Practical Padding Oracle Attacks

Jan 01, 2017

Transcript
Page 1: Practical Padding Oracle Attacks

Practical Padding Oracle Attacks

J. Rizzo T. Duong

Black Hat Europe, 2010

J. Rizzo, T. Duong Practical Padding Oracle Attacks

Page 2: Practical Padding Oracle Attacks

Outline

1. Introduction
   - Review of CBC Mode
   - Padding Oracle attacks

2. Finding Padding Oracles
   - Find potential padding oracles
   - Confirm the existence of padding oracles

3. Basic PO attacks
   - Cracking CAPTCHA
   - Decrypting JSF view states

4. Advanced PO attacks
   - Using PO to encrypt
   - Distributed cross-site PO attacks

Page 4: Practical Padding Oracle Attacks

CBC Mode

CBC mode is a mode of operation for a block cipher. It allows encryption of arbitrary-length data. Encryption and decryption are defined by:

Ci = eK(Pi ⊕ Ci−1)

Pi = dK(Ci) ⊕ Ci−1

Page 8: Practical Padding Oracle Attacks

CBC Mode Encryption and Decryption [diagram]

Page 9: Practical Padding Oracle Attacks

Bit Flipping in CBC Mode

Flipping bits in Ci−1 leads to controlled changes in Pi. Block Pi−1 is garbled.

Page 10: Practical Padding Oracle Attacks

Padding in CBC Mode

How should padding be added in CBC mode?

Numerous possibilities, including:

- Append a unique removable pattern (“10...0”, “012...b” or “bb...b”).
- Append or prepend length information in a field of fixed size, and pad the remaining bits in a fixed way (e.g. 0’s).

Padding can also be used to enhance security:

- Disguise the length of plaintexts.
- Prevent traffic analysis, or guessing based on plaintext length.

Page 14: Practical Padding Oracle Attacks

Padding in CBC Mode

Can padding have a negative impact on security?

Vaudenay (Eurocrypt 2002) showed that padding oracles and bit flipping can be used to build a decryption oracle for CBC mode.

Page 17: Practical Padding Oracle Attacks

Padding Oracle attacks

Two assumptions:

- Adversary can intercept padded messages encrypted in CBC mode.
- Adversary has access to a padding oracle.

What is a padding oracle?

- Adversary submits a CBC mode ciphertext C to oracle ð.
- Oracle decrypts under fixed key K and checks correctness of padding.
- Oracle outputs VALID or INVALID according to correctness of padding:

ð(C) = 0 if the padding is invalid, 1 if the padding is valid

Page 21: Practical Padding Oracle Attacks

Padding Oracle attacks

Last word decryption algorithm

1. pick a few random words r1, ..., rb, and take i = 0.
2. pick r = r1 r2 ... rb−1 (rb ⊕ i).
3. if ð(r|y) = 0 then increment i and go back to the previous step.
4. replace rb by rb ⊕ i.
5. for n = b down to 2:
   1. take r = r1 ... rb−n (rb−n+1 ⊕ 1) rb−n+2 ... rb
   2. if ð(r|y) = 0 then stop and output (rb−n+1 ⊕ n) ... (rb ⊕ n)
6. output rb ⊕ 1.

Page 28: Practical Padding Oracle Attacks

Finding potential padding oracles

- Blackbox testing.
- Google hacking.
- Source code auditing.

Page 33: Practical Padding Oracle Attacks

Confirm the existence of padding oracles: Determine the block size b

All padding oracle attacks need a correct b.

The most common block sizes are 8 and 16 bytes. Of course, we can use trial and error.

How to determine the block size

1. if len(C) % 16 = 8, then stop and output 8.
2. take y = C[−16:], i.e. y is the last sixteen bytes of C.
3. if ð(C|y) = 1, then stop and output 8.
4. output 16.

Page 39: Practical Padding Oracle Attacks

Confirm the existence of padding oracles

We want the target to reveal as many different reactions to the modified ciphertexts as possible.

The most important thing is to analyse and understand the meaning of these reactions. In short, you need to know when the padding is VALID, and when it’s INVALID.

POET a.k.a. Padding Oracle Exploitation Tool will be released right after BH Europe 2010.

Page 42: Practical Padding Oracle Attacks

Confirm the existence of padding oracles

Want to write your own tool to detect Padding Oracles? Follow this guideline (which is based on the algorithm in slide 22):

- determine the block size b.
- pick a few random words r1, ..., rb, and take i = 0.
- pick r = r1 r2 ... rb−1 (rb ⊕ i).
- Send r|y to the target, where y is a valid ciphertext block. Record the value of i, the content length, and the content type of the response. Increment i, and go back to step 2 until i > 255.

Now you have 256 responses. If all of them are the same, then the target is not easily showing you that it is vulnerable to Padding Oracle attack.

Otherwise, look at each value of i where the responses are different from the rest. Examine each response carefully to see what happened.
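Added worked example (not code from the slides or from POET): a local model of the setup on slides 4, 9, 17, 33 and 42, with a toy Feistel network standing in for eK/dK so it runs offline on the standard library alone. LeakyServer reacts like the CAPTCHA endpoint of slide 53 (a distinct response whenever padding is INVALID), HardenedServer shows the encrypt-then-MAC fix, detect_block_size is the slide 33 test and scan_last_block the slide 42 scan, grouping the 256 reactions so the two servers can be compared. The keys, the secret, the response strings and the class names are all constructed for this example.

```python
import hmac
import hashlib

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):
    # Keyed round function of a toy 4-round Feistel cipher (a stand-in for eK/dK, not a real cipher).
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:len(half)]

def e_k(key, block):
    L, R = block[:len(block) // 2], block[len(block) // 2:]
    for rnd in range(4):                              # eK: encrypt one 8- or 16-byte block
        L, R = R, xor(L, _f(key, R, rnd))
    return L + R

def d_k(key, block):
    L, R = block[:len(block) // 2], block[len(block) // 2:]
    for rnd in reversed(range(4)):                    # dK: the same rounds run backwards
        L, R = xor(R, _f(key, L, rnd)), L
    return L + R

def pad(data, b):
    n = b - len(data) % b
    return data + bytes([n]) * n

def unpad(data, b):
    # PKCS#7 check; its VALID/INVALID outcome is exactly what a padding oracle leaks.
    n = data[-1] if data else 0
    if len(data) % b or n < 1 or n > b or data[-n:] != bytes([n]) * n:
        raise ValueError("INVALID padding")
    return data[:-n]

def cbc_encrypt(key, iv, pt, b):
    out, prev = b"", iv
    for i in range(0, len(pt), b):
        prev = e_k(key, xor(pt[i:i + b], prev))       # Ci = eK(Pi xor Ci-1)
        out += prev
    return iv + out                                   # token = IV || C1 ... Cn

def cbc_decrypt(key, token, b):
    prev, out = token[:b], b""
    for i in range(b, len(token), b):
        out += xor(d_k(key, token[i:i + b]), prev)    # Pi = dK(Ci) xor Ci-1
        prev = token[i:i + b]
    return out

class LeakyServer:
    def __init__(self, key, b, secret):
        self.key, self.b, self.secret = key, b, secret
    def handle(self, token):
        # Decrypts whatever it receives and reports a padding failure distinctly.
        try:
            pt = unpad(cbc_decrypt(self.key, token, self.b), self.b)
        except ValueError:
            return "500 decryption error"             # padding INVALID
        return "200 ok" if pt == self.secret else "403 wrong code"   # padding VALID

class HardenedServer:
    def __init__(self, inner, mac_key):
        self.inner, self.mac_key = inner, mac_key
    def seal(self, token):
        # Encrypt-then-MAC: the tag covers IV and ciphertext, so no modified token is ever decrypted.
        return token + hmac.new(self.mac_key, token, hashlib.sha256).digest()
    def handle(self, token):
        body, tag = token[:-32], token[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.mac_key, body, hashlib.sha256).digest()):
            return "403 invalid token"                # one reaction for every tampered token
        return self.inner.handle(body)

def padding_oracle(server):
    # The oracle of slide 17: 0 when the reaction means INVALID padding, 1 otherwise.
    return lambda c: 0 if server.handle(c).startswith("500") else 1

def detect_block_size(oracle, C):
    # Slide 33: with b = 8 the appended copy of the last two blocks still ends in valid padding.
    if len(C) % 16 == 8:
        return 8
    return 8 if oracle(C + C[-16:]) == 1 else 16

def scan_last_block(handle, r, y):
    # Slide 42: send r|y for i = 0..255 and group the 256 reactions by their content.
    r, reactions = bytearray(r), {}
    for i in range(256):
        r[-1] ^= i                                    # r = r1 r2 ... rb-1 (rb xor i)
        reactions.setdefault(handle(bytes(r) + y), []).append(i)
        r[-1] ^= i
    return reactions

def demo(b):
    # Constructed key, MAC key and secret; the honest token is IV || one ciphertext block.
    key, mac_key, secret, r = b"k" * 16, b"m" * 16, b"7Q2X", b"\x11" * b
    token = cbc_encrypt(key, bytes(b), pad(secret, b), b)
    leaky = LeakyServer(key, b, secret)
    hard = HardenedServer(leaky, mac_key)
    return (detect_block_size(padding_oracle(leaky), token),
            scan_last_block(leaky.handle, r, token[-b:]),
            scan_last_block(hard.handle, r, token[-b:]))
```

demo(8) returns the block size the oracle reveals together with the grouped reactions of both servers; only the leaky one shows a second response class, at the single i that turns the last plaintext byte into 0x01.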

Page 49: Practical Padding Oracle Attacks

Cracking CAPTCHA

A broken CAPTCHA system

ERC = eK,IV(rand()).

...<img src="/captcha?token=ERC" />...

ERC is stored as either a hidden field or a cookie in the CAPTCHA form.

Once a user submits, the server decrypts ERC and compares it with the code that the user has entered. If equal, the server accepts the request; it denies the request otherwise.

Page 53: Practical Padding Oracle Attacks

Cracking CAPTCHA: Bypass the broken CAPTCHA system

Since the system decrypts any ERC sent to it, it is vulnerable to Padding Oracle attack.

The only remaining problem now is to know when padding is VALID, and when it’s not.

Fortunately, most CAPTCHA systems would send back an error notification when they fail to decrypt ERC, i.e. padding is INVALID.

In addition, when we modify ERC so that the padding is VALID, most systems would display an image with a broken code.

Now we have a Padding Oracle, and we can use it to decrypt any ERC, thus bypassing the CAPTCHA completely.

Page 58: Practical Padding Oracle Attacks

Cracking CAPTCHA
CAPTCHA with secret IV

Since P0 = IV ⊕ d_K(C0), we need to know the IV to get P0.

If the IV is secret, we cannot know P0, and thus cannot crack CAPTCHA systems whose P0 contains part of the random code.

The solution is: IV = Human ⊕ d_K(C0), where Human denotes that somebody reads P0 from the CAPTCHA image.

Page 62: Practical Padding Oracle Attacks

Decrypting JSF view states
Introduction

JavaServer Faces (JSF) is a popular Java-based standard for building server-side user interfaces.

Like ASP.NET, JSF stores the state of the view in a hidden field.

Although the JSF specification advises that view state should be encrypted and tamper-evident, no implementation follows that advice.

In other words, we can use Padding Oracle attacks to decrypt the view states of most JSF frameworks.

Page 66: Practical Padding Oracle Attacks

Decrypting JSF view states
Padding Oracle in JSF frameworks

By default, all JSF frameworks display a very detailed error message if they fail to decrypt a view state.

Padding Oracle in default installations of JSF frameworks
If we see javax.crypto.BadPaddingException, then it is INVALID padding; it is VALID padding otherwise.

Page 68: Practical Padding Oracle Attacks

Decrypting JSF view states
Apache MyFaces error-page

Page 69: Practical Padding Oracle Attacks

Decrypting JSF view states
Padding Oracle in JSF frameworks

Most JSF frameworks allow developers to turn off error messages. Then we can use the following simple trick:

Padding Oracle in JSF frameworks when the error page is turned off
Say we want to decrypt block Ci of an encrypted view state C0|C1|...|Cn−1; then we send C0|C1|...|Cn−1|Crandom|Ci to the target.

Since Java ignores those extra blocks while decrypting and deserializing view states, it is VALID padding if the target returns the same page as when the view state is unaltered.

And it is probably INVALID padding if we see something else, e.g. an HTTP 500 error message.

Page 73: Practical Padding Oracle Attacks

Using PO to encrypt
An introduction to CBC-R

CBC-R turns a decryption oracle into an encryption oracle.

We all know that CBC decryption works as follows:

Pi = d_K(Ci) ⊕ Ci−1

C0 = IV

We can use a Padding Oracle to get d_K(Ci), and we control Ci−1. In other words, we can produce any Pi we want.

Page 76: Practical Padding Oracle Attacks

Using PO to encrypt
How CBC-R works

CBC-R pseudocode

choose a plaintext message P0|...|Pn−1 that you want to encrypt.

pick a random Cn−1.

for i = n−1 down to 1: Ci−1 = Pi ⊕ d_K(Ci)

IV = P0 ⊕ d_K(C0)

output IV|C0|C1|...|Cn−1. This ciphertext decrypts to P0|...|Pn−1.

Page 81: Practical Padding Oracle Attacks

Using PO to encrypt
CBC-R Without Controlling IV

CBC-R allows us to encrypt any message, but if we cannot set the IV, then the first plaintext block P0 will be random and meaningless.

If the victim expects the decrypted message to start with a standard header, then it will ignore the forged message constructed by CBC-R.

We have not found a generic way to overcome this limitation. However, we have found workarounds for particular cases.

Page 84: Practical Padding Oracle Attacks

Using PO to encrypt
CBC-R Without Controlling IV

Using captured ciphertexts as prefix

Pvalid = d_K(Ccaptured | IVCBC−R | PCBC−R).

The block at the position of IVCBC−R is still garbled.

We can make the garbled block part of some string that does not affect the semantics of the message, such as a comment or a textbox label.

Page 87: Practical Padding Oracle Attacks

Using PO to encrypt
CBC-R Without Controlling IV

Brute-forcing C0

CBC-R can produce many different ciphertexts that decrypt to the same plaintext block chain Pn−1, ..., P1. The only difference is the first plaintext block, which is computed as follows:

P0 = d_K(C0) ⊕ IV

A valid header means that the first few bytes of P0 must match some magic numbers. There are also systems that accept a message if the first byte of its P0 matches its size.

If this is the case, and if the message is short enough, we can try our luck by brute-forcing C0.
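The CBC-R pseudocode, the "without controlling IV" limitation and the brute-forcing of C0 from the last three slides, carried through in Python as an added example that is not part of the original deck. One observation drives the construction: both CBC-R and the receiver's CBC decryption call only d_K, never e_K, so a keyed hash truncated to one block serves as a stand-in for the unknown block decryption without even needing to be invertible. `make_block_decryptor`, `cbc_r`, the `forge_*` functions, `seal`/`accepts`, the HMAC tag length and the sample JSON message are assumptions of this example; in a real attack each `oracle(C)` call stands for a full padding-oracle recovery of d_K(C), which is abstracted here as a direct call. The closing pair `seal`/`accepts` is the mitigation the deck's JSF section points at: an authenticated view state rejects any CBC-R output, because the forger cannot produce the tag.

```python
import hashlib
import hmac
import os

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def make_block_decryptor(key):
    # Stand-in for the victim's block decryption d_K (assumption). Both the receiver's
    # CBC decryption and CBC-R call only d_K, never e_K, so for this demonstration d_K
    # need not be invertible: a keyed hash truncated to one block behaves like an unknown d_K.
    return lambda c: hashlib.sha256(b"d_K|" + key + c).digest()[:BLOCK]

def cbc_decrypt(d_k, iv, ciphertext):
    # Receiver side, exactly the slides' equations: P_i = d_K(C_i) xor C_{i-1}, C_0 = IV.
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        out += xor(d_k(ciphertext[i:i + BLOCK]), prev)
        prev = ciphertext[i:i + BLOCK]
    return out

def pad(data):
    n = BLOCK - len(data) % BLOCK          # PKCS#7, so the forged plaintext also unpads cleanly
    return data + bytes([n]) * n

def cbc_r(oracle, plaintext):
    # The slide's pseudocode. `oracle(C)` returns d_K(C); in a real attack each call costs a
    # full padding-oracle block recovery, here it is a direct call to the stand-in.
    blocks = [plaintext[i:i + BLOCK] for i in range(0, len(plaintext), BLOCK)]
    n = len(blocks)
    c = [None] * n
    c[n - 1] = os.urandom(BLOCK)                       # pick a random C_{n-1}
    for i in range(n - 1, 0, -1):
        c[i - 1] = xor(blocks[i], oracle(c[i]))        # C_{i-1} = P_i xor d_K(C_i)
    iv = xor(blocks[0], oracle(c[0]))                  # IV = P_0 xor d_K(C_0)
    return iv, b"".join(c)

def forge_with_chosen_iv(d_k, message):
    # Attacker controls the IV: the receiver recovers the whole padded message.
    iv, ct = cbc_r(d_k, pad(message))
    return cbc_decrypt(d_k, iv, ct)

def forge_with_fixed_iv(d_k, message, server_iv):
    # "CBC-R without controlling IV": the receiver uses its own IV, so P_0 comes out as
    # garbage and only P_1 .. P_{n-1} carry the chosen content.
    _, ct = cbc_r(d_k, pad(message))
    return cbc_decrypt(d_k, server_iv, ct)

def forge_matching_first_byte(d_k, message, server_iv, want, max_tries=1 << 16):
    # "Brute-forcing C_0": P_0 = d_K(C_0) xor IV changes with every random C_{n-1}, so a
    # one-byte header constraint on P_0 is met after about 256 attempts on average.
    for tries in range(1, max_tries + 1):
        _, ct = cbc_r(d_k, pad(message))
        pt = cbc_decrypt(d_k, server_iv, ct)
        if pt[0] == want:
            return tries, pt
    return None

def seal(mac_key, iv, ct):
    # Mitigation: authenticate IV|C with an HMAC tag before it leaves the server.
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def accepts(mac_key, token):
    # A CBC-R forgery carries no valid tag, so it is rejected before any decryption.
    body, tag = token[:-32], token[-32:]
    return hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest())
```

With a 31-byte message, `forge_with_chosen_iv` returns the padded message exactly; `forge_with_fixed_iv` returns the same second block but a garbage first block, which is the header problem the slide describes; `forge_matching_first_byte(..., want=len(message))` models the "first byte matches its size" acceptance rule and reports how many random C_{n−1} it took. Every forged ciphertext fails `accepts`, which is why the fix for unauthenticated CBC tokens is integrity protection rather than hiding error messages.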

Page 90: Practical Padding Oracle Attacks

Using PO to encrypt
CBC-R Applications

sudo make me a CAPTCHA

Page 92: Practical Padding Oracle Attacks

Using PO to encrypt
CBC-R Applications

Creating malicious JSF view states
Which view states to create?

How to solve the garbled block problem?

Page 95: Practical Padding Oracle Attacks

Distributed cross-site PO attacks

All attackers need to exploit a Padding Oracle is a single bit of information.

Cross-domain information leakage bugs in web browsers can help.

One example: <img> + onerror()/onload() events.

If the image is loaded, then it is VALID padding; otherwise, it is INVALID padding.

Page 99: Practical Padding Oracle Attacks

Distributed cross-site PO attacks

We have decrypted all CAPTCHAs on a web site using only JavaScript hosted locally.

One can inject JavaScript code into popular web sites and turn this into a distributed attack.

It is possible to distributively build a code book.

Page 102: Practical Padding Oracle Attacks

Summary

Padding oracle attacks allow one to decrypt ciphertext without knowing the key.

We can use padding oracle attacks to crack CAPTCHAs, decrypt JSF view states, etc.

CBC-R turns a decryption oracle into an encryption oracle, and allows us to create malicious JSF view states.

Distributed cross-site padding oracle attacks allow one to distributively build a code book mapping all ciphertexts to their corresponding plaintexts.

Page 106: Practical Padding Oracle Attacks

Appendix: For Further Reading

For Further Reading I

J. Black and H. Urtubia. Side-Channel Attacks on Symmetric Encryption Schemes: The Case for Authenticated Encryption. In Proceedings of the 11th USENIX Security Symposium, San Francisco, CA, USA, August 5-9, 2002, pages 327–338. USENIX, 2002.

K. G. Paterson and A. Yau. Padding Oracle Attacks on the ISO CBC Mode Padding Standard. In T. Okamoto, editor, Topics in Cryptology — CT-RSA 2004, volume 2964 of Lecture Notes in Computer Science, pages 305–323. Springer-Verlag, 2004.

Page 107: Practical Padding Oracle Attacks

For Further Reading II

S. Vaudenay. Security Flaws Induced by CBC Padding — Applications to SSL, IPSEC, WTLS... In L. Knudsen, editor, Advances in Cryptology — EUROCRYPT 2002, volume 2332 of Lecture Notes in Computer Science, pages 534–545. Springer-Verlag, 2002.

B. Canvel, A. Hiltgen, S. Vaudenay, and M. Vuagnoux. Password Interception in a SSL/TLS Channel. In D. Boneh, editor, Advances in Cryptology — CRYPTO 2003, volume 2729 of Lecture Notes in Computer Science, pages 583–599. Springer-Verlag, 2003.

V. Klima and T. Rosa. Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format. Cryptology ePrint Archive, Report 2003/098, 2003.

Page 108: Practical Padding Oracle Attacks

For Further Reading III

A. K. L. Yau, K. G. Paterson, and C. J. Mitchell. Padding Oracle Attacks on CBC-Mode Encryption with Secret and Random IVs. In H. Gilbert and H. Handschuh, editors, Fast Software Encryption (FSE 2005), volume 3557 of Lecture Notes in Computer Science, pages 299–319. Springer-Verlag, 2005.
