Daniel Crowley - Speaking with Cryptographic Oracles


Published on

When using cryptography, leaking data about crypto operations can expose the system to powerful attacks. Even if you're using unbroken algorithms, you may expose yourself to attacks which can completely bypass your use of crypto.

Published in: Technology, Education
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • The first step is to identify where encrypted user input occurs. From a black box perspective, we first need to identify all of the user inputs, then determine which of them may be encrypted,
  • Daniel Crowley - Speaking with Cryptographic Oracles

    1. 1. Speaking with Cryptographic Oracles<br />Daniel “unicornFurnace” Crowley<br />Application Security Consultant, Trustwave - Spiderlabs<br />
    2. 2. The Speaker and the Presentation<br />A quick introduction and a few distinctions<br />
    3. 3. The Speaker<br />Daniel Crowley<br />Web application security d00d<br />IANAC (I am not a cryptographer)<br />dcrowley@trustwave.com<br />@dan_crowley<br />
    4. 4. The Presentation Topic<br />Finding and exploiting:<br />Encryption Oracles<br />Decryption Oracles<br />Padding Oracles<br />With little to no cryptographic knowledge<br />More crypto knowledge, more useful attacks<br />
    5. 5. NOT the Presentation Topic<br />The Oracle<br />We are not being harvested for energy by robot overlords<br />Maybe<br />ORACLE<br />If you Google “<any crypto word> oracle” it’s all you find<br />Google, the Internet Oracle<br />While awesome, not what we’re talking about<br />
    6. 6. NOT the Presentation Topic<br />Crypto g00r00s like Adi Shamir<br />While also awesome and totally related, not the topic<br />New attacks on old crypto<br />Mistakes are easy enough to make in implementation<br />How Padding Oracle attacks work<br />Too much time to explain<br />Too many good resources<br />
    7. 7. DEFCON Drinking Game 0-day<br />APT iPad<br />APT China, cyber-war<br />Cloud mobile botnet<br />Cloud cloud Cyber-Twilight APT Sun Tzu<br />RSA HBGary botnet PCI SCADA in the cloud<br />Cyber-war?<br />LulzSec???<br />APT China cyber-war weeaboo, WikiLeaks mobile LulzSec.<br />
    8. 8. A Primer on Cryptographic Terms<br />Basic cryptographic terms, concepts and mistakes<br />
    9. 9. Very Basic Terms<br />Cipher<br />A system for scrambling and unscrambling data to protect it<br />Key<br />A variable used to permute the cipher<br />Initialization Vector (IV)<br />A second variable used to randomize the cipher<br />Plaintext <br />The data in readable form<br />Ciphertext<br />The data in unreadable form<br />Encryption<br />Turning something you can read into something you can’t<br />Decryption<br />Turning something you can’t read into something you can<br />
    10. 10. Stream and Block Ciphers<br />Block<br />Encrypt X characters at a time<br />X is the block size<br />Key is used to directly transform plaintext to ciphertext<br />Stream<br />Encrypt one character at a time<br />Key is used to generate pseudo-random numbers<br />Those numbers are used to transform plaintext to ciphertext<br />
    11. 11. Very Basic Mistakes<br />Using a keyless cipher<br />Completely insecure if cipher is ever discovered<br />Reusing keys and/or IVs<br />Makes Oracle attacks far more dangerous<br />IV reuse can seriously weaken stream ciphers<br />Think WEP<br />Leaking data from crypto operations<br />Foundation for Oracle attacks<br />Flickr Creative Commons - Rosino<br />
    12. 12. What is an Oracle?<br />A system which takes queries and provides answers<br />Queries might be<br />Plaintext<br />Ciphertext<br />Answers might be<br />Corresponding plaintext<br />Corresponding ciphertext<br />Info about operation<br />Sample from PRNG<br />Picture by D Sharon Pruitt – Creative Commons<br />
    13. 13. Seek the Oracle<br />How to identify cryptographic Oracles<br />From a black-box perspective<br />
    14. 14. Decryption Oracles: Identify Input<br />Identify where encrypted input occurs<br />Identify all points of user input<br />For Web apps: GET, POST, URL, Cookie, headers<br />Identify those which may be encrypted<br />Encrypted data is generally encoded<br />Base64<br />ASCII hex<br />URL encoding<br />Decoded data is likely encrypted if seemingly random<br />Modification of values may result in decryption-related errors<br />
    15. 15. Decryption Oracles: Find Decrypted Output<br />May be reflected<br />Normal output<br />Error<br />May be given in later response<br />May be inferred from modified output<br />May be stored and not shown<br />Additional vulnerabilities may reveal output<br />
    16. 16. Decryption Oracles: An Example<br />Scenario<br />Consider “GetPage.php?file=<encrypted_stuff>”<br />Opens a file to be included based on encrypted input<br />Allows for quick page additions<br />Prevents file inclusion attacks…?<br />Assumes properly encrypted input is sanitary<br />Errors are verbose<br />Usage<br />Feed the script some ciphertext<br />Record the “file” the error tells you wasn’t found<br />
    17. 17. Encryption Oracles: Find Encrypted Data<br />Often found in<br />Cookies<br />Hidden variables<br />Databases<br />File resident data<br />Flickr Creative Commons – Gideon van der Stelt<br />
    18. 18. Encryption Oracles: Determine Point of Entry<br />Frequently encrypted data<br />Client-side state variables<br />Passwords<br />Financial data<br />Anything sufficiently sensitive<br />Being encrypted is not enough<br />We need to be able to manipulate it<br />And see the ciphertext<br />
