Hollywood style decryption - Rizki Wicaksono

  1. “Hollywood Style Decryption” on Block Cipher-CBC
     Rizki Wicaksono / ilmuHacking.com
  2. Rizki Wicaksono
     • Penetration tester
     • Programming, application security, cryptography
     • Bachelor's degree (S1) in Informatics Engineering, ITB; ECSP, OSWP, ITIL-F
     • ilmuHacking.com, facebook.com/ilmuHacking
  3. Hollywood Style Password Cracking
  4. Let's Watch Some Movies
  5. Resident Evil Breaking Door Key Scene
  6. Terminator 2 ATM PIN Cracking Scene
  7. WarGames Launch Code Hacking Scene
  8. The Matrix Beginning Scene
  9. Bloodfist IV Passcode Breaking Scene
  10. Hollywood Style Decryption with Padding Oracle Attack
  11. Sample Real Attack
  12. Morpheus: Let’s Go See the Oracle
  13. The Oracle
  14. Padding Oracle: Valid/Invalid Pad
  15. 1 Bit Information Leakage
  16. PKCS#7 Valid Padding
  17. PKCS#7 Invalid Padding
  18. Cipher Block Chaining
  19. CBC Mode Encryption
  20. CBC Mode Decryption
  21. Malleability
  22. Enough Talking, Start Cracking!
  23. Sample Case
     • Decrypt this: 2D7850F447A90B87123B36A038A8682F
     • Split into two 8-byte blocks:
       • C1 = 2D7850F447A90B87
       • C2 = 123B36A038A8682F
     • Decrypt C2 first; send two blocks to the oracle:
       • One block + 123B36A038A8682F
     • Decrypt one byte at a time (“Hollywood style”), starting from the last byte
  24. Decrypt Last Byte
  25. Ask the Oracle
     • A xor B = 01. Find A and B!
     • Ask the Oracle:
       • A xor 0 = 01 ?
       • A xor 1 = 01 ?
       • ….
       • A xor 255 = 01 ?
     • Oracle answer:
       • Valid pad = Yes
       • Invalid pad = No
  26. Look for Valid Single Byte Pad
  27. Valid Single Byte Pad Found!
  28. Last Byte Decrypted
  29. Last Byte = 0x86
     • A xor B = 01. Find A and B!
     • Ask the Oracle:
       • A xor 0x85 = 01 ?
     • Oracle answer:
       • Valid pad = Yes
     • A must be 0x86
  30. Decrypt 7th Byte
  31. Decrypt 7th Byte
  32. Look for Valid 2 Byte Pad
  33. Valid 2 Byte Pad Found!
  34. 7th Byte Decrypted
  35. Decrypt 6th Byte
  36. Decrypt 6th Byte
  37. Valid 3 Byte Pad Found
  38. 6th Byte Decrypted
  39. Decrypt 5th Byte
  40. Decrypt 5th Byte
  41. Valid 4 Byte Pad Found
  42. 5th Byte Decrypted
  43. Decrypt 4th Byte
  44. Decrypt 4th Byte
  45. Look for Valid 5 Byte Pad
  46. Valid 5 Byte Pad Found
  47. 4th Byte Decrypted
  48. Full Block Decrypted
  49. C2 Block Decrypted
  50. Case
  51. The Oracle
  52. Decryptor
  53. Decryption Demo
  54. Encrypt Fake Message
  55. Encrypt without Knowing the Key
     • You can make cipher text say whatever you want when decrypted
     • Property of CBC mode
  56. P2 depends on C1
  57. “KILL IT”
  58. “KILL IT”
  59. Encryption Procedure
     • Encrypt: “BESOK PAGI SERANGAN UMUM IWO JIMA”
     • Split plaintext into blocks:
       • P1 = ‘BESOK PA’
       • P2 = ‘GI SERAN’
       • P3 = ‘GAN UMUM’
       • P4 = ‘ IWO JIM’
       • P5 = ‘A’+07+07+07+07+07+07+07
  60. Encryption Procedure
     • Choose C5 all-zeros
     • Use padding oracle attack to find Decrypt(Ci)
     • C4 = Decrypt(C5) XOR P5
     • C3 = Decrypt(C4) XOR P4
     • C2 = Decrypt(C3) XOR P3
     • C1 = Decrypt(C2) XOR P2
     • IV = Decrypt(C1) XOR P1
  61. Encryption Demo
  62. Authenticated Encryption
  63. Authenticate before Decrypt
     • Why do we need to authenticate/verify an encrypted message before decrypting it? It’s already encrypted with a shared secret key, after all.
     • Imagine that only Alice and Bob know the key. If Bob can decrypt a cipher text with the secret key and get a clean and understandable plain text, then Bob knows it could only have been encrypted by Alice
     • Many people have thought that, but they were wrong
     • Without message authentication, an active attacker can use a padding oracle attack to decrypt and also encrypt without knowing the key
  64. Encryption and MAC
     • Encryption provides confidentiality; it doesn’t provide integrity and authenticity
     • Don’t use encryption without message authentication
     • Encrypt your message, then calculate the MAC
     • Never decrypt a message without checking the MAC
     • Decrypt only when the ciphertext is MAC-authenticated
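
The one-bit leak from slides 14-17 and the fix from slides 63-64, side by side, as an added example that is not taken from the slides: a receiver that decrypts CBC directly gives two distinguishable answers to altered ciphertext, while one that checks a MAC first gives a single answer. The 8-byte Feistel cipher is a toy stand-in for a real block cipher, and all function names are hypothetical.

```python
import hashlib, hmac, os

BLOCK = 8  # 8-byte blocks, as in the slides' sample case

def _xor(a, b):  # zip() truncates to the shorter input
    return bytes(x ^ y for x, y in zip(a, b))

def block(key, b, decrypt=False):  # toy 4-round Feistel cipher, an assumption
    l, r = (b[4:], b[:4]) if decrypt else (b[:4], b[4:])
    for i in (range(3, -1, -1) if decrypt else range(4)):
        l, r = r, _xor(l, hashlib.sha256(key + bytes([i]) + r).digest())
    return r + l if decrypt else l + r

def cbc_encrypt(key, pt):
    n = BLOCK - len(pt) % BLOCK
    pt += bytes([n]) * n            # PKCS#7 padding
    out = os.urandom(BLOCK)         # random IV, sent as the first block
    for i in range(0, len(pt), BLOCK):
        out += block(key, _xor(pt[i:i + BLOCK], out[-BLOCK:]))
    return out

def cbc_decrypt(key, ct):  # unauthenticated: the padding verdict is visible
    if len(ct) < 2 * BLOCK or len(ct) % BLOCK:
        raise ValueError("bad length")
    pt = b"".join(_xor(block(key, ct[i:i + BLOCK], True), ct[i - BLOCK:i])
                  for i in range(BLOCK, len(ct), BLOCK))
    n = pt[-1]
    if not 1 <= n <= BLOCK or pt[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return pt[:-n]

def seal(ek, mk, pt):  # encrypt, then MAC the IV and ciphertext
    ct = cbc_encrypt(ek, pt)
    return ct + hmac.new(mk, ct, hashlib.sha256).digest()

def open_sealed(ek, mk, blob):  # check the MAC first, decrypt only on a match
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC")
    return cbc_decrypt(ek, ct)

def responses(decrypt, blob, pos):  # outcomes when byte pos is altered 255 ways
    seen = set()
    for v in range(1, 256):
        try:
            decrypt(blob[:pos] + bytes([blob[pos] ^ v]) + blob[pos + 1:])
            seen.add("accepted")
        except ValueError as e:
            seen.add(str(e))
    return seen
```

In production code the same property comes from a vetted AEAD mode such as AES-GCM, or from HMAC over IV and ciphertext with a separate MAC key, rather than a hand-built cipher.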
