Padding Oracle Attacks. Satish B [email protected] 20/08/2011. Cryptography Attack. Agenda. Cryptography Basics Padding oracle attack Exploitation Padding oracle in .NET Tools Remedy. Cryptography Basics.
Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.
Stream Ciphers : Key supplied to encryption algorithm to get key stream Plain text is XOR with key stream to generate cipher text
1 0 = 1 P K = C
0 1 = 1 C P = K
Block Ciphers: Operates on fixed length group of bits or bytes (64 or 128 bit blocks) 128 bits of plain text is converted into 128 bits of cipher text Ex: AES
Block Cipher : Modes
ECB mode – Electronic code book mode
Encryption of the same plain text with the same key results in the same cipher text, which is a considerable threat to security.
CBC – cipher block chaining
Ci = Ek (Pi xor Ci-1)
Encryption of the same plain text with the same key results in different cipher text because of IV.
Each block of plaintext is XORed with the previous ciphertext block before being encrypted.
Each block of ciphertext is decrypted and XORed with the previous ciphertext block to obtain the plain text.
First block of ciphertext is decrypted and XORed with IV to obtain the plain text.
Block Ciphers – - Works on fixed size data
- Messages are in variety of length
- padding has introduced
- Final block padded before encryption
PKCS#5 standard - final block of plaintext is padded with N bytes of value N.
Client datavalue = BRIAN;12;1;
The application verifies whether the encrypted value is properly padded or not. When the application passed an encrypted value it responds with one of three ways:
Valid ciphertext (with proper padding) – Normal response Invalid ciphertext (improper padding) – Exception Valid ciphertext and decrypts to an invalid value – Custom error
oracle refers to a mechanism in cryptography that can be used to determine whether
a test has passed or failed.Pass and Fail conditions can be used to decrypt without key.
Decrypting without a keyValid cipher http://myapp/home.jsp? UID=7B216A634951170FF851D6CC68FC9537
Intermediary Byte ^ 0×3C == 0×01,Intermediary Byte == 0×3C ^ 0×01,Intermediary Byte == 0×3D
Plain text == Intermediarybyte 0×3D ^ corresponding IV byte 0F = = 02
Now crack the 7th byte and so on …
In the end it gives Intermediate value
Encrypting arbitrary values without key
XOR the plaintext value with intermediary value to get IV
Padding oracle attack allows to encrypt and decrypt data without the key.
valid cipher text decrypted to valid value
- proper response (200 ok)
valid cipher text decrypted to invalid value
- page not found or similar response (404)
Invalid cipher text
- padding error
If the application gives different errors in the above 3 cases, it is vulnerable and easy to exploit.
Why Is this working?
Before fix :http://website.com/application/WebResource.axd?d=jzjghMVYzFihd9Uhe_arpA2After fix:
For more information on exploitation and usage of tools visit my site