Padding Oracle Attacks



                     Satish B
                     Satishb3@securitylearn.net



OWASP
20/08/2011

                Copyright © The OWASP Foundation
                Permission is granted to copy, distribute and/or modify this document
                under the terms of the OWASP License.




                The OWASP Foundation
                http://www.owasp.org
Cryptography Attack




Agenda

Cryptography Basics
Padding oracle attack
Exploitation
Padding oracle in .NET
Tools
Remedy




Cryptography Basics

Stream Ciphers:
        The key is supplied to the encryption algorithm to generate a key stream
        Plain text is XORed with the key stream to generate cipher text
        Ex: RC4

        1 xor 0 = 1                 P xor K = C

        0 xor 1 = 1                 C xor P = K


Block Ciphers:
         Operate on fixed-length groups of bits or bytes (64 or 128 bit blocks)
         128 bits of plain text are converted into 128 bits of cipher text
         Ex: AES




Cryptography Basics

Block Cipher : Modes

ECB mode – Electronic code book mode




 Encryption of the same plain text with the same key results in the same cipher
 text, which is a considerable threat to security.

Cryptography Basics

CBC – cipher block chaining




                                                              Ci = Ek (Pi xor Ci-1)
Encryption of the same plain text with the same key results in different cipher
text because of the IV.
Each block of plaintext is XORed with the previous ciphertext block before
being encrypted.

Cryptography Basics




                                                              Pi = Dk (Ci) xor Ci-1, with C0 = IV
 Each block of ciphertext is decrypted and XORed with the previous ciphertext
 block to obtain the plain text.
 The first block of ciphertext is decrypted and XORed with the IV to obtain the
 plain text.

Cryptography Basics
Block Ciphers –
   - Work on fixed-size data
   - Messages come in a variety of lengths
   - Padding is therefore introduced
   - The final block is padded before encryption

PKCS#5 standard - the final block of plaintext is padded with N bytes of value N.




Padding oracle attack
Initially discovered in 2002.   Credits: http://netifera.com/research/
Got famous in 2010.

What is it ?
  Possible to decrypt and encrypt data without key in CBC mode.

Typical Scenario:
     Brian logs into myapp.com
     The server creates an encrypted string specific to Brian and sends it to him
     Accessing any page in the application sends the encrypted value to the server
     The server decrypts it and serves content based on the decrypted value


Ex:
http://myapp.com/home.jsp?UID=7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6


Padding oracle attack
 Client data
 value = BRIAN;12;1;




  IV=7B216A634951170F
  F851D6CC68FC9537
  858795A28ED4AAC6
Padding oracle attack
Client data
http://myapp.com/home.jsp?UID=7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6




Padding oracle attack

http://myapp.com/home.jsp?UID=7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6

The application verifies whether the encrypted value is properly padded or not.

When the application is passed an encrypted value, it responds in one of three ways:
        Valid ciphertext (with proper padding) – Normal response
        Invalid ciphertext (improper padding) – Exception
        Valid ciphertext and decrypts to an invalid value – Custom error




Wrong padding can result in:
             Error messages
             Stack Traces
             Time difference
             Different responses
Padding oracle attack
   An oracle refers to a mechanism in cryptography that can be used to determine
   whether a test has passed or failed.

   The pass and fail conditions can be used to decrypt without the key.


Decrypting without a key

Valid cipher
http://myapp/home.jsp?UID=7B216A634951170FF851D6CC68FC9537


Invalid cipher
http://myapp/home.jsp?UID=0000000000000000F851D6CC68FC9537
Padding oracle attack
Invalid cipher
http://myapp/home.jsp?UID=0000000000000001F851D6CC68FC9537




Padding oracle attack


Invalid cipher
http://myapp/home.jsp?UID=0000000000000003F851D6CC68FC9537




       Intermediary Byte ^ 0x3C == 0x01,
       Intermediary Byte == 0x3C ^ 0x01,
       Intermediary Byte == 0x3D
Padding oracle attack

Valid cipher
http://myapp/home.jsp?UID=7B216A634951170FF851D6CC68FC9537

 Plain text == Intermediary byte 0x3D ^ corresponding IV byte 0F == 02

Now crack the 7th byte and so on …




        In the end, this gives the full intermediate value
Padding oracle attack

Encrypting arbitrary values without key

      XOR the desired plaintext value with the intermediary value to get the IV




  Summary
  A padding oracle attack makes it possible to encrypt and decrypt data
  without the key.




Padding oracle attack in .NET

Where is it applicable ?

 View state
 Session cookies
 Any encrypted data in hidden parameters
 WebResource.axd
   - serves embedded resources
 ScriptResource.axd
    - serves embedded resources and files




Padding oracle attack in .NET
https://samplesite.com/WebResource.axd?d=llIAeUHrAWkUZEuvZB-98g2

 Valid cipher text decrypted to valid value
     - proper response (200 OK)

 Valid cipher text decrypted to invalid value
     - page not found or similar response (404)

 Invalid cipher text
     - padding error


If the application gives different errors in the above 3 cases, it is vulnerable
and easy to exploit.

Tools

 Padbuster
https://www.gdssecurity.com/l/t/d.php?k=PadBuster

 Poet
http://netifera.com/research/

 Padbusterdotnet
http://www.mindedsecurity.com/fileshare/padBusterdotnet.zip




Padding oracle attack

Why is this working?

    CBC mode only provides confidentiality.
    Confidentiality does not ensure that the value has not been tampered with.
    An integrity check has to be performed.


 Solution

     Implemented an integrity check by adding a hash to the encrypted value


 Before fix:
 http://website.com/application/WebResource.axd?d=jzjghMVYzFihd9Uhe_arpA2

 After fix:
 http://website.com/application/WebResource.axd?d=jadfz0GadfahafMVYzFihd9Uhadfadfdfdfe_aereradf349jkMjlrfgRr6moijfdn_Aretkjf093rpA2
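
The three server responses described earlier and the integrity-check fix above, side by side from the server's point of view (an added example, not code from the original slides). Assumptions: a toy Feistel cipher stands in for the real block cipher, HMAC-SHA256 is used as the keyed form of the "hash", and the handler names, response strings and the "BRIAN;" validity check are hypothetical.

```python
import hashlib, hmac, os
BLOCK = 8  # 64-bit blocks, matching the slides' example

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def f(key, rnd, half):  # round function of the toy Feistel cipher (assumption)
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]

def toy_block(key, blk, decrypt=False):  # stand-in for a real cipher, not for real use
    l, r = blk[:4], blk[4:]
    for rnd in (range(3, -1, -1) if decrypt else range(4)):
        l, r = (xor(r, f(key, rnd, l)), l) if decrypt else (r, xor(l, f(key, rnd, r)))
    return l + r

def cbc_encrypt(key, plaintext):
    n = BLOCK - len(plaintext) % BLOCK  # PKCS#5: N bytes of value N
    data, out = plaintext + bytes([n]) * n, os.urandom(BLOCK)  # out starts as the IV
    for i in range(0, len(data), BLOCK):
        out += toy_block(key, xor(data[i:i + BLOCK], out[-BLOCK:]))  # Ci = Ek(Pi xor Ci-1)
    return out  # IV || ciphertext

def cbc_decrypt(key, token):
    if len(token) < 2 * BLOCK or len(token) % BLOCK:
        raise ValueError("bad padding")
    plain = b"".join(xor(toy_block(key, token[i:i + BLOCK], True), token[i - BLOCK:i])
                     for i in range(BLOCK, len(token), BLOCK))
    n = plain[-1]
    if not 1 <= n <= BLOCK or plain[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return plain[:-n]

def vulnerable_handler(key, token):  # three distinguishable outcomes: the oracle
    try:
        value = cbc_decrypt(key, token)
    except ValueError:
        return "500 padding error"
    return "200 OK" if value.startswith(b"BRIAN;") else "404 not found"

def seal(enc_key, mac_key, plaintext):  # encrypt-then-MAC over IV || ciphertext
    body = cbc_encrypt(enc_key, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def hardened_handler(enc_key, mac_key, token):
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return "400 bad request"  # rejected before any decryption or padding check
    value = cbc_decrypt(enc_key, body)  # authentic token, so padding is known-good
    return "200 OK" if value.startswith(b"BRIAN;") else "404 not found"
```
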
For more information on exploitation and usage of tools visit my site
http://www.securitylearn.net






Questions?



