Upcoming SlideShare
×

# Hollywood style decryption

1,432 views

Published on

Hollywood style decryption - Rizki Wicaksono

Published in: Technology
0 Likes
Statistics
Notes
• Full Name
Comment goes here.

Are you sure you want to Yes No
• Be the first to comment

• Be the first to like this

Views
Total views
1,432
On SlideShare
0
From Embeds
0
Number of Embeds
7
Actions
Shares
0
108
0
Likes
0
Embeds 0
No embeds

No notes for slide

### Hollywood style decryption

1. 1. “Hollywood StyleDecryption”on Block Cipher-CBCRizki Wicaksono / ilmuHacking.com
2. 2. Rizki Wicaksono•  Penetration tester•  Programming, application security, cryptography•  S1 Teknik Informatika ITB, ECSP, OSWP, ITIL-F•  ilmuHacking.com , facebook.com/ilmuHacking
4. 4. Lets Watch SomeMovies
5. 5. Resident Evil Breaking DoorKey Scene
6. 6. Terminator 2 ATM PINCracking Scene
7. 7. Wargame Launch CodeHacking Scene
8. 8. The Matrix Beginning Scene
9. 9. Bloodfist IV PasscodeBreaking Scene
10. 10. Hollywood StyleDecryption withPadding Oracle Attack
11. 11. Sample Real Attack
12. 12. Morpheus: Let’s Go See theOracle
13. 13. The Oracle
15. 15. 1 Bit Information Leakage
18. 18. Cipher Block Chaining
19. 19. CBC Mode Encryption
20. 20. CBC Mode Decryption
21. 21. Malleability
22. 22. Enough Talking, StartCracking!
23. 23. Sample Case•  Decrypt this: 2D7850F447A90B87123B36A038A8682F•  Split into two 8 byte blocks:•  C1 = 2D7850F447A90B87•  C2 = 123B36A038A8682F•  Decrypt C2 first, send two block to oracle:•  One block + 123B36A038A8682F•  Decrypt one byte at a time (“hollywood style”) startingfrom the last byte
24. 24. Decrypt Last Byte
25. 25. Ask the Oracle•  A xor B = 01. Find A and B!•  Ask the Oracle:•  A xor 0 = 01 ?•  A xor 1 = 01 ?•  ….•  A xor 255 = 01 ?•  Oracle answer:•  Valid pad = Yes•  Invalid pad = No
26. 26. Look for Valid Single Byte Pad
27. 27. Valid Single Byte Pad Found!
28. 28. Last Byte Decrypted
29. 29. Last Byte = 0x86•  A xor B = 01. Find Aand B!•  Ask the Oracle:•  A xor 0x85 = 01 ?•  Oracle answer:•  Valid pad = Yes•  A must be 0x86
30. 30. Decrypt 7th Byte
31. 31. Decrypt 7th Byte
32. 32. Look for Valid 2 Byte Pad
33. 33. Valid 2 Byte Pad Found!
34. 34. 7th Byte Decrypted
35. 35. Decrypt 6th Byte
36. 36. Decrypt 6th Byte
37. 37. Valid 3 Byte Pad Found
38. 38. 6th Byte Decrypted
39. 39. Decrypt 5th Byte
40. 40. Decrypt 5th Byte
41. 41. Valid 4 Byte Pad Found
42. 42. 5th Byte Decrypted
43. 43. Decrypt 4th Byte
44. 44. Decrypt 4th Byte
45. 45. Look for Valid 5 Byte Pad
46. 46. Valid 5 Byte Pad Found
47. 47. 4th Byte Decrypted
48. 48. Full Block Decrypted
49. 49. C2 Block Decrypted
50. 50. Case
51. 51. The Oracle
52. 52. Decryptor
53. 53. Decryption Demo
54. 54. Encrypt Fake Message
55. 55. Encrypt without Knowing theKey•  You can make cipher text say whatever you wantwhen decrypted•  Property of CBC mode
56. 56. P2 depends on C1
57. 57. “KILL IT”
58. 58. “KILL IT”
59. 59. Encryption Procedure•  Encrypt: “BESOK PAGI SERANGAN UMUMIWO JIMA”•  Split plaintext into blocks:•  P1 = ‘BESOK PA’•  P2 = ‘GI SERAN’•  P3 = ‘GAN UMUM’•  P4 = ‘ IWO JIM’•  P5 = ‘A’+07+07+07+07+07+07+07
60. 60. Encryption Procedure•  Choose C5 all-zeros•  Use padding oracle attack to find Decrypt(Ci)•  C4 = Decrypt(C5) XOR P5•  C3 = Decrypt(C4) XOR P4•  C2 = Decrypt(C3) XOR P3•  C1 = Decrypt(C2) XOR P2•  IV = Decrypt(C1) XOR P1
61. 61. Encryption Demo
62. 62. AuthenticatedEncryption
63. 63. Authenticate before Decrypt•  Why we need to authenticate/verify encrypted message beforedecrypting it ? It’s already encrypted with shared secret key,after all.•  Imagine that only Alice and Bob know the key. If Bob coulddecrypt a cipher text with the secret key and get a clean andunderstandable plain text, then Bob know it only could beencrypted by Alice•  Many people have thought that, but they were wrong•  Without message authentication, active attacker could usepadding oracle attack to decrypt and also encrypt withoutknowing the key
64. 64. Encryption and MAC•  Encryption provides confidentiality, it doesn’tprovide integrity and authenticity•  Don’t use encryption without messageauthentication•  Encrypt your message then calculate MAC•  Never decrypt message without checking MAC•  Decrypt only when ciphertext is MAC-authenticated