POODLE
This POODLE Bites: Exploiting The SSL 3.0 Fallback
Bodo Möller, Thai Duong, Krzysztof Kotowicz
Presented By: Samit Anwer

Padding Oracle On Downgraded Legacy Encryption
• If an attacker interferes with a handshake offering TLS 1.0 or later, clients will downgrade to SSL 3.0
• Encryption in SSL 3.0 uses either the RC4 stream cipher or a block cipher (AES/DES) in CBC mode
• We will be taking a running example of AES in CBC mode of operation
• Assumption:
  • the attacker can modify network transmissions between client and server
Attack Scenario
• Attacker sends a link to the victim (http://evil.com)
• When the victim visits the link, the JavaScript embedded on evil.com starts making cookie-bearing requests to https://example.com
An HTTP request looks like:
POST /path Cookie: name=value...\r\n\r\n body
• The attacker can MITM the encrypted traffic, and the attacker controls the data in “path” and “body”.
Cipher Block Chaining Encryption
POST /path Cookie: name=value...\r\n\r\nbody ‖ 20byte MAC ‖ padding
[Diagram: plaintext blocks P1, P2, …, Pi, …, Pn-1, Pn are encrypted into ciphertext blocks C1, C2, …, Ci, …, Cn-1, Cn]
Ci = EK(Pi ⊕ Ci-1)
C0 = IV
AES block size is 16 bytes
DES block size is 8 bytes
Cipher Block Chaining Decryption
Pi = DK(Ci) ⊕ Ci-1
C0 = IV
[Diagram: ciphertext blocks C1, C2, …, Ci, …, Cn-1, Cn are decrypted into plaintext blocks P1, P2, …, Pi, …, Pn-1, Pn]
POST /path Cookie: name=value...\r\n\r\nbody ‖ 20byte MAC ‖ padding
The attack
POST /path Cookie: sessionid=value...\r\n\r\nbody ‖ 20byte MAC ‖ padding
Padding of 1 to L bytes (where L is the block size in bytes) is added before performing blockwise CBC.
The attacker controls the request path and request body and hence can forge requests such that:
1. The padding fills an entire block (encrypted into Cn).
2. The cookie’s first (as yet unknown) byte appears as the final byte in an earlier block (which gets encrypted into Ci).
• The attacker replaces Cn by any earlier ciphertext block Ci.
• The ciphertext will be accepted if DK(Ci) ⊕ Cn-1 happens to have 15 (i.e. L-1 with L=16) as its final byte,
• otherwise it will be rejected → giving rise to a padding oracle attack.
[Diagram: Cn replaced by Ci]
Attack Contd.
Assuming L=16 (AES) and the ciphertext gets accepted:
From CBC decryption we know: Pi = DK(Ci) ⊕ Ci-1
⇒ Pn = DK(Cn) ⊕ Cn-1
⇒ Pn[15] = DK(Cn)[15] ⊕ Cn-1[15] ----- (a)
With Cn replaced by Ci, acceptance means the final byte equals 15, so from (a):
15 = DK(Ci)[15] ⊕ Cn-1[15], which can be written as
⇒ DK(Ci)[15] = 15 ⊕ Cn-1[15] --------- (1)
We know: Pi = DK(Ci) ⊕ Ci-1
and hence Pi[15] = DK(Ci)[15] ⊕ Ci-1[15] --------- (2)
By replacing DK(Ci)[15] from (1) in (2) we get
Pi[15] = 15 ⊕ Cn-1[15] ⊕ Ci-1[15]
Unknown entity: Pi[15] (the cookie byte). Known entities: Cn-1[15] and Ci-1[15] (ciphertext bytes the attacker observes).
[Diagram: C1, C2, …, Ci, …, Cn-1, then Cn replaced by Ci; the receiver computes DK(Cn/Ci)]
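The derivation above, run end to end as an added example (not from the slides or the paper): a toy SSL 3.0 record layer in Python with a stand-in Feistel block cipher in place of AES and HMAC-SHA1 in place of the SSL 3.0 MAC (both assumptions of this example), a receiver that checks only the last padding byte, and a loop that applies the Cn := Ci substitution to freshly encrypted requests until the receiver accepts and then evaluates Pi[15] = 15 ⊕ Cn-1[15] ⊕ Ci-1[15]. The cookie value and the prefix/suffix padding are constructed here.

```python
import hashlib
import hmac
import os

BLOCK = 16    # AES block size in bytes: the L = 16 case used on the slides
MAC_LEN = 20  # the "20byte MAC" on the slides (SHA-1 sized)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def prp(key: bytes, block: bytes, decrypt: bool = False) -> bytes:
    """Stand-in 16-byte block cipher (EK / DK): a 4-round Feistel network
    keyed with SHA-256. Not AES (assumption of this example); any keyed
    permutation gives the same CBC and padding behaviour."""
    left, right = block[:8], block[8:]
    order = range(4)
    if decrypt:  # run the rounds backwards on swapped halves
        order, left, right = reversed(range(4)), right, left
    for r in order:
        f = hashlib.sha256(key + bytes([r]) + right).digest()[:8]
        left, right = right, xor(left, f)
    return right + left if decrypt else left + right


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for k in range(0, len(pt), BLOCK):
        prev = prp(key, xor(pt[k:k + BLOCK], prev))  # Ci = EK(Pi xor Ci-1), C0 = IV
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for k in range(0, len(ct), BLOCK):
        c = ct[k:k + BLOCK]
        out.append(xor(prp(key, c, decrypt=True), prev))  # Pi = DK(Ci) xor Ci-1
        prev = c
    return b"".join(out)


def ssl3_seal(enc_key: bytes, mac_key: bytes, iv: bytes, data: bytes) -> bytes:
    """Sender: data || MAC || padding. SSL 3.0 padding is 1..L bytes whose only
    meaningful byte is the last one (pad length - 1); the other padding bytes
    are arbitrary and none of them is covered by the MAC (HMAC-SHA1 stands in
    for the SSL 3.0 MAC here)."""
    mac = hmac.new(mac_key, data, "sha1").digest()
    n = BLOCK - (len(data) + MAC_LEN) % BLOCK
    return cbc_encrypt(enc_key, iv, data + mac + os.urandom(n - 1) + bytes([n - 1]))


def ssl3_open(enc_key: bytes, mac_key: bytes, iv: bytes, ct: bytes) -> bool:
    """Receiver: strip padding by the final byte only, then verify the MAC.
    Returns True iff the record is accepted. Accept/reject is the padding
    oracle; TLS 1.0+ checks every padding byte, which is what removes it."""
    pt = cbc_decrypt(enc_key, iv, ct)
    pad_len = pt[-1] + 1
    if pad_len > BLOCK or pad_len + MAC_LEN > len(pt):
        return False
    data, mac = pt[:-pad_len - MAC_LEN], pt[-pad_len - MAC_LEN:-pad_len]
    return hmac.compare_digest(mac, hmac.new(mac_key, data, "sha1").digest())


def simulate_one_byte(secret: bytes, t: int, max_requests: int = 20000):
    """Slides 6-7 run locally. The attacker-controlled prefix (the path) is sized
    so secret[t] is the last byte of block i; the attacker-controlled suffix (the
    body) is sized so the padding is a full block Cn. Every request is encrypted
    under a fresh IV, Cn is replaced by Ci and the receiver is asked. On the
    first acceptance, Pi[15] = 15 xor Cn-1[15] xor Ci-1[15] is the secret byte.
    Returns (requests needed, recovered byte or None)."""
    enc_key, mac_key = os.urandom(16), os.urandom(16)
    prefix = b"A" * ((15 - t) % BLOCK)
    i = (len(prefix) + t) // BLOCK  # block whose final byte is secret[t]
    suffix = b"B" * (-(len(prefix) + len(secret) + MAC_LEN) % BLOCK)
    data = prefix + secret + suffix
    for req in range(1, max_requests + 1):
        iv = os.urandom(BLOCK)
        ct = ssl3_seal(enc_key, mac_key, iv, data)
        blocks = [ct[k:k + BLOCK] for k in range(0, len(ct), BLOCK)]
        c_i_prev = blocks[i - 1] if i > 0 else iv  # Ci-1 (C0 = IV)
        c_n_prev = blocks[-2]                      # Cn-1
        tampered = b"".join(blocks[:-1]) + blocks[i]  # Cn := Ci
        if ssl3_open(enc_key, mac_key, iv, tampered):
            return req, 15 ^ c_n_prev[15] ^ c_i_prev[15]
    return max_requests, None
```

The request count returned is around 256 on average, matching the “Overall Effort” slide; with a TLS 1.0-style check of every padding byte the copied block would essentially never be accepted, which is the padding-integrity point the slides make.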
Overall Effort
• 256 SSL 3.0 requests per byte (on average, since each attempt is accepted with probability 1/256)
Recommendation
• Disable the SSL 3.0 protocol in the client, in the server, or both
• TLS_FALLBACK_SCSV
  • When an incoming connection includes 0x56, 0x00 (TLS_FALLBACK_SCSV) in ClientHello.cipher_suites, compare ClientHello.client_version to the highest protocol version supported by the server. If the server supports a version higher than the one indicated by the client, reject the connection.
Problem with SSL 3.0 in CBC mode:
The integrity of the padding cannot be verified when decrypting, as it is not covered by the MAC.
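The TLS_FALLBACK_SCSV rule from the recommendation slide, as an added example in Python (not from the slides, the paper or any TLS library): a minimal ClientHello parser plus the server-side decision, with constructed ClientHello bodies for the cases that matter. The alert value 86 (inappropriate_fallback) is the one RFC 7507 specifies; the suite value 0x002F is an ordinary AES-CBC suite used only as filler.

```python
from typing import List, Optional, Tuple

TLS_FALLBACK_SCSV = 0x5600          # the 0x56, 0x00 cipher-suite value from the slide
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303  # ProtocolVersion as u16
INAPPROPRIATE_FALLBACK = 86         # RFC 7507 alert description sent on rejection
AES128_SHA = 0x002F                 # TLS_RSA_WITH_AES_128_CBC_SHA, an ordinary suite


def parse_client_hello(body: bytes) -> Tuple[int, List[int]]:
    """Pull client_version and cipher_suites out of a ClientHello handshake
    body: version (2) | random (32) | session_id (1-byte length + bytes) |
    cipher_suites (2-byte length + 2-byte entries) | ... (rest ignored)."""
    version = int.from_bytes(body[0:2], "big")
    pos = 2 + 32
    pos += 1 + body[pos]                        # skip session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("malformed cipher_suites vector")
    suites = [int.from_bytes(body[k:k + 2], "big") for k in range(pos, pos + cs_len, 2)]
    return version, suites


def fallback_check(body: bytes, server_max_version: int) -> Optional[int]:
    """The slide's rule: if TLS_FALLBACK_SCSV is present and the server supports
    a version newer than ClientHello.client_version, refuse the connection.
    Returns the alert description to send (86, inappropriate_fallback) or None
    when the handshake may proceed."""
    version, suites = parse_client_hello(body)
    if TLS_FALLBACK_SCSV in suites and version < server_max_version:
        return INAPPROPRIATE_FALLBACK
    return None


def build_client_hello(version: int, suites: List[int]) -> bytes:
    """Constructed ClientHello body for testing: fixed all-zero random, empty
    session id, null compression, no extensions."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    return (version.to_bytes(2, "big") + bytes(32) + b"\x00"
            + len(cs).to_bytes(2, "big") + cs + b"\x01\x00")
```

The case with no SCSV at all is the reason the slide also lists disabling SSL 3.0: a client that does not send the signalling suite is still allowed to negotiate SSL 3.0 with this check alone.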
Demo Overview
src: https://patzke.org/implementing-the-poodle-attack.html
Attack Steps:
• Degrade TLS protocol usage to SSLv3 by disrupting TLS handshake attempts.
• Adjust the URL and POST length such that the last block of the ciphertext is padding.
• Perform the copy operation on every generated TLS packet and calculate the leaked byte if the server accepts the modified packet.
References
• This POODLE Bites: Exploiting The SSL 3.0 Fallback, Bodo Möller, Thai Duong, Krzysztof Kotowicz, https://www.openssl.org/~bodo/ssl-poodle.pdf
• Attack of the week: POODLE, https://blog.cryptographyengineering.com/2014/10/15/attack-of-week-poodle/
• Implementing the POODLE Attack, https://patzke.org/implementing-the-poodle-attack.html

Editor's Notes

1. An initialization vector (IV) or starting variable (SV) is a block of bits that is used by several modes to randomize the encryption and hence to produce distinct ciphertexts even if the same plaintext is encrypted multiple times, without the need for a slower re-keying process.
2. Now observe that if there is a full block of padding and an attacker replaces Cn by any earlier ciphertext block Ci from the same encrypted stream, the ciphertext will still be accepted if DK(Ci) ⊕ Cn-1 happens to have L-1 as its final byte, but will in all likelihood be rejected otherwise, giving rise to a padding oracle attack.