1 / 43

How to Submit a Fake Talk to a Con

How to Submit a Fake Talk to a Con. Not that Crowley guy. Step 1: Choose a Con. Small cons First year cons Cons run by guys with green hair. Step 2: Pick a talk. Doesn’t have to be your own Know your panelists EC-Council con? Use the word “cyber” as a noun AND a verb

thor
Download Presentation

How to Submit a Fake Talk to a Con

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. How to Submit a Fake Talk to a Con Not that Crowley guy

  2. Step 1: Choose a Con • Small cons • First year cons • Cons run by guys with green hair

  3. Step 2: Pick a talk • Doesn’t have to be your own • Know your panelists • EC-Council con? • Use the word “cyber” as a noun AND a verb • Super technical con? • Steal a real talk from another recent con • Make sure it sounds all ninja • Crypto talks are good, nobody knows crypto

  4. Step 3: CFP • Is there a demo? • Yes • Is this about a new vulnerability? • Yes • Are you releasing a tool or exploit? • Yes • Are you just saying all the things I want to hear? • Yes

  5. Step 4: Get out of presenting • Need an excuse! • Family emergency • Overused • Nobody will call you on it • Can’t stay at the con afterwards • Fake lawsuit • Pretend some vendor is angry • Get talking slot replaced by some other chump • Got chutzpah? • Give the talk anyway • If people don’t get it they’ll blame themselves

  6. Step 5: Party! • Cons usually give speakers • Free food • Free booze • Free swag • Usually just t shirts • Girlies love speaker badges • Speakers get into more parties

  7. Step 6: Reveal joke • LOL I TROL JOO

  8. Speaking with Cryptographic Oracles Daniel “unicornFurnace” Crowley Application Security Consultant, Trustwave - Spiderlabs

  9. A quick introduction and a few distinctions The Speaker and the Presentation

  10. The Speaker • Daniel Crowley • Web application security d00d • IANAC (I am not a cryptographer) • dcrowley@trustwave.com • @dan_crowley

  11. The Presentation Topic • Finding and exploiting: • Encryption Oracles • Decryption Oracles • Padding Oracles • With little to no cryptographic knowledge • More crypto knowledge, more useful attacks

  12. NOT the Presentation Topic • The Oracle • We are not being harvested for energy by robot overlords • Maybe • ORACLE • If you Google “<any crypto word> oracle” it’s all you find • Crypto g00r00s like Adi Shamir • While also awesome and totally related, not the topic

  13. Basic cryptographic terms, concepts and mistakes A Primer on Cryptographic Terms

  14. Very Basic Terms • Key • A variable used to permute the cipher • Initialization Vector (IV) • A second variable used to randomize the cipher • Plaintext • The data in readable form • Ciphertext • The data in unreadable form

  15. Stream vs. Block Ciphers Block Stream Encrypt one character at a time Key is used to generate pseudo-random numbers Those numbers are used to transform plaintext to ciphertext • Encrypt X characters at a time • X is the block size • Key is used to directly transform plaintext to ciphertext

  16. Very Basic Mistakes Flickr Creative Commons - Rosino • Using a keyless cipher • Completely insecure if cipher is ever discovered • Reusing keys and/or IVs • Makes Oracle attacks far more dangerous • IV reuse can seriously weaken stream ciphers • Think WEP • Leaking data from crypto operations • Foundation for Oracle attacks

  17. What is an Oracle? Picture by D Sharon Pruitt – Creative Commons A system which takes queries and provides answers • Queries might be • Plaintext • Ciphertext • Answers might be • Corresponding plaintext • Corresponding ciphertext • Info about operation • Sample from PRNG

  18. How to identify cryptographic Oracles From a black-box perspective Seek the Oracle

  19. General Methodology • Look for ciphertext • Ciphertext as input • Possible decryption/padding oracle • Ciphertext as output • Possible encryption oracle

  20. General Methodology • Fiddle about • Ciphertext input: Potential decryption or padding oracle • Provide modified ciphertext • Provide no ciphertext • Provide ciphertext from another part of application • Ciphertext output: Potential encryption oracle • Modify input and monitor ciphertext

  21. Identifying Ciphertext • Encrypted data is generally encoded • Base64 • ASCII hex • URL encoding • Other non-standard encodings • Decimal • UUEncode • BaseX • Decoded data is likely encrypted if seemingly random • Modification of values may result in decryption-related errors

  22. Decryption Oracles • Decrypted output may be • Reflected • Normal output • Error • May be given in later response • May be inferred from modified output • May be stored and not shown • Additional vulnerabilities may reveal output

  23. Decryption Oracles: An Example • Scenario • Consider “GetPage.php?file=<encrypted_stuff>” • Opens a file to be included based on encrypted input • Allows for quick page additions • Prevents file inclusion attacks…? • Assumes properly encrypted input is sanitary • Errors are verbose • Usage • Feed the script some ciphertext • Record the “file” the error tells you wasn’t found

