Upcoming SlideShare
×

Hollywood style decryption

• 736 views

Hollywood style decryption - Rizki Wicaksono

Hollywood style decryption - Rizki Wicaksono

More in: Technology
• Comment goes here.
Are you sure you want to
Be the first to comment
Be the first to like this

Total Views
736
On Slideshare
0
From Embeds
0
Number of Embeds
1

Shares
87
0
Likes
0

No embeds

Report content

No notes for slide

Transcript

• 1. “Hollywood StyleDecryption”on Block Cipher-CBCRizki Wicaksono / ilmuHacking.com
• 2. Rizki Wicaksono•  Penetration tester•  Programming, application security, cryptography•  S1 Teknik Informatika ITB, ECSP, OSWP, ITIL-F•  ilmuHacking.com , facebook.com/ilmuHacking
• 4. Lets Watch SomeMovies
• 5. Resident Evil Breaking DoorKey Scene
• 6. Terminator 2 ATM PINCracking Scene
• 7. Wargame Launch CodeHacking Scene
• 8. The Matrix Beginning Scene
• 9. Bloodfist IV PasscodeBreaking Scene
• 10. Hollywood StyleDecryption withPadding Oracle Attack
• 11. Sample Real Attack
• 12. Morpheus: Let’s Go See theOracle
• 13. The Oracle
• 15. 1 Bit Information Leakage
• 18. Cipher Block Chaining
• 19. CBC Mode Encryption
• 20. CBC Mode Decryption
• 21. Malleability
• 22. Enough Talking, StartCracking!
• 23. Sample Case•  Decrypt this: 2D7850F447A90B87123B36A038A8682F•  Split into two 8 byte blocks:•  C1 = 2D7850F447A90B87•  C2 = 123B36A038A8682F•  Decrypt C2 first, send two block to oracle:•  One block + 123B36A038A8682F•  Decrypt one byte at a time (“hollywood style”) startingfrom the last byte
• 24. Decrypt Last Byte
• 25. Ask the Oracle•  A xor B = 01. Find A and B!•  Ask the Oracle:•  A xor 0 = 01 ?•  A xor 1 = 01 ?•  ….•  A xor 255 = 01 ?•  Oracle answer:•  Valid pad = Yes•  Invalid pad = No
• 26. Look for Valid Single Byte Pad
• 27. Valid Single Byte Pad Found!
• 28. Last Byte Decrypted
• 29. Last Byte = 0x86•  A xor B = 01. Find Aand B!•  Ask the Oracle:•  A xor 0x85 = 01 ?•  Oracle answer:•  Valid pad = Yes•  A must be 0x86
• 30. Decrypt 7th Byte
• 31. Decrypt 7th Byte
• 32. Look for Valid 2 Byte Pad
• 33. Valid 2 Byte Pad Found!
• 34. 7th Byte Decrypted
• 35. Decrypt 6th Byte
• 36. Decrypt 6th Byte
• 37. Valid 3 Byte Pad Found
• 38. 6th Byte Decrypted
• 39. Decrypt 5th Byte
• 40. Decrypt 5th Byte
• 41. Valid 4 Byte Pad Found
• 42. 5th Byte Decrypted
• 43. Decrypt 4th Byte
• 44. Decrypt 4th Byte
• 45. Look for Valid 5 Byte Pad
• 46. Valid 5 Byte Pad Found
• 47. 4th Byte Decrypted
• 48. Full Block Decrypted
• 49. C2 Block Decrypted
• 50. Case
• 51. The Oracle
• 52. Decryptor
• 53. Decryption Demo
• 54. Encrypt Fake Message
• 55. Encrypt without Knowing theKey•  You can make cipher text say whatever you wantwhen decrypted•  Property of CBC mode
• 56. P2 depends on C1
• 57. “KILL IT”
• 58. “KILL IT”
• 59. Encryption Procedure•  Encrypt: “BESOK PAGI SERANGAN UMUMIWO JIMA”•  Split plaintext into blocks:•  P1 = ‘BESOK PA’•  P2 = ‘GI SERAN’•  P3 = ‘GAN UMUM’•  P4 = ‘ IWO JIM’•  P5 = ‘A’+07+07+07+07+07+07+07
• 60. Encryption Procedure•  Choose C5 all-zeros•  Use padding oracle attack to find Decrypt(Ci)•  C4 = Decrypt(C5) XOR P5•  C3 = Decrypt(C4) XOR P4•  C2 = Decrypt(C3) XOR P3•  C1 = Decrypt(C2) XOR P2•  IV = Decrypt(C1) XOR P1
• 61. Encryption Demo
• 62. AuthenticatedEncryption
• 63. Authenticate before Decrypt•  Why we need to authenticate/verify encrypted message beforedecrypting it ? It’s already encrypted with shared secret key,after all.•  Imagine that only Alice and Bob know the key. If Bob coulddecrypt a cipher text with the secret key and get a clean andunderstandable plain text, then Bob know it only could beencrypted by Alice•  Many people have thought that, but they were wrong•  Without message authentication, active attacker could usepadding oracle attack to decrypt and also encrypt withoutknowing the key
• 64. Encryption and MAC•  Encryption provides confidentiality, it doesn’tprovide integrity and authenticity•  Don’t use encryption without messageauthentication•  Encrypt your message then calculate MAC•  Never decrypt message without checking MAC•  Decrypt only when ciphertext is MAC-authenticated