Yurii Bilyk || 2014
SSL/POODLE: History Repeats Itself
AGENDA
XOR Function
Symmetric-Key Crypto Basics
Padding Oracle Attack details
POODLE Attack
LIVE. DIE. REPEAT.
History Repeats Itself
Secure Socket Layer (SSL/TLS)
Key Exchange: RSA, Diffie-Hellman, PSK
Authentication: RSA, DSA, ECDSA
Symmetric Cipher: RC4, IDEA, DES, 3DES, AES
Data Integrity: SHA, MD5, MD4 and MD2
SSL/TLS Vulnerabilities History (2002 to 2014)
2002: Padding Oracle Attack discovery
BEAST Attack discovery
CRIME & BREACH Attack discovery
2013: Lucky 13 Attack discovery
2014: POODLE Attack discovery
2014: Heartbleed
***IT happens
The issue is in the implementation of the crypto protocol/system
Not an issue in the cipher itself
Modern Cryptography (after the computer era)
One-Time Pad (OTP)
The plaintext is paired with a random, secret key (the pad) that is at least as long as the message
Each bit or character of the plaintext is encrypted by combining it with the corresponding bit or character of the pad using modular addition
Unbreakable One-Time Pad (OTP) requires that:
The key is truly random
The key is at least as long as the plaintext
The key is never reused in whole or in part, and is kept completely secret
Symmetric-Key Cryptography
One shared key
Block ciphers
Stream ciphers
Stream Cipher
Flood Is Coming
Stream Ciphers
A key stream (generated from the key) is used
The gamma (key stream) generator is pseudo-random with some period (bigger is better)
Works really fast (XOR the key stream with the message)
Bit-Flipping Attack
The attacker knows part of the plaintext and its position in the ciphertext (e.g. the amount of money)
That part can be changed without knowing the key (the nature of XOR)
Message Authentication Code (MAC)
Hash functions (MD5, SHA, etc.)
Integrity check for encrypted data
Used not only for encryption integrity checks (web form data validation, plaintext data, etc.)
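As an added illustration (not from the slides), the bit-flipping attack on a stream cipher and the MAC check that catches it; the SHA-256 counter-mode key stream, the keys, the message and the field offset are all constructed for this example.

```python
import hashlib
import hmac

def keystream(key: bytes, length: int) -> bytes:
    # Constructed toy key-stream generator (SHA-256 in counter mode): a stand-in
    # for a real stream cipher such as RC4, good enough to show the XOR property
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, msg: bytes) -> bytes:
    return xor(msg, keystream(key, len(msg)))

decrypt = encrypt  # XOR with the same key stream undoes itself

def flip_known_field(ct: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    # Bit-flipping: XOR the ciphertext with (known ^ wanted) at the known offset.
    # Needs no key, only the plaintext value and its position (the slides' "amount of money")
    delta = xor(known, wanted)
    end = offset + len(delta)
    return ct[:offset] + xor(ct[offset:end], delta) + ct[end:]

def mac(mac_key: bytes, ct: bytes) -> bytes:
    # Encrypt-then-MAC: the tag covers the ciphertext, so any flipped bit changes it
    return hmac.new(mac_key, ct, hashlib.sha256).digest()

def demo() -> tuple:
    enc_key, mac_key = b"constructed-enc-key", b"constructed-mac-key"  # constructed keys
    msg = b"transfer amount=0100 to=alice"  # constructed message
    ct = encrypt(enc_key, msg)
    tag = mac(mac_key, ct)
    # The attacker knows "0100" sits at offset 16 and rewrites it to "9900"
    forged = flip_known_field(ct, 16, b"0100", b"9900")
    tampered = decrypt(enc_key, forged)  # what a receiver without a MAC would accept
    mac_ok = hmac.compare_digest(mac(mac_key, forged), tag)  # the MAC check rejects it
    return tampered, mac_ok
```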
Block Cipher
Tetris Is Here
Block Ciphers
Fixed block size
Uses padding
Different modes (ECB, CBC, etc)
Electronic Codebook (ECB)
Each block is processed individually
Plain Text: M y V e r y S e c r e t T e x t
Encrypted:  L G l h 3 l a 1 X E K h X r A c
[Figure: the same PlainText image encrypted with AES-256-ECB and with AES-256-CBC]
Cipher Block Chaining (CBC)
Adds an initialization vector (IV)
More secure (by design)
Still vulnerable to the padding attack
IV:         1 2 3 4 5 6 7 8
Plain Text: M y V e r y S e c r e t T e x t
Encrypted:  L G l h 3 l a 1 X E K h X r A c
Padding Types
Bit Padding (add a 1 bit and then zeros)
Byte Padding (add bytes plus the padding length, add bytes whose value equals the padding length, etc.)
Mixed Padding (add a 1 bit and then bytes, e.g. MD5 padding)
Byte Padding examples (the 4 bytes "A B C D" padded to 8 bytes):
Zero Bytes Padding:               A B C D 0x00 0x00 0x00 0x00
Padding Length Bytes:             A B C D 0x04 0x04 0x04 0x04
0xFF Bytes + Padding Length Byte: A B C D 0xFF 0xFF 0xFF 0x03
Remember I'm offering you the truth. Nothing More.
Padding Oracle
Oracle: something that can prove or refute your assumptions
Padding: building blocks that make things the same size
Together: a nightmare of cryptography
Padding Oracle Nightmare
You don't need the KEY
Almost independent of the cipher algorithm (CBC mode)
Faster than a brute-force attack
XOR Magic
It's just magic
Exercise (Swap Variables)
int a = 5, b = 10;
a = a ^ b; // a = 15
b = a ^ b; // b = 5
a = a ^ b; // a = 10
The Magic XOR Rules
A ⊕ A = 0
A ⊕ 0 = A
A ⊕ B = B ⊕ A
(A ⊕ B) ⊕ C = A ⊕ (B ⊕ C)
Padding Oracle Attack: Details
Plain M2:        M y M S G 3 3 3
Encrypted C1:    L G l h 3 l a 1
Encrypted C2:    X E K h X r A c
Intermediate I2: I K 7 u F Q s b
M2 = C1 ⊕ I2
I2 = M2 ⊕ C1
We CAN change the resulting plaintext M2 by changing the encrypted message C1
Padding Oracle Attack: Last Byte
Plain M2:        M y M S G 3 3 D
Encrypted C1:    L G l h 3 l a A
Encrypted C2:    X E K h X r A B
Intermediate I2: I K 7 u F Q s C
where A = C1[8], B = C2[8], C = I2[8], D = M2[8]
1. Iterate a byte PP from 0x00 to 0xFF (the possible value of M2[8])
2. Set A = C1[8] ⊕ PP ⊕ 0x01
3. Ask the padding oracle whether the padding is correct (i.e. D = 0x01)
4. In case of correct padding we can calculate the last byte M2[8]:
• M2[8] = C1[8] ⊕ C
• Because C = D ⊕ A
• Then C = 0x01 ⊕ C1[8] ⊕ PP ⊕ 0x01
• We can simplify it to C = C1[8] ⊕ PP
• In this case M2[8] = C1[8] ⊕ C1[8] ⊕ PP
• And finally M2[8] = PP, voilà!
Padding Oracle Attack: Tools
POET – Apache MyFaces form padding oracle expl. tool http://netifera.com/research/
PadBuster – ASP.NET (not only) padding oracle expl. tool https://github.com/GDSSecurity/PadBuster
Bletchley – python based cryptography expl. multitool https://code.google.com/p/bletchley/
How-to Mitigate?
• Use a MAC together with encryption
• Don't show padding errors to the attacker
• Use another cipher mode (CFB, etc.)
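Added example, not from the slides: the last-byte recovery from the steps above run against a local toy padding oracle, beside the encrypt-then-MAC mitigation that leaves the oracle with nothing to reveal. The 4-round Feistel block cipher, keys, IV and message are constructed for the demonstration; the CBC chaining and the "padding length bytes" (PKCS#7 style) check are the generic logic the slides describe.

```python
import hashlib
import hmac

BLOCK = 8  # 8-byte blocks, as in the slides (C1[1..8])
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, half, rnd):  # round function of the toy cipher
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]
def block_encrypt(key, blk):
    # Constructed 4-round Feistel toy cipher (invertible, NOT secure): a stand-in for the real block cipher
    l, r = blk[:4], blk[4:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, r, rnd))
    return l + r
def block_decrypt(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, l, rnd)), l
    return l + r

def pad(msg):  # "padding length bytes" scheme from the slides (PKCS#7 style)
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n
def padding_ok(data):
    n = data[-1]
    return 1 <= n <= BLOCK and data[-n:] == bytes([n]) * n

def cbc_encrypt(key, iv, msg):
    out, prev, data = b"", iv, pad(msg)
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, xor(data[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt_raw(key, iv, ct):  # CBC decryption without the padding check
    chain = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(xor(block_decrypt(key, chain[i]), chain[i - 1]) for i in range(1, len(chain)))

def naive_oracle(key):
    # Answers "was the padding valid?": exactly the padding oracle the slides describe
    return lambda iv, ct: padding_ok(cbc_decrypt_raw(key, iv, ct))
def tag_for(mac_key, iv, ct):
    return hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
def hardened_oracle(key, mac_key, tag):
    # Encrypt-then-MAC: a tampered IV/ciphertext fails the tag check before padding is ever examined
    return lambda iv, ct: hmac.compare_digest(tag_for(mac_key, iv, ct), tag) and naive_oracle(key)(iv, ct)

def last_byte_candidates(oracle, c_prev, c_target):
    # Slides' steps: set A = C1[8] ^ PP ^ 0x01 for each PP; valid padding (D = 0x01) means M2[8] = PP
    return [pp for pp in range(256) if oracle(c_prev[:-1] + bytes([c_prev[-1] ^ pp ^ 0x01]), c_target)]
```

With the IV taking the role of C1 for the first block, the naive oracle accepts exactly one candidate (the real last byte), while the MAC-protected oracle accepts none.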
POODLE? Are you kidding!?
Dogs are men’s best friends
POODLE: Basic Info
Good old Padding Oracle
Present in ALL SSLv3 implementations (protocol design issue)
Wrong MAC usage
POODLE: Possible Exploitation
1. The attacker uses a MITM attack
2. The user has to send the same plaintext requests (e.g. GET requests triggered via XSS)
3. The attacker wants to steal the cookie (and knows the possible structure of the plaintext request)
How-to Mitigate?
• Disable SSLv3 on the server (web server, OpenSSL, etc.)
• Disable SSLv3 support on the client (web browser, library, etc.)
• Really, disable this old buggy SSLv3!
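An added check (not from the slides) for the server-side mitigation: constructed nginx fragments with the weak ssl_protocols setting beside the corrected one, and a small parser that flags a config still offering SSLv3.

```python
import re

# Constructed nginx fragments: the weak setting and its corrected form (not from the slides)
WEAK_NGINX = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # SSLv3 still offered: a MITM can force a downgrade to it
}
"""
FIXED_NGINX = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2 TLSv1.3;  # SSLv3 (and TLS 1.0/1.1) can no longer be negotiated
}
"""

def enabled_protocols(nginx_conf: str) -> list:
    # Every protocol named in an ssl_protocols directive, with trailing comments stripped
    protos = []
    for line in nginx_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"ssl_protocols\s+(.+?)\s*;", line)
        if m:
            protos.extend(m.group(1).split())
    return protos

def sslv3_enabled(nginx_conf: str) -> bool:
    # True when SSLv3 is explicitly listed. A config with no ssl_protocols line falls back to the
    # build's default, which older nginx versions set to include SSLv3, so treat a missing
    # directive as "check the nginx version", not as "safe".
    return "SSLv3" in enabled_protocols(nginx_conf)
```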
Outline
• Padding Oracle attack is still alive
• Usage of OLD protocols could cause a lot of security issues
• Disable SSLv3 in your products/environment
Thanks!
Yurii [email protected]