  24. Encryption Oracles Flickr Creative Commons – Gideon van der Stelt • Determine point of entry • Mostly guess-work • Names help • Frequently encrypted data • Client-side state variables • Passwords • Financial data • Anything sufficiently sensitive • Often found in • Cookies • Hidden variables • Databases • File resident data

  25. Encryption Oracles: An Example • Scenario • Consider “auth” cookie, encrypted • Username + “:” + password_hash + “:” + timestamp • Assume usernames can’t contain “:” character • No delimiter injection  • Timestamp to control expiration • Usage • Register with any username, log in • Copy cookie value and replace any encrypted input with it • Can’t use colons or control suffix • Might not matter

  26. Padding Oracles • Input must be encrypted • Must be a padded block cipher • Valid vs. invalid padding is distinguishable • This is the essence of a padding Oracle • Modify ciphertext input, look for errors • Padding Oracles can SOMETIMES be used as decryption Oracles • Using the CBC-R technique they are also encryption Oracles • May be limited in that the first block will be garbled

  27. Breaking bad crypto and bad crypto usage Exploiting Cryptographic Oracles

  28. Converting One Oracle Into Another • Padding Oracles only tell you whether padding is valid • This information can sometimes be used to decrypt or encrypt • Decryption Oracles • Can sometimes be converted to an encryption Oracle using brute force • Encryption Oracles • Can sometimes be converted to decryption Oracles • Easier if algorithm is deterministic

  29. Attack 0: Crypto Recon Examples • Check for static key, IV, and deterministic cipher • Encrypt the same plaintext twice • Check to see if they are identical • Check for stream vs. block ciphers • Encrypt plaintexts of various sizes • Compare plaintext size to ciphertext size • Check for ECB block cipher mode • Encrypt repeating plaintext blocks • Look for repetitive ciphertext

  30. Attack 1: Bad Algorithms • Occasionally, people try to make their own algorithms • And they’re not cryptographers • And it doesn’t end well • Real homespun crypto seen in the wild: • Each character is replaced with a “random” but unique selection of two or three characters • Characters are separated by the letter “K” • “hello” might become “KqIKefKPrPKPrPKuJXK”

  31. Attack 1: Bad Algorithms • Is there substitution? • Submit “AAAA” : Get “KLoKLoKLoKLoK” • There is! • We can already see patterns, too • Is there transposition? • Submit “AABB” : Get “KLoKLoKaBeKaBeK” • No transposition • We can see more patterns • The “K” seems to be a delimeter • Substitution doesn’t change on position • One replacement per letter

  32. Attack 1: Bad Algorithms • Submit “BABA” : Get “KaBeKLoKaBeKLoK” • Exactly what we expected • Submit “abcdefghi…XYZ0123456789” : Get entire key! • We now submit one of every character in sequence • The Oracle tells us what each maps to

  33. Attack 1 and a half: Revenge of Bad Algorithms • Others use a simple xor operation to encrypt data Pxor B = C C xor B = P C xor P = B Wikimedia Commons - Herpderper

  34. Attack 1.75: Bride of Bad Algorithms • For some simple ciphers like xor • Encryption = Decryption • THUS • Encryption Oracle = Decryption Oracle • THUS • Such ciphers are made completely useless by leaking output • THUS • For God’s sake stop using xor

  35. Attack 1: Bad Algorithms • DEMO

  36. Attack 2: Trusted Encrypted Input • People tend to reuse keys and IVs • If we can encrypt arbitrary data in one place • It may work in another • If devs don’t think you can mess with input • They probably won’t sanitize it • Encrypted inputs with MAC aren’t totally tamper-proof

  37. Attack 2: Trusted Encrypted Input • Encrypted password with MAC in cookie • Checked against database on each request needing auth • Find encryption Oracle with the same keys & IV • Use encryption Oracle to encrypt ‘ or 1=1-- • Plug resulting value into cookie • Laugh all the way to the bank

  38. Attack 2: Trusted Encrypted Input • DEMO

  39. Attack 3: Let the client have it, it’s encrypted • Find a decryption Oracle • Find encrypted data • Decrypt that sucka • ????? • PROFIT!!! • This attack also relies on key/IV reuse

  40. Attack 3: Let the client have it, it’s encrypted • DEMO

  41. What encryption? • If you can find • An encryption Oracle • A decryption Oracle • You can encrypt or decrypt any data • As long as keys and IVs are reused • Algorithm doesn’t matter • Padding doesn’t matter • Cipher mode doesn’t matter • All encryption which uses the same key and IV is now useless

  42. How Can I Fix My Code? • Avoid giving away information about crypto operations • Output • Not always plausible • Success/Failure • Suppress or generalize errors • Timing • Make code take the same time to finish no matter what happens • Don’t reuse keys and IVs • Authenticate your crypto • Encrypt then MAC

  43. Questions? • Daniel Crowley • Trustwave– SpiderLabs • @dan_crowley • dcrowley@trustwave.com

More Related