Practical Crypto Attacks Against Web Applications


BSidesLondon 20th April 2011 - Justin Clarke (@connectjunkie)
----------------------------------------------------------------------
This talk is intended to provide a high level overview of some of the areas where cryptographic operations such as encryption and hashing can provide far less security than was planned, and concrete examples of how these were found and exploited.
--- for more about Justin
http://www.gdssecurity.com


  1. Against Web Applications
     Justin Clarke
  2. • IANAC
     • Usage != security
     • Pentesting?
  3. • Confidentiality – Prevent the disclosure of information to unauthorized individuals or systems
     • Integrity – Ensure that data cannot be modified undetectably
     • Authenticity – Validate that a party is who they claim they are
  4. • Symmetric Crypto Attacks
         • ECB Mode Usage
         • Padding-Based Attacks
     • Secure Random Number Generation
  5. • Most block ciphers support multiple modes of operation
     • The most common modes are:
         • ECB – Electronic Code Book
         • CBC – Cipher Block Chaining
         • CFB – Cipher Feedback
         • OFB – Output Feedback
     • None provide integrity if used in isolation
  7. • Reason #1
     [Figure labels: ECB, CONFIDENTIALITY]
  8. • Reason #2
     UID:23909,Email:john@doe.com,NickName:JohnDoe2301,Role:3
  9. • Reason #2

         Block   Plaintext   Ciphertext
         1       UID:2390    9648dab1 d7f285ac
         2       9,Email:    22a1eaee db7aabbb
         3       john@doe    0f5a7a2a 1f8de75f
         4       .com,Nic    86adfcf6 17abcbcf
         5       kName:Jo    6adb7872 7ab9dd8e
         6       hnDoe230    96bdc238 5fa70ba2
         7       1,Role:3    69e75f87 cf74ab6d

     UID:23909,Email:john@doe.com,NickName:JohnDoe2301,Role:3
  10. • Reason #2 (slide 9 content, plus the ciphertext blocks in a new order)

         Block   Ciphertext
         1       9648dab1 d7f285ac
         7       69e75f87 cf74ab6d
         2       22a1eaee db7aabbb
         3       0f5a7a2a 1f8de75f
         4       86adfcf6 17abcbcf
         5       6adb7872 7ab9dd8e
         6       96bdc238 5fa70ba2
  11. • Reason #2 (slide 10 content, plus the plaintext of the reordered blocks)

         Block   Plaintext
         1       UID:2390
         7       1,Role:3
         2       9,Email:
         3       john@doe
         4       .com,Nic
         5       kName:Jo
         6       hnDoe230

     UID:23901,Role:39,Email:john@doe.com,NickName:JohnDoe230
  12. • Reason #2 (same text as slide 11)
  13. ECB Mode Attack
  15. [Figure labels: CBC, CONFIDENTIALITY]
  16. • Original Ciphertext
     BLOCK 1 | BLOCK 2 | BLOCK 3
  17. • Block Swapping will result in data corruption
     BLOCK 1 | BLOCK 3 | BLOCK 2
  18. • “Padding Oracle” Attack
         • Leverages byte flipping of ciphertext to generate invalid padding exceptions
         • Data can be decrypted (and encrypted too) without knowledge of the secret key
  20. • Assuming this scheme, then there are only 8 possible valid padding sequences:
         • 0x01
         • 0x02, 0x02
         • 0x03, 0x03, 0x03
         • 0x04, 0x04, 0x04, 0x04
         • 0x05, 0x05, 0x05, 0x05, 0x05
         • 0x06, 0x06, 0x06, 0x06, 0x06, 0x06
         • 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07
         • 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08
  22. • Is the key the correct size?
         • Invalid Key Exception
     • Is the value (bytes) an even block multiple?
         • Invalid Length Exception
     • Is the decrypted block properly padded?
         • Invalid Padding Exception (CRITICAL)
     • Return the value
  24. [Figure labels: Call this “Byte X”, Call this “Byte Y”]
     Basic Premise:
     • A change of Byte X (ciphertext) will change Byte Y (plaintext)
     • There is a one-to-one correlation between Byte X values and Byte Y values
     • Exception is thrown if plain-text does not end with a valid padding sequence
  25. Byte X == 0x00, Byte Y == ???
     Exception? YES
     • Byte Y is not valid padding
  26. Byte X == 0x01, Byte Y == ???
     Exception? YES
     • Byte Y is not valid padding
  27. Byte X == 0x02, Byte Y == ???
     Exception? YES
     • Byte Y IS valid padding (must be 0x01)
  28. • What does that tell us?
         • The altered byte value produced valid padding when XOR’ed with the intermediate value
     IF A ^ B = C THEN A ^ C = B AND C ^ B = A
  29. • What does that tell us?
         • If the padding byte was 0x01:
             • Our Byte (0x02) ^ Intermediate Byte (??) == 0x01
             • Intermediate Byte == Our Byte (0x02) ^ 0x01
         • The plain-text value is the intermediate value XOR’ed with the prior ciphertext byte
  30. Padding Oracle Attack
  31. • As we’ve seen, encrypted data (while kept private) is still susceptible to tampering
     [Diagram labels: Message, Encryption]
     • We need to ensure PRIVACY and INTEGRITY
  32. • Encrypt + Sign the Ciphertext
     [Diagram labels: Message, SIGNATURE, Encryption]
     • HMAC: Combines a cryptographic hash function with a secret key
     • Cannot be re-computed without the key
     • Verifies the integrity and authenticity of a message
  33. • Why not HMAC within the ciphertext?
         • Does not protect against side channel attacks during decryption
     • Padding Oracle Attack in .NET Framework
         • Discovered September 2010
         • Viewstate and Forms Authentication Cookies were affected even though an HMAC was included within the ciphertext
         • Tampering was only detected after decryption
  34. • When do you need a random number?
         • Password Generator, Encryption Keys, Session Identifiers, etc…
     • How random is “random”?
     Pseudo Random Number Generator vs. Cryptographically Secure Random Number Generator
  35. • Two common attacks against RNGs
         • Non-random Seed Values
         • Formula used to produce random numbers
  36. • What do you think this code will produce?

         // Generate First Series
         byte[] bytes1 = new byte[100];
         Random rnd1 = new Random();
         rnd1.NextBytes(bytes1);
         Console.WriteLine("First Series:");
         for (int ctr = bytes1.GetLowerBound(0); ctr <= bytes1.GetUpperBound(0); ctr++)
         {
             Console.Write("{0, 5}", bytes1[ctr]);
             if ((ctr + 1) % 10 == 0) Console.WriteLine();
         }

         // Generate Second Series
         byte[] bytes2 = new byte[100];
         Random rnd2 = new Random();
         rnd2.NextBytes(bytes2);
         Console.WriteLine("Second Series:");
         for (int ctr = bytes2.GetLowerBound(0); ctr <= bytes2.GetUpperBound(0); ctr++)
         {
             Console.Write("{0, 5}", bytes2[ctr]);
             if ((ctr + 1) % 10 == 0) Console.WriteLine();
         }

  37. • Output from the previous code

         First Series:
            97  129  149   54   22  208  120  105   68  177
           113  214   30  172   74  218  116  230   89   18
            12  112  130  105  116  180  190  200  187  120
             7  198  233  158   58   51   50  170   98   23
            21    1  113   74  146  245   34  255   96   24
           232  255   23    9  167  240  255   44  194   98
            18  175  173  204  169  171  236  127  114   23
           167  202  132   65  253   11  254   56  214  127
           145  191  104  163  143    7  174  224  247   73
            52    6  231  255    5  101   83  165  160  231
         Second Series:
            97  129  149   54   22  208  120  105   68  177
           113  214   30  172   74  218  116  230   89   18
            12  112  130  105  116  180  190  200  187  120
             7  198  233  158   58   51   50  170   98   23
            21    1  113   74  146  245   34  255   96   24
           232  255   23    9  167  240  255   44  194   98
            18  175  173  204  169  171  236  127  114   23
           167  202  132   65  253   11  254   56  214  127
           145  191  104  163  143    7  174  224  247   73
            52    6  231  255    5  101   83  165  160  231

     Both series are identical
  38. • If you don’t seed the random number generator, it will automatically be seeded
         • With what?
     “By default, the parameterless constructor of the Random class uses the system clock to generate its seed value”
     http://msdn.microsoft.com/en-us/library/system.random.aspx
  39. • What if this code was in ResetPassword.aspx?

         StringBuilder password = new StringBuilder();
         // Define all upper and lower chars with special chars
         char[] lCase = new char[] {
             'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
             'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
             'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
             'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
             '!', '@', '#', '$', '%', '^', '&', '*', '(', ')', '-', '_' };
         int lCaseIndex = 0;
         // Parameterless constructor: the seed comes from the system clock
         Random rand = new Random();
         // Randomly select 12 characters from the values above
         for (int cnt = 0; cnt < 12; cnt++)
         {
             // Next(min, max) excludes max, so pass Length to make the last character reachable
             lCaseIndex = rand.Next(0, lCase.Length);
             password.Append(lCase[lCaseIndex]);
         }
         string newPassword = password.ToString();

  40. • Seed Race Condition Attack (Seed Racing)
         • Based on a research experiment conducted in 2008
         • 67,000 HTTP requests to a server with a random password generator similar to the one shown
     • Results: 208 unique passwords
         • 322 duplicated in one or more accounts
  41. • Is Java.Random any better?
         • Uses a Linear Congruential Formula for generating random data (LCG)
     [Figure: One Dimensional LCG Plot]
  46. • Crypto is hard to get right
         • Lots of ways to make mistakes
     • When in doubt, ask an expert
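
Added example (not from the talk's slides): the block reordering shown on slides 9 to 12 and the "encrypt, then sign the ciphertext" fix from slides 31 to 33, in Python. The 8-byte Feistel cipher, the keys and all function names are constructed stand-ins so the block runs on the standard library alone; ECB is kept only to mirror the slides.

```python
import hashlib
import hmac

BLOCK = 8  # bytes per block, matching the 8-character blocks on the slides
ENC_KEY, MAC_KEY = b"constructed-enc-key", b"constructed-mac-key"  # sample keys
PLAINTEXT = b"UID:23909,Email:john@doe.com,NickName:JohnDoe2301,Role:3"
SWAP = [0, 6, 1, 2, 3, 4, 5]  # block order from slide 10 (zero-based)

def _f(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block(key, block, decrypt=False):
    # 4-round Feistel network: a stand-in for a real 64-bit block cipher.
    left, right = block[:4], block[4:]
    for rnd in (range(3, -1, -1) if decrypt else range(4)):
        mask = _f(key, rnd, left if decrypt else right)
        left, right = (_xor(right, mask), left) if decrypt else (right, _xor(left, mask))
    return left + right

def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb(key, data, decrypt=False):  # every block is processed independently
    return b"".join(toy_block(key, b, decrypt) for b in split(data))

def reorder(ciphertext, order):
    return b"".join(split(ciphertext)[i] for i in order)

def seal(plaintext):
    ct = ecb(ENC_KEY, plaintext)
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()  # MAC over ciphertext

def open_sealed(token):
    # Verify the MAC in constant time BEFORE any decryption or padding check runs.
    ct, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, ct, hashlib.sha256).digest()):
        raise ValueError("MAC check failed: ciphertext was modified")
    return ecb(ENC_KEY, ct, decrypt=True)

if __name__ == "__main__":
    print(ecb(ENC_KEY, reorder(ecb(ENC_KEY, PLAINTEXT), SWAP), decrypt=True))
    token = seal(PLAINTEXT)
    try:
        open_sealed(reorder(token[:-32], SWAP) + token[-32:])
    except ValueError as err:
        print(err)
```

Without the MAC the reordered ciphertext decrypts cleanly to the altered record from slide 11; with it, the same modification is rejected before the decryption routine is ever reached, which is the property slide 33 says an HMAC inside the ciphertext does not give.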
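
Added example (not code from the talk): a Python model of the clock-seeded password generator from slides 36 to 40 beside a CSPRNG-based replacement. `weak_password`, `strong_password` and `unique_passwords` are hypothetical names, the workload is constructed, and passing the clock tick in as the seed is an assumption standing in for .NET's parameterless `Random()` constructor.

```python
import random
import secrets
import string

# Same 64 characters as the array on slide 39.
ALPHABET = string.ascii_letters + "!@#$%^&*()-_"

def weak_password(clock_tick, length=12):
    # Assumption: models a PRNG whose only seed is the current clock tick.
    # Everything it outputs is a pure function of that tick.
    rng = random.Random(clock_tick)
    return "".join(ALPHABET[rng.randrange(len(ALPHABET))] for _ in range(length))

def strong_password(length=12):
    # secrets draws from the operating system's CSPRNG; there is no
    # application-visible seed to collide on or to guess.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def unique_passwords(requests, ticks, make):
    # Constructed workload: `requests` password resets arrive while the
    # clock advances through only `ticks` distinct values.
    return len({make(i * ticks // requests) for i in range(requests)})

if __name__ == "__main__":
    print("clock-seeded:", unique_passwords(1000, 10, weak_password), "unique of 1000")
    print("CSPRNG:      ", unique_passwords(1000, 10, lambda _tick: strong_password()),
          "unique of 1000")
```

Requests that land on the same tick receive the same password from the clock-seeded generator, which is the duplication pattern slide 40 reports; the count of unique values is a quick check to run against any token or password generator under concurrent load.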
