Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, OWASP, http://www.owasp.org. Padding Oracle Attacks. Satish B, Securitylearn.wordpress@gmail.com, 20/08/2011

Padding Oracle Attacks

Feb 02, 2016


boyd

Cryptography Attack.
Agenda: Cryptography Basics, Padding oracle attack, Exploitation, Padding oracle in .NET, Tools, Remedy
Transcript
Stream Ciphers:
The key is supplied to the encryption algorithm to generate a key stream
Plain text is XORed with the key stream to generate cipher text
Ex: RC4
Block Ciphers:
Operate on fixed-length groups of bits or bytes (64- or 128-bit blocks)
128 bits of plain text are converted into 128 bits of cipher text
Ex: AES
ECB mode – Electronic code book mode
Encryption of the same plain text with the same key results in the same cipher text, which is a considerable threat to security.
CBC – cipher block chaining
Encryption of the same plain text with the same key results in different cipher text because of the IV.
Each block of plaintext is XORed with the previous ciphertext block before being encrypted.
C_i = E_k(P_i xor C_{i-1})
Cryptography Basics
Each block of ciphertext is decrypted and XORed with the previous ciphertext block to obtain the plain text.
The first block of ciphertext is decrypted and XORed with the IV to obtain the plain text.
- Messages come in a variety of lengths
- Padding was introduced to handle this
- The final block is padded before encryption
PKCS#5 standard - the final block of plaintext is padded with N bytes of value N.
Got famous in 2010.
What is it?
It is possible to decrypt and encrypt data without the key in CBC mode.
Typical Scenario:
Brian logs into myapp.com
The server creates an encrypted string specific to Brian and sends it to him
Accessing any page in the application sends the encrypted value to the server
The server decrypts it and serves content based on the decrypted value
Ex:
858795A28ED4AAC6
The application verifies whether the encrypted value is properly padded or not.
When the application is passed an encrypted value, it responds in one of three ways:
Valid ciphertext (with proper padding) – Normal response
Invalid ciphertext (improper padding) – Exception
Valid ciphertext and decrypts to an invalid value – Custom error
Wrong padding can result in:
Error messages
Stack Traces
Time difference
Different responses
Padding oracle attack
Oracle refers to a mechanism in cryptography that can be used to determine whether a test has passed or failed.
The pass and fail conditions can be used to decrypt without the key.
Decrypting without a key
Intermediary Byte == 0x3D
Valid cipher
http://myapp/home.jsp?UID=7B216A634951170FF851D6CC68FC9537
Plain text == Intermediary byte 0x3D ^ corresponding IV byte 0F == 02
Now crack the 7th byte and so on …
In the end this gives the intermediate value
XOR the plaintext value with the intermediary value to get the IV
Summary
A padding oracle attack allows data to be encrypted and decrypted without the key.
Where is it applicable?
WebResource.axd
- proper response (200 ok)
Invalid cipher text
- padding error
If the application gives different errors in the above 3 cases, it is vulnerable and easy to exploit.
CBC mode only provides confidentiality.
Confidentiality does not ensure that the value has not been tampered with.
An integrity check has to be performed.
Solution
Implemented integrity check by adding hash to the encrypted value
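The remedy above as an added example (not from the original slides): the integrity tag is verified before any decryption, so the padding check can no longer act as an oracle. Assumptions: the "hash" is taken to be a keyed HMAC-SHA256, a toy Feistel block function stands in for AES so only the standard library is needed, and all function names are hypothetical.

```python
import hashlib, hmac, os

BLOCK = 8  # toy 64-bit block size; the toy cipher below stands in for AES

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _block(key, blk, decrypt=False):
    # 4-round Feistel network keyed via SHA-256: NOT a real cipher, illustration only
    l, r = blk[:4], blk[4:]
    for rnd in (range(3, -1, -1) if decrypt else range(4)):
        f = lambda half: hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]
        l, r = (_xor(r, f(l)), l) if decrypt else (r, _xor(l, f(r)))
    return l + r

def cbc_encrypt(key, plaintext):
    n = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([n]) * n            # PKCS#5: N bytes of value N
    out = os.urandom(BLOCK)                      # random IV is the first block
    for i in range(0, len(data), BLOCK):         # C_i = E_k(P_i xor C_{i-1})
        out += _block(key, _xor(data[i:i + BLOCK], out[-BLOCK:]))
    return out

def cbc_decrypt(key, token):
    if len(token) < 2 * BLOCK or len(token) % BLOCK:
        raise ValueError("bad length")
    blocks = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    data = b"".join(_xor(_block(key, c, True), p) for p, c in zip(blocks, blocks[1:]))
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")          # the distinguishable response that forms the oracle
    return data[:-n]

def seal(enc_key, mac_key, plaintext):
    body = cbc_encrypt(enc_key, plaintext)       # encrypt, then MAC the IV and ciphertext
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, token):
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("invalid token")        # one error for every tampered input
    return cbc_decrypt(enc_key, body)            # padding is only parsed on authentic data

def classify(fn, *args):
    try:
        fn(*args)
        return "ok"
    except ValueError as e:
        return str(e)
```

Calling `classify(cbc_decrypt, ...)` on modified ciphertexts yields different results depending on the padding, while `classify(open_sealed, ...)` returns the same "invalid token" for all of them.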
For more information on exploitation and usage of tools visit my site