    19. 19. Encryption Oracles: An Example<br />Scenario<br />Consider “auth” cookie, encrypted<br />Username + “:” + password_hash + “:” + timestamp<br />Assume usernames can’t contain “:” character<br />No delimiter injection <br />Timestamp to control expiration<br />Usage<br />Register with any username, log in<br />Copy cookie value and replace any encrypted input with it<br />Can’t use colons or control suffix<br />Might not matter<br />
    20. 20. Padding Oracles<br />Input must be encrypted<br />Must be a padded block cipher<br />Valid vs. invalid padding is distinguishable<br />This is the essence of a padding Oracle<br />Padding Oracles can be used as decryption Oracles<br />Using the CBC-R technique they are also encryption Oracles<br />May be limited in that the first block will be garbled<br />
    21. 21. Exploiting Cryptographic Oracles<br />Breaking bad crypto and bad crypto usage<br />
    22. 22. Converting One Oracle Into Another<br />Padding Oracles only tell you whether padding is valid<br />This information can be used to decrypt data<br />In some circumstances, it can also be used to encrypt<br />Decryption Oracles<br />Can be converted to encryption Oracles using brute force<br />Far more effective with stream ciphers<br />Encryption Oracles<br />Can be converted to decryption Oracles using brute force<br />Again, more effective with stream ciphers<br />
    23. 23. Attack 0: Crypto Recon<br />Check for static key, IV, and deterministic cipher<br />Encrypt the same plaintext twice<br />Check to see if they are identical<br />Check for stream vs. block ciphers<br />Encrypt plaintexts of various sizes<br />Compare plaintext size to ciphertext size<br />Check for ECB block cipher mode<br />Encrypt repeating plaintext blocks<br />Look for repetitive ciphertext<br />Check for stream cipher feedback<br /><ul><li>Encrypt some arbitrary plaintext
    24. 24. Change the first byte
    25. 25. Observe whether the following bytes change</li></li></ul><li>Attack 1: Bad Algorithms<br /><ul><li>Occasionally, people try to make their own algorithms
    26. 26. And they’re not cryptographers
    27. 27. And it doesn’t end well</li></ul>Real homespun crypto seen in the wild:<br />“hello” might become “KqIKefKPrPKPrPKuJXK”<br />
    28. 28. Attack 1: Bad Algorithms<br />Is there substitution?<br />Submit “AAAA” : Get “KLoKLoKLoKLoK”<br /><ul><li>There is!
    29. 29. We can already see patterns, too</li></ul>Is there transposition?<br />Submit “AABB” : Get “KLoKLoKaBeKaBeK”<br /><ul><li>No transposition
    30. 30. We can see more patterns
    31. 31. The “K” seems to be a delimeter
    32. 32. Substitution doesn’t change on position
    33. 33. One replacement per letter</li></li></ul><li>Attack 1: Bad Algorithms<br />Submit “BABA” : Get “KaBeKLoKaBeKLoK”<br /><ul><li>Exactly what we expected</li></ul>Submit “abcdefghi…XYZ0123456789” : Get entire key!<br /><ul><li>We now submit one of every character in sequence
    34. 34. The Oracle tells us what each maps to</li></li></ul><li>Attack 1 and a half: Revenge of Bad Algorithms<br />Others use a simple xor operation to encrypt data<br />Pxor K = C<br />C xor K = P<br />C xor P = K<br />Wikimedia Commons - Herpderper<br />
    35. 35. Attack 1.75: Bride of Bad Algorithms<br />For some simple ciphers like xor<br />Encryption = Decryption<br />THUS<br />Encryption Oracle = Decryption Oracle<br />THUS<br />Such ciphers are made completely useless by leaking output<br />THUS<br />For God’s sake stop using xor<br />
    36. 36. Attack 1: Bad Algorithms<br />DEMO<br />
    37. 37. Attack 2: Trusted Encrypted Input<br />People tend to reuse keys and IVs<br />If we can encrypt arbitrary data in one place<br />It may work in another<br />If devs don’t think you can mess with input<br />They probably won’t sanitize it<br />Encrypted inputs with MAC aren’t totally tamper-proof<br />
    38. 38. Attack 2: Trusted Encrypted Input<br />Encrypted password with MAC in cookie<br />Checked against database on each request needing auth<br />Find encryption Oracle with the same keys & IV<br />Use encryption Oracle to encrypt ‘ or 1=1--<br />Plug resulting value into cookie<br />Laugh all the way to the bank<br />
    39. 39. Attack 2: Trusted Encrypted Input<br />DEMO<br />
    40. 40. Attack 3: Let the client have it, it’s encrypted<br />Find a decryption Oracle<br />Find encrypted data<br />Decrypt that sucka<br />?????<br />PROFIT!!!<br />This attack also relies on key/IV reuse<br />
    41. 41. Attack 3: Let the client have it, it’s encrypted<br />DEMO<br />
    42. 42. What encryption?<br />If you can find<br />An encryption Oracle<br />A decryption Oracle<br />You can encrypt or decrypt any data<br />As long as keys and IVs are reused<br />Algorithm doesn’t matter<br />Padding doesn’t matter<br />Cipher mode doesn’t matter<br />All encryption which uses the same key and IV is now useless<br />
    43. 43. How Can I Fix My Code?<br />Avoid giving away information about crypto operations<br />Output<br />Not always plausible<br />Success/Failure<br />Suppress or generalize errors<br />Timing<br />Make code take the same time to finish no matter what happens<br />Authenticate your crypto<br />Encrypt-then-MAC<br />MAC-then-Encrypt still allows for padding oracle attacks<br />
    44. 44. Questions?<br />Daniel Crowley<br />Trustwave– SpiderLabs<br />@dan_crowley<br />dcrowley@trustwave.com<br />