Practical Crypto Attacks Against Web Applications
 

BSidesLondon 20th April 2011 - Justin Clarke (@connectjunkie)
----------------------------------------------------------------------
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited.
--- for more about Justin
http://www.gdssecurity.com

    Practical Crypto Attacks Against Web Applications: Presentation Transcript

    • Practical Crypto Attacks Against Web Applications, Justin Clarke
    • IANAC
      • Usage != security
      • Pentesting?
    • Confidentiality – Prevent the disclosure of information to unauthorized individuals or systems
      • Integrity – Ensure that data cannot be modified undetectably
      • Authenticity – Validate that a party is who they claim they are
    • Symmetric Crypto Attacks
      • ECB Mode Usage
      • Padding-Based Attacks
    • Secure Random Number Generation
    • Most block ciphers support multiple modes of operation
      • The most common modes are:
        • ECB – Electronic Code Book
        • CBC – Cipher Block Chaining
        • CFB – Cipher Feedback
        • OFB – Output Feedback
      • None provide integrity if used in isolation
    • Reason #1: ECB CONFIDENTIALITY
    • Reason #2
          UID:23909,Email:john@doe.com,NickName:JohnDoe2301,Role:3
    • Reason #2

      Original plaintext blocks and their ciphertext:

                    Block 1   Block 2   Block 3   Block 4   Block 5   Block 6   Block 7
                    UID:2390  9,Email:  john@doe  .com,Nic  kName:Jo  hnDoe230  1,Role:3
        CIPHERTEXT  9648dab1  22a1eaee  0f5a7a2a  86adfcf6  6adb7872  96bdc238  69e75f87
                    d7f285ac  db7aabbb  1f8de75f  17abcbcf  7ab9dd8e  5fa70ba2  cf74ab6d

        UID:23909,Email:john@doe.com,NickName:JohnDoe2301,Role:3

      Ciphertext blocks rearranged (Block 7 moved to follow Block 1):

                    Block 1   Block 7   Block 2   Block 3   Block 4   Block 5   Block 6
        CIPHERTEXT  9648dab1  69e75f87  22a1eaee  0f5a7a2a  86adfcf6  6adb7872  96bdc238
                    d7f285ac  cf74ab6d  db7aabbb  1f8de75f  17abcbcf  7ab9dd8e  5fa70ba2
                    UID:2390  1,Role:3  9,Email:  john@doe  .com,Nic  kName:Jo  hnDoe230

        UID:23901,Role:39,Email:john@doe.com,NickName:JohnDoe230
    • ECB Mode Attack
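The block reordering shown on the "Reason #2" slides can be reproduced offline. This is an added Python example, not code from the talk: it assumes a toy 8-byte Feistel cipher as a stand-in for a real block cipher and constructed keys, reuses the slide's plaintext, and shows that an HMAC computed over the ciphertext (the fix the talk recommends later) rejects the reordered token.

```python
import hashlib
import hmac

BS = 8                              # 8-byte blocks, as on the slides
KEY = b"constructed-enc-key"        # constructed demo keys, not from the talk
MAC_KEY = b"constructed-mac-key"
PT = b"UID:23909,Email:john@doe.com,NickName:JohnDoe2301,Role:3"
ORDER = [0, 6, 1, 2, 3, 4, 5]       # slide order: Block 1, 7, 2, 3, 4, 5, 6

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(rnd, half):
    # Round function of a toy 4-round Feistel cipher (stand-in for DES).
    return hmac.new(KEY, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def enc_block(blk):
    l, r = blk[:4], blk[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(rnd, r))
    return l + r

def dec_block(blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(rnd, l)), l
    return l + r

def ecb(fn, data):
    # ECB: every block is processed independently of its position.
    return b"".join(fn(data[i:i + BS]) for i in range(0, len(data), BS))

def reorder(ct, order):
    blocks = [ct[i:i + BS] for i in range(0, len(ct), BS)]
    return b"".join(blocks[i] for i in order)

def seal(pt):
    # Encrypt, then HMAC the ciphertext.
    ct = ecb(enc_block, pt)
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()

def open_sealed(token):
    ct, tag = token[:-32], token[-32:]
    expected = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                 # tampered: rejected before decryption
    return ecb(dec_block, ct)
```

The HMAC addresses Reason #2 only: identical plaintext blocks still produce identical ciphertext blocks under ECB, so Reason #1 remains.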
    • CBC CONFIDENTIALITY
    • Original Ciphertext: BLOCK 1 | BLOCK 2 | BLOCK 3
    • Block Swapping will result in data corruption: BLOCK 1 | BLOCK 3 | BLOCK 2
    • “Padding Oracle” Attack
      • Leverages byte flipping of ciphertext to generate invalid padding exceptions
      • Data can be decrypted (and encrypted too) without knowledge of the secret key
    • Assuming this scheme, then there are only 8 possible valid padding sequences:
      • 0x01
      • 0x02, 0x02
      • 0x03, 0x03, 0x03
      • 0x04, 0x04, 0x04, 0x04
      • 0x05, 0x05, 0x05, 0x05, 0x05
      • 0x06, 0x06, 0x06, 0x06, 0x06, 0x06
      • 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07
      • 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08
    • Is the key the correct size?
      • Invalid Key Exception
    • Is the value (bytes) an even block multiple?
      • Invalid Length Exception
    • Is the decrypted block properly padded?
      • Invalid Padding Exception (CRITICAL)
    • Return the value
    • [Diagram labels: Call this “Byte X”; call this “Byte Y”]
      Basic Premise:
      • A change of Byte X (ciphertext) will change Byte Y (plaintext)
      • There is a one-to-one correlation between Byte X values and Byte Y values
      • Exception is thrown if plain-text does not end with a valid padding sequence
    • Byte X == 0x00, Byte Y == ???
      Exception? YES
      • Byte Y is not valid padding
    • Byte X == 0x01, Byte Y == ???
      Exception? YES
      • Byte Y is not valid padding
    • Byte X == 0x02, Byte Y == ???
      Exception? YES
      • Byte Y IS valid padding (must be 0x01)
    • What does that tell us?
      • The altered byte value produced valid padding when XOR’ed with the intermediate value
      • IF A ^ B = C THEN A ^ C = B AND C ^ B = A
    • What does that tell us?
      • If the padding byte was 0x01:
        • Our Byte (0x02) ^ Intermediate Byte (??) == 0x01
        • Intermediate Byte == Our Byte (0x02) ^ 0x01
      • The plain-text value is the intermediate value XOR’ed with the prior ciphertext byte
    • Padding Oracle Attack
    • As we’ve seen, encrypted data (while kept private) is still susceptible to tampering
      [Diagram: Message, Encryption]
      • We need to ensure PRIVACY and INTEGRITY
    • Encrypt + Sign the Ciphertext
      [Diagram: Message, Encryption, SIGNATURE]
      • HMAC: Combines a cryptographic hash function with a secret key
        • Cannot be re-computed without the key
        • Verifies the integrity and authenticity of a message
    • Why not HMAC within the ciphertext?
      • Does not protect against side channel attacks during decryption
      • Padding Oracle Attack in .NET Framework
        • Discovered September 2010
        • Viewstate and Forms Authentication Cookies were affected even though an HMAC was included within the ciphertext
        • Tampering was only detected after decryption
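The Byte X / Byte Y walk-through and the point about where the HMAC sits can be checked with the CBC XOR step alone. This is an added Python example, not code from the talk; the intermediate value, the key and the sample plaintext are constructed, and the handler names are hypothetical. It compares a decryptor that reports padding failures with one that verifies an HMAC over the ciphertext before touching the padding.

```python
import hashlib
import hmac

BS = 8                                 # block size implied by the 8 padding sequences
MAC_KEY = b"constructed-mac-key"       # constructed demo key
# Constructed stand-in for the block cipher output (the "intermediate value")
# of the final ciphertext block; a client never sees it directly.
INTERMEDIATE = bytes.fromhex("3a91c4077be2d803")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def padding_ok(block):
    # Valid only if the last byte n is 0x01..0x08 and the last n bytes equal n.
    n = block[-1]
    return 1 <= n <= BS and block[-n:] == bytes([n]) * n

# Legitimate previous ciphertext block: decrypts to "le:3" + four 0x04 pad bytes.
LEGIT_PREV = xor(INTERMEDIATE, b"le:3" + b"\x04" * 4)
LEGIT_TAG = hmac.new(MAC_KEY, LEGIT_PREV, hashlib.sha256).digest()

def leaky_decrypt(prev_block):
    # CBC: plaintext = intermediate XOR previous ciphertext block.
    if not padding_ok(xor(INTERMEDIATE, prev_block)):
        return "padding error"         # distinguishable answer: this is the oracle
    return "ok"

def hardened_decrypt(prev_block, tag):
    # HMAC over the ciphertext is checked first; padding is never reached on tampering.
    expected = hmac.new(MAC_KEY, prev_block, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "invalid token"
    return leaky_decrypt(prev_block)

def accepted_bytes(handler):
    # Values of "Byte X" (last byte of the previous block) that are accepted.
    return [x for x in range(256)
            if handler(LEGIT_PREV[:-1] + bytes([x])) == "ok"]

LEAKY = accepted_bytes(leaky_decrypt)                                 # [0x02, 0x07]
HARDENED = accepted_bytes(lambda p: hardened_decrypt(p, LEGIT_TAG))   # [0x07]
```

The leaky handler accepts the forged value 0x02 as well as the untouched 0x07, which exposes the intermediate byte (0x02 ^ 0x01); the hardened handler accepts only the untouched byte and answers every modification identically.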
    • When do you need a random number?
      • Password Generator, Encryption Keys, Session Identifiers, etc…
    • How random is “random”?
      • Pseudo Random Number Generator vs. Cryptographically Secure Random Number Generator
    • Two common attacks against RNGs
      • Non-random Seed Values
      • Formula used to produce random numbers
    • What do you think this code will produce?

        // Generate First Series
        byte[] bytes1 = new byte[100];
        Random rnd1 = new Random();
        rnd1.NextBytes(bytes1);
        Console.WriteLine("First Series:");
        for (int ctr = bytes1.GetLowerBound(0); ctr <= bytes1.GetUpperBound(0); ctr++)
        {
            Console.Write("{0, 5}", bytes1[ctr]);
            if ((ctr + 1) % 10 == 0) Console.WriteLine();
        }

        // Generate Second Series
        byte[] bytes2 = new byte[100];
        Random rnd2 = new Random();
        rnd2.NextBytes(bytes2);
        Console.WriteLine("Second Series:");
        for (int ctr = bytes2.GetLowerBound(0); ctr <= bytes2.GetUpperBound(0); ctr++)
        {
            Console.Write("{0, 5}", bytes2[ctr]);
            if ((ctr + 1) % 10 == 0) Console.WriteLine();
        }
    • Output from the previous code (both series are identical)

        First Series:
           97  129  149   54   22  208  120  105   68  177
          113  214   30  172   74  218  116  230   89   18
           12  112  130  105  116  180  190  200  187  120
            7  198  233  158   58   51   50  170   98   23
           21    1  113   74  146  245   34  255   96   24
          232  255   23    9  167  240  255   44  194   98
           18  175  173  204  169  171  236  127  114   23
          167  202  132   65  253   11  254   56  214  127
          145  191  104  163  143    7  174  224  247   73
           52    6  231  255    5  101   83  165  160  231

        Second Series:
           97  129  149   54   22  208  120  105   68  177
          113  214   30  172   74  218  116  230   89   18
           12  112  130  105  116  180  190  200  187  120
            7  198  233  158   58   51   50  170   98   23
           21    1  113   74  146  245   34  255   96   24
          232  255   23    9  167  240  255   44  194   98
           18  175  173  204  169  171  236  127  114   23
          167  202  132   65  253   11  254   56  214  127
          145  191  104  163  143    7  174  224  247   73
           52    6  231  255    5  101   83  165  160  231
    • If you don’t seed the random number generator, it will automatically be seeded
      • With what?
        “By default, the parameterless constructor of the Random class uses the system clock to generate its seed value”
        http://msdn.microsoft.com/en-us/library/system.random.aspx
    • What if this code was in ResetPassword.aspx?

        StringBuilder password = new StringBuilder();
        // Define all upper and lower chars with special chars
        char[] lCase = new char[] {
            'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
            'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
            'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
            'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
            '!', '@', '#', '$', '%', '^', '&', '*', '(', ')', '-', '_' };
        int lCaseIndex = 0;
        // Parameterless constructor: the seed comes from the system clock
        Random rand = new Random();
        // Randomly select 12 characters from the values above
        for (int cnt = 0; cnt < 12; cnt++)
        {
            // The upper bound of Next() is exclusive, so pass the full length
            lCaseIndex = rand.Next(0, lCase.Length);
            password.Append(lCase[lCaseIndex]);
        }
        string newPassword = password.ToString();
    • Seed Race Condition Attack (Seed Racing)
      • Based on a research experiment conducted in 2008
      • 67,000 HTTP requests to a server with a random password generator similar to the one shown
      • Results: 208 unique passwords
        • 322 duplicated in one or more accounts
    • Is Java.Random any better?
      • Uses a Linear Congruential Formula for generating random data (LCG)
      [Figure: One Dimensional LCG Plot]
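The duplicate-password effect reported in the seed racing experiment follows directly from clock-based seeding. This is an added Python example, not code from the talk or the experiment: `random.Random(clock_tick)` stands in for the parameterless .NET `Random()` constructor, the request timing is a constructed workload, and the function names are hypothetical. It counts how many distinct passwords a burst of resets yields, next to the same generator backed by the OS CSPRNG.

```python
import random
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_letters + "!@#$%^&*()-_"   # the slide's 64 characters

def weak_password(clock_tick):
    # Like `new Random()` on the slide: the only seed material is the clock.
    rng = random.Random(clock_tick)
    return "".join(rng.choice(ALPHABET) for _ in range(12))

def strong_password():
    # OS CSPRNG; output is unrelated to the time of the request.
    return "".join(secrets.choice(ALPHABET) for _ in range(12))

def shared_passwords(issued):
    # Audit check: how many distinct passwords were given to 2+ accounts.
    return sum(1 for n in Counter(issued).values() if n > 1)

def simulate(n_requests, per_tick, base_tick=1303300000):
    # Constructed workload: `per_tick` reset requests arrive within one clock tick.
    ticks = [base_tick + i // per_tick for i in range(n_requests)]
    weak = [weak_password(t) for t in ticks]
    strong = [strong_password() for _ in ticks]
    return {
        "weak_unique": len(set(weak)),
        "weak_shared": shared_passwords(weak),
        "strong_unique": len(set(strong)),
        "strong_shared": shared_passwords(strong),
    }
```

Running `shared_passwords` over issued reset passwords in a test environment is a quick way to spot a generator that is seeded from the clock.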
    • Crypto is hard to get right
      • Lots of ways to make mistakes
      • When in doubt, ask an expert