POODLE stands for Padding Oracle On Downgraded Legacy Encryption. It is an attack on SSL 3.0 that brings about the end of SSL. If you have any doubts about the presentation, feel free to contact me via email.
2. Introduction
• The Secure Socket Layer (SSL) protocol was designed to provide secure
transmission between two parties. This protocol became an industry
standard and was widely adopted by vendors in their products to give
a secure channel for data transmission.
• However, over time various vulnerabilities like Man-in-the-Middle
(MITM) attacks, the POODLE attack, etc. were discovered in the SSL
protocol, resulting in different versions of this protocol termed 1.0,
2.0, and 3.0. Because of this, a new standard named TLS was
developed, and it also has various versions, namely TLS 1.0, TLS 1.1
and TLS 1.2.
3. Introduction – Contd.
• Since SSL was so widely adopted, it would not have been economical to
replace all SSL products with TLS. Thus TLS has been made backward
compatible with SSL to provide a smooth user experience.
• Even if both client and server are TLS compatible, many clients perform a
protocol downgrade dance to avoid interoperability bugs. Because of this
behaviour a new vulnerability termed POODLE (Padding Oracle On
Downgraded Legacy Encryption) was discovered.
• Using this vulnerability, an attacker can steal bearer tokens such as HTTP
cookies.
4. What is POODLE Attack ?
• As stated in the previous slides, many TLS clients perform a protocol
downgrade dance to avoid interoperability bugs.
• This means that whenever a handshake starts, the highest protocol
version supported by the client is presented.
• If the server is not compatible with the protocol version presented by
the client, the handshake fails, and a later handshake succeeds with
the server indicating the best TLS/SSL version it can support.
• Here is the point.
5. Contd.
• If the network between the client and the server is controlled by an
attacker, then the attacker can impersonate both entities and cause the
connection to fall back to SSL 3.0. So the initial vector for this attack is
the protocol downgrade dance supported by clients.
• Once the channel between the entities has been moved down to SSL 3.0,
this vulnerability can be exploited.
• The vulnerability exploited is the well-known padding oracle attack.
• Since SSL authenticates (MACs) before encrypting, the padding is not
covered by the MAC; this design flaw in SSL has made this vulnerability
possible. The padding oracle attack is carried out against the CBC mode
ciphers in SSLv3.
7. Padding
• Padding adds the extra few bytes that are necessary before
encryption to fill a complete block.
• Here we are interested in the PKCS#5 padding scheme, as it is
used in CBC mode.
• In PKCS#5, the final block of plaintext is padded with N bytes, each of
value N.
9. Padding Oracle Attack
• In cryptography, an “oracle” is a system that performs cryptographic
operations on the input it is given.
• Hence a “padding oracle” is a system that takes encrypted data from
the user, decrypts it and reveals whether the padding is correct or
not.
• Let us now try to understand how this attack is performed.
10. Padding Oracle Attack
• Consider the URL below.
• https://www.example.com/home.asp?UID=8A219A434525535FF324D4G56FC95348
• Let us assume that some information (say the username) is sent in this
UID parameter in encrypted form, using CBC mode and the PKCS#5
standard. The application decrypts this value and returns a
response based on it.
11. Padding Oracle Attack
• Three scenarios are possible:
• Case 1) Valid ciphertext – valid, normal page
• Case 2) Invalid ciphertext [with improper padding] – invalid page
[such as 404 – Not Found]
• Case 3) Valid ciphertext but invalid padding – error
12. Padding Oracle Attack
• Case 1:
• Say you sent the value UID=8A219A434525535FF324D4G56FC95348 and it
decrypts to a valid user, “Shreyas”. Then the application would send a normal
response.
• Case 2:
• Say you sent the value UID=998877PA434525535FF324D4G56FC95348 and it
decrypts to “aswjkaja” (an invalid user). The application might respond with
a 404 message saying no such page exists.
13. Padding Oracle Attack
• Case 3:
• Say you sent the value UID=66IXS7IA434525535FF324D4G56FC95348 and it
decrypts to “Ravi” (a valid user) but with invalid padding. The application would
return some exception.
• Thus, if you can send different ciphertexts and find out whether they
decrypt to values with valid padding or not, then you can decrypt
any given ciphertext.
14. Padding Oracle Attack
• In CBC decryption, each ciphertext block is passed through the block
cipher, then XORed with the previous ciphertext block to give the
plaintext block.
• So if you take our above example, the ciphertext would first be split
into blocks as shown below.
• https://www.example.com/home.asp?UID=8A219A43|4525535F|F324D4G5|6FC95348
• Cipher blocks: 8A219A43 | 4525535F | F324D4G5 | 6FC95348
16. Padding Oracle Attack
• If the request is sent with the initial block set to all zeros, it would most
probably result in a 500, since it might not decrypt to any valid value.
• https://www.example.com/home.asp?UID=00000000|4525535F|F324D4G5|6FC95348
17. Padding Oracle Attack
• But now send the same request with the last byte of this initial
block set to 1.
• https://www.example.com/home.asp?UID=00000001|4525535F|F324D4G5|6FC95348
18. Padding Oracle Attack
• Although the server still returns the error message, the last byte
of the decrypted ciphertext has changed, since you sent 0x01 in the
request.
• Thus, if we keep repeating this step up to 0xFF, at some point we will
hit a value that produces a valid padding sequence.
• Only one value out of the 256 possibilities will produce a correct
padding byte.
• When you hit this value, you should get a different response
than for the other 255 requests.
20. Padding Oracle Attack
• From this, we can now calculate the intermediate value at this
position. Suppose the value that produced the valid padding was 0x3C:
we then know that the intermediate value, when XORed with 0x3C,
produces 0x01.
• If [ Intermediate Value ] ^ 0x3C = 0x01
• then 0x3C ^ 0x01 = Intermediate Value
• Hence, Intermediate Value = 0x3D
• Using this technique, we can work our way backwards through the
entire block until every byte of the intermediate value is
recovered; XORing it with the previous ciphertext block gives the
decrypted value one byte at a time.
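The following is an added example that is not part of the presentation. It implements, against a local toy CBC construction, the three things the slides describe: the PKCS#5 padding of slide 7, the padding oracle of slide 9, and the byte-by-byte intermediate-value recovery of slides 16 to 20. It then repeats the procedure against an encrypt-then-MAC variant to show why an authenticated ciphertext gives the oracle nothing to leak, which is the design flaw named on slide 5. The block cipher is a 4-round Feistel network with a SHA-256 round function (an assumption standing in for the real cipher; any bijection works for CBC), the 8-byte block size matches the 8-character blocks on the slides, and the keys, IV and the `cookie=Shreyas42` plaintext are constructed sample values. It also handles the one false-positive case the slides skip: a last-byte guess that happens to produce valid `0x02 0x02` padding instead of `0x01`.

```python
import hashlib
import hmac

BLOCK = 8    # toy block size (assumption: 8-byte blocks, matching the 8-character blocks on the slides)
ROUNDS = 4

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, half: bytes, r: int) -> bytes:
    # Feistel round function: keyed SHA-256 truncated to half a block
    return hashlib.sha256(key + bytes([r]) + half).digest()[: BLOCK // 2]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Toy Feistel block cipher (assumption); output halves are swapped so decryption reuses the loop
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round(key, r, i))
    return r + l

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[: BLOCK // 2], block[BLOCK // 2 :]
    for i in reversed(range(ROUNDS)):
        l, r = r, _xor(l, _round(key, r, i))
    return r + l

def pkcs5_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK            # 1..BLOCK bytes, each of value n (slide 7)
    return data + bytes([n]) * n

def pkcs5_unpad(data: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise ValueError("bad padding")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    prev, out = iv, b""
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    prev, out = iv, b""
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)   # P_i = D(C_i) XOR C_(i-1)
        prev = ct[i:i + BLOCK]
    return out

def leaky_oracle(key: bytes, prev: bytes, block: bytes) -> bool:
    # Slide 9: the server reveals whether the padding checks out (error page vs. normal page)
    try:
        pkcs5_unpad(cbc_decrypt(key, prev, block))
        return True
    except ValueError:
        return False

def mac_oracle(key: bytes, mac_key: bytes, prev: bytes, block: bytes, tag: bytes) -> bool:
    # Hardened form: encrypt-then-MAC over (prev || block); a tampered prev block fails the MAC
    expected = hmac.new(mac_key, prev + block, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False                         # rejected before the padding is ever examined
    return leaky_oracle(key, prev, block)

def recover_block(oracle, prev: bytes, target: bytes) -> bytes:
    # Slides 16-20: learn each intermediate byte by forging the preceding block, last byte first
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad = BLOCK - pos
        forged = bytearray(BLOCK)
        for k in range(pos + 1, BLOCK):
            forged[k] = inter[k] ^ pad       # already-known bytes are made to decrypt to `pad`
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pos == BLOCK - 1:
                # guard against a 0x02 0x02 false positive: perturb the byte before it and re-ask
                check = bytearray(forged)
                check[pos - 1] ^= 0xFF
                if not oracle(bytes(check), target):
                    continue
            inter[pos] = guess ^ pad         # Intermediate = guess XOR expected padding byte (slide 20)
            break
        else:
            raise RuntimeError("oracle never reported valid padding")
    return _xor(inter, prev)                 # plaintext = intermediate XOR previous ciphertext block

def demo() -> dict:
    key, mac_key, iv = b"constructed-key!", b"constructed-mac!", b"\x11" * BLOCK   # constructed values
    secret = pkcs5_pad(b"cookie=Shreyas42")  # constructed sample plaintext, 3 blocks once padded
    ct = cbc_encrypt(key, iv, secret)
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    # Unauthenticated CBC: every block is recovered with at most 256 oracle queries per byte
    recovered = b"".join(recover_block(lambda p, b: leaky_oracle(key, p, b), blocks[i - 1], blocks[i])
                         for i in range(1, len(blocks)))
    # Encrypt-then-MAC: same procedure, but the oracle rejects every forged block
    tag = hmac.new(mac_key, blocks[-2] + blocks[-1], hashlib.sha256).digest()
    try:
        with_mac = recover_block(lambda p, b: mac_oracle(key, mac_key, p, b, tag), blocks[-2], blocks[-1])
    except RuntimeError:
        with_mac = None
    return {"recovered": recovered, "recovered_with_mac": with_mac}

if __name__ == "__main__":
    print(demo())
```

`demo()` returns the full padded plaintext for the unauthenticated construction and `None` for the authenticated one: with the MAC covering the ciphertext, none of the 256 forged blocks ever reaches the padding check, so the "different response" of slide 18 never appears. That is the property SSL 3.0's MAC-then-encrypt order lacks, and the reason the fix on slide 28 is to stop negotiating SSL 3.0 rather than to patch the padding check.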
21. Padding Oracle Attack on SSL 3.0
• Let us take one example to understand how the padding oracle attack is
performed on SSL 3.0.
• Suppose a request contains sensitive data like HTTP cookies in one of
the blocks.
• That block is copied over the last block of the request, which is the
padding block.
• Then the padding oracle attack is carried out, and thus the sensitive
data can be revealed because of this vulnerability.
22. You can check whether your browser is vulnerable to POODLE Attack.
Go to the following website to check.
https://www.poodletest.com
28. Protection against POODLE Attack
• The only way to avoid this attack as of now is to disable or avoid using
SSL 3.0 and upgrade to TLS.
• For TLS clients and servers: TLS clients that do the protocol downgrade
dance should include TLS_FALLBACK_SCSV in
ClientHello.cipher_suites in any fallback handshake.
• This value indicates that a possible downgrade attack may be underway,
and the connection will be refused. A TLS server, on seeing
TLS_FALLBACK_SCSV in ClientHello.cipher_suites, checks the
SSL/TLS version stated by the client, and if the server supports a higher
version than the one offered, that connection is terminated.
29. TLS_FALLBACK_SCSV
• The TLS Fallback Signaling Cipher Suite Value (SCSV) prevents the downgrade
attack.
• TLS_FALLBACK_SCSV {0x56, 0x00}
• This is a signalling cipher suite value, i.e., it does not actually correspond to
a suite of cryptosystems, and it can never be selected by the server in the
handshake.
• If this value appears in the ClientHello.cipher_suites field and the
highest protocol version supported by the server is higher than that of the
client, then the server must respond with an inappropriate_fallback alert. This
is a fatal error.
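As an added example, not from the presentation or from any TLS library, the server-side decision described on slides 28 and 29 written out as a small function: parse the `cipher_suites` vector of a ClientHello (a 2-byte length followed by 2-byte suite values), and if TLS_FALLBACK_SCSV {0x56, 0x00} is present while the client's offered version is below the server's highest, answer with a fatal `inappropriate_fallback` alert. It also encodes the advice of slide 28 by refusing SSL 3.0 outright unless explicitly allowed; the `protocol_version` alert used for that case is the standard TLS alert for an unsupported version. The version constants and the sample ClientHello bytes are constructed for the example.

```python
from enum import IntEnum

TLS_FALLBACK_SCSV = 0x5600   # {0x56, 0x00}, the signalling suite from slide 29

class Version(IntEnum):
    SSL30 = 0x0300
    TLS10 = 0x0301
    TLS11 = 0x0302
    TLS12 = 0x0303

def parse_cipher_suites(raw: bytes) -> list:
    # ClientHello.cipher_suites: uint16 length (in bytes), then uint16 suite values
    length = int.from_bytes(raw[:2], "big")
    if length % 2 or len(raw) < 2 + length:
        raise ValueError("malformed cipher_suites vector")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(2, 2 + length, 2)]

def handle_client_hello(server_max: int, client_version: int, cipher_suites: list,
                        allow_ssl3: bool = False) -> tuple:
    """Return ("alert", name) for a fatal alert, or ("negotiate", Version) on success."""
    # Slide 29: SCSV present and the client offered less than we support => downgrade in progress
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max:
        return ("alert", "inappropriate_fallback")
    negotiated = min(client_version, server_max)
    # Slide 28: the real fix is to never negotiate SSL 3.0 at all
    if negotiated == Version.SSL30 and not allow_ssl3:
        return ("alert", "protocol_version")
    return ("negotiate", Version(negotiated))

def demo() -> list:
    # Constructed cipher_suites vector: length 4, suites 0x002F and TLS_FALLBACK_SCSV
    suites = parse_cipher_suites(bytes([0x00, 0x04, 0x00, 0x2F, 0x56, 0x00]))
    return [
        handle_client_hello(Version.TLS12, Version.TLS10, suites),   # fallback dance under attack
        handle_client_hello(Version.TLS12, Version.TLS12, suites),   # client genuinely at its max
        handle_client_hello(Version.TLS10, Version.TLS10, suites),   # old server, no downgrade
        handle_client_hello(Version.TLS12, Version.SSL30, [0x002F]), # SSL 3.0 with no SCSV at all
    ]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The second case matters in practice: a client that really does top out at TLS 1.2 may send the SCSV in a fallback retry, and the server must still accept it, because the check is "client offered less than I support", not "SCSV present".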