack traces
    • Time differences
    • Different responses

"Oracle" refers to a mechanism in cryptography that can be used to determine whether a test has passed or failed. The pass and fail conditions can be used to decrypt without the key.

Decrypting without a key

Valid cipher: http://myapp/home.jsp?UID=7B216A634951170FF851D6CC68FC9537

Invalid cipher: http://myapp/home.jsp?UID=0000000000000000F851D6CC68FC9537


Invalid cipher

http://myapp/home.jsp?UID=0000000000000001F851D6CC68FC9537


Invalid cipher: http://myapp/home.jsp?UID=0000000000000003F851D6CC68FC9537

Intermediary byte ^ 0x3C == 0x01

Intermediary byte == 0x3C ^ 0x01

Intermediary byte == 0x3D


Valid cipher

http://myapp/home.jsp?UID=7B216A634951170FF851D6CC68FC9537

Plain text == intermediary byte 0x3D ^ corresponding IV byte 0F == 02

Now crack the 7th byte, and so on …

In the end this gives the intermediate value.


Encrypting arbitrary values without key

XOR the plaintext value with the intermediary value to get the IV.

Summary

A padding oracle attack allows data to be encrypted and decrypted without the key.

Padding oracle attack in .NET
  • Where is it applicable?
  • View state
  • Session cookies
  • Any encrypted data in hidden parameters
  • WebResource.axd - serves embedded resources
  • ScriptResource.axd - serves embedded resources and files

https://samplesite.com/WebResource.axd?d=llIAeUHrAWkUZEuvZB-98g2

  • Valid ciphertext decrypted to a valid value – proper response (200 OK)
  • Valid ciphertext decrypted to an invalid value – page not found or similar response (404)
  • Invalid ciphertext – padding error

If the application gives different errors in the above 3 cases, it is vulnerable and easy to exploit.

Tools
  • Padbuster

https://www.gdssecurity.com/l/t/d.php?k=PadBuster

  • Poet

http://netifera.com/research/

  • Padbusterdotnet

http://www.mindedsecurity.com/fileshare/padBusterdotnet.zip

Padding oracle attack

Why is this working?

  • CBC mode only provides confidentiality.
  • Confidentiality does not ensure that the value has not been tampered with.
  • An integrity check has to be performed.

Solution

  • Implemented an integrity check by adding a hash to the encrypted value

Before fix: http://website.com/application/WebResource.axd?d=jzjghMVYzFihd9Uhe_arpA2

After fix: http://website.com/application/WebResource.axd?d=jadfz0GadfahafMVYzFihd9Uhadfadfdfdfe_aereradf349jkMjlrfgRr6moijfdn_Aretkjf093rpA2
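
The remedy as an added example (not code from the original slides): a handler that gives the three distinguishable answers described earlier, next to one that checks a keyed hash over the IV and ciphertext before decrypting and gives a single answer for every failure. The toy Feistel cipher (a stand-in for a real block cipher), the keys, the function names, the status strings and the choice of HMAC-SHA256 as the "hash" are assumptions for illustration; the IV and plaintext are the slides' sample values.

```python
import hashlib, hmac

BLOCK = 8  # 64-bit blocks, matching the 8-byte IV on the slides
KEY, MAC_KEY = b"demo-enc-key", b"demo-mac-key"  # constructed keys (assumption)
IV, PLAIN = bytes.fromhex("7B216A634951170F"), b"BRIAN;12;1;"  # slide values

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, blk, rounds):  # toy cipher standing in for DES/AES, NOT secure
    l, r = blk[:4], blk[4:]
    for rnd in rounds:
        l, r = r, _xor(l, hashlib.sha256(key + bytes([rnd]) + r).digest()[:4])
    return r + l  # final swap: decryption is the same routine, rounds reversed

def cbc_encrypt(key, iv, pt):
    n = BLOCK - len(pt) % BLOCK  # PKCS#5: N bytes of value N
    pt, out = pt + bytes([n]) * n, [iv]
    for i in range(0, len(pt), BLOCK):  # Ci = Ek(Pi xor Ci-1)
        out.append(feistel(key, _xor(pt[i:i + BLOCK], out[-1]), range(4)))
    return b"".join(out)  # IV followed by the ciphertext blocks

def cbc_decrypt(key, token):
    if len(token) < 2 * BLOCK or len(token) % BLOCK:
        raise ValueError("bad length")
    blks = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    pt = b"".join(_xor(feistel(key, c, range(3, -1, -1)), p)
                  for p, c in zip(blks, blks[1:]))
    n = pt[-1]
    if not 1 <= n <= BLOCK or pt[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return pt[:-n]

def vulnerable_handler(key, token):  # three distinguishable answers: the oracle
    try:
        value = cbc_decrypt(key, token)
    except ValueError:
        return "500 padding exception"
    return "200 OK" if value.startswith(b"BRIAN;") else "404 custom error"

def seal(key, mac_key, iv, pt):  # encrypt-then-MAC over IV + ciphertext
    body = cbc_encrypt(key, iv, pt)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def hardened_handler(key, mac_key, token):  # one answer for every failure
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return "400 invalid token"  # tampered input never reaches decryption
    return "200 OK" if vulnerable_handler(key, body) == "200 OK" else "400 invalid token"
```

With the tag verified first, a modified IV or ciphertext block is rejected before the padding is ever examined, so the response no longer depends on whether the padding happened to be valid.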


For more information on exploitation and usage of tools visit my site

http://Securitylearn.wordpress.com
