1. POODLE
This POODLE Bites: Exploiting The
SSL 3.0 Fallback
Bodo Möller, Thai Duong, Krzysztof Kotowicz
Presented By:
Samit Anwer
2. Padding Oracle On Downgraded Legacy Encryption
• If an attacker interferes with a handshake offering TLS 1.0 or later, clients will downgrade to SSL 3.0
• Encryption in SSL 3.0 uses either the RC4 stream cipher or a block cipher (AES/DES) in CBC mode
• We will use AES in CBC mode of operation as the running example
• Assumption:
• the attacker can modify network transmissions between client and server
3. Attack Scenario
• Attacker sends a link to the victim (http://evil.com)
• When the victim visits the link, the JavaScript embedded on evil.com starts making cookie-bearing requests to https://example.com
• An HTTP request looks like:
POST /path Cookie: name=value...\r\n\r\n body
• The attacker can MITM the encrypted traffic, and the attacker controls the data in “path” and “body”.
4. Cipher Block Chaining Encryption
POST /path Cookie: name=value...\r\n\r\nbody ‖ 20-byte MAC ‖ padding
(Figure: CBC encryption of plaintext blocks P1 ... Pn into ciphertext blocks C1 ... Cn)
Ci = EK(Pi ⊕ Ci-1)
C0 = IV
AES block size is 16 bytes
DES block size is 8 bytes
5. Cipher Block Chaining Decryption
POST /path Cookie: name=value...\r\n\r\nbody ‖ 20-byte MAC ‖ padding
(Figure: CBC decryption of ciphertext blocks C1 ... Cn back into plaintext blocks P1 ... Pn)
Pi = DK(Ci) ⊕ Ci-1
C0 = IV
6. The attack
POST /path Cookie: sessionid=value...\r\n\r\nbody ‖ 20-byte MAC ‖ padding
Padding of 1 to L bytes (where L is the block size in bytes) is added before performing blockwise CBC encryption.
The attacker controls the request path and request body and hence can forge requests such that:
1. The padding fills an entire block (encrypted into Cn).
2. The cookie’s first (as yet unknown) byte appears as the final byte in an earlier block (which gets encrypted into Ci).
• The attacker replaces Cn by any earlier ciphertext block Ci
• the ciphertext will be accepted if DK(Ci) ⊕ Cn-1 happens to have 15 (L-1) as its final byte,
• otherwise, it will be rejected, giving rise to a padding oracle attack
7. Attack Contd.
From CBC decryption (slide 5) we know:
Pi = DK(Ci) ⊕ Ci-1
Pn = DK(Cn) ⊕ Cn-1
Pn[15] = DK(Cn)[15] ⊕ Cn-1[15] ----- (a)
(Figure: CBC decryption with Cn replaced by Ci, so the last block decrypts as DK(Cn/Ci) ⊕ Cn-1; Ci-1 and Cn-1 are the known entities, Pi[15] is the unknown entity)
Assuming L=16 (AES) and the ciphertext gets accepted (so the final padding byte decrypts to 15):
From (a), with Cn replaced by Ci: 15 = DK(Ci)[15] ⊕ Cn-1[15], which can be written as
=> DK(Ci)[15] = 15 ⊕ Cn-1[15] --------- (1)
We know: Pi = DK(Ci) ⊕ Ci-1
and hence Pi[15] = DK(Ci)[15] ⊕ Ci-1[15] --------- (2)
By replacing DK(Ci)[15] from (1) in (2) we get
Pi[15] = 15 ⊕ Cn-1[15] ⊕ Ci-1[15]
8. Overall Effort
• 256 SSL 3.0 requests per byte
Problem with SSL 3.0 in CBC mode:
The integrity of padding cannot be verified when decrypting as it is not covered by the MAC
Recommendation
• disabling the SSL 3.0 protocol in the client or in the server or both
• TLS_FALLBACK_SCSV
• when an incoming connection includes 0x56, 0x00 (TLS_FALLBACK_SCSV) in ClientHello.cipher_suites, compare ClientHello.client_version to the highest protocol version supported by the server. If the server supports a version higher than the one indicated by the client, reject the connection
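The server-side TLS_FALLBACK_SCSV check described above, written out as an added Python example (not code from the paper or from any TLS implementation). It assumes protocol versions are handled as (major, minor) tuples, that the cipher_suites vector has already been cut out of the ClientHello, and uses the inappropriate_fallback alert number that RFC 7507 assigns to this rejection.

```python
TLS_FALLBACK_SCSV = (0x56, 0x00)           # cipher-suite value named on the slide
SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 = (3, 0), (3, 1), (3, 2), (3, 3)
INAPPROPRIATE_FALLBACK = 86                # alert number defined by RFC 7507


def parse_cipher_suites(vector: bytes) -> list:
    """Parse a ClientHello cipher_suites vector: 2-byte length, then 2-byte suite ids."""
    if len(vector) < 2:
        raise ValueError("truncated cipher_suites vector")
    length = int.from_bytes(vector[:2], "big")
    body = vector[2:2 + length]
    if length % 2 or len(body) != length:
        raise ValueError("malformed cipher_suites vector")
    return [(body[i], body[i + 1]) for i in range(0, length, 2)]


def check_fallback(client_version, cipher_suites, server_max_version):
    """Return None to continue the handshake, or the alert number to send.

    Versions are (major, minor) tuples, so tuple comparison orders them correctly:
    SSL 3.0 is (3, 0) and TLS 1.2 is (3, 3).
    """
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max_version:
        # The client signals a downgrade retry, yet this server speaks something
        # newer: the earlier handshake was most likely disrupted in transit.
        return INAPPROPRIATE_FALLBACK
    return None


if __name__ == "__main__":
    # Constructed cipher_suites vector: two AES-CBC suites followed by the SCSV.
    sample = b"\x00\x06\x00\x2f\x00\x35\x56\x00"
    suites = parse_cipher_suites(sample)
    for version in (SSL_3_0, TLS_1_0, TLS_1_2):
        print(version, check_fallback(version, suites, TLS_1_2))
```

A client that genuinely supports only SSL 3.0 sends no SCSV and is still accepted; that case is covered only by the first recommendation, disabling SSL 3.0.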
10. Attack Steps:
• Degrade TLS protocol usage to SSLv3 by disrupting TLS handshake attempts.
• Adjust the URL and POST body length such that the last block of the ciphertext is padding.
• Perform the copy operation (Ci over Cn) on every generated SSL 3.0 record and calculate the leaked byte if the server accepts the modified record.
11. References
• This POODLE Bites: Exploiting The SSL 3.0 Fallback, Bodo Möller, Thai Duong, Krzysztof Kotowicz, https://www.openssl.org/~bodo/ssl-poodle.pdf
• Attack of the week: POODLE, https://blog.cryptographyengineering.com/2014/10/15/attack-of-week-poodle/
• Implementing the POODLE Attack, https://patzke.org/implementing-the-poodle-attack.html
Editor's Notes
An initialization vector (IV) or starting variable (SV) is a block of bits that is used by several modes to randomize the encryption and hence to produce distinct ciphertexts even if the same plaintext is encrypted multiple times, without the need for a slower re-keying process.
Now observe that if there’s a full block of padding and an attacker replaces Cn by any earlier ciphertext block Ci from the same encrypted stream, the ciphertext will still be accepted if DK(Ci) ⊕ Cn-1 happens to have L-1 as its final byte, but will in all likelihood be rejected otherwise, giving rise to a padding oracle attack.