This document discusses the history of vulnerabilities in SSL/TLS, including padding oracle attacks and the POODLE attack. It provides details on how padding oracle attacks work by exploiting weaknesses in CBC mode encryption and how SSLv3 is vulnerable. It recommends completely disabling SSLv3 to prevent POODLE attacks, as the protocol allows plaintext recovery through padding oracle exploitation when MAC is incorrectly used.

1. Yurii Bilyk || 2014
SSL/P DLE:
History repeats itself

2. AGENDA
XOR Function
Symmetric-Key Crypto Basics
Padding Oracle Attack details
POODLE Attack

3. LIVE. DIE. REPEAT.
History Repeats Itself

4. Secure Socket Layer (SSL/TLS)
Key Exchange: RSA, Diffie-Hellman, PSK
Authentication: RSA, DSA, ECDSA
Symmetric Cipher: RC4, IDEA, DES, 3DES, AES
Data Integrity: SHA, MD5, MD4 and MD2

5. SSL/TLS Vulnerabilities History
2002
2013
Padding Oracle Attack discovery
BEAST Attack discovery
CRIME & BREACH Attack discovery
Lucky 13 Attack discovery
POODLE Attack discovery
2014

6. Heart Bleed
Issue in the realization of crypto
protocol/system
***IT happens
Not issue in the cipher

7. Modern Cryptography
After Computer Era

8. One-Time Pad (OTP)
A plaintext is paired with random,
secret key (or pad) which have the
same length (or more) as message
Each bit or char of the plaintext is
encrypted by combining it with the
corresponding bit or char from the pad
using modular addition

9. Unbreakable One-Time Pad (OTP)
Key is truly random
Key and at least as long as the
plaintext
Key never reused in whole or in
part, and kept completely secret

10. Symmetric-Key Cryptography
One shared key
Block ciphers
Stream ciphers

11. Stream Cipher
Flood Is Coming

12. Stream Ciphers
Key Stream is used (generated from Key)
Gamma (Key Stream) generator is pseudo
random with some period (bigger is better)
Works really fast ( XOR Key Stream with MSG)

13. Bit-Flipping Attack
Attacker know part and of
plaintext and place in encrypted
(for ex. amount of money)
Can change this part w/o
knowing key (nature of XOR)

14. Message Access Code (MAC)
Hash Functions (MD5, SHA, etc)
Encrypted data integrity check
Used not only in encryption
integrity check (web form data
validation, plaintext data, etc)

15. Block Cipher
Tetris Is Here

16. Block Ciphers
Fixed block size
Uses padding
Different modes (ECB, CBC, etc)

17. Electronic Codebook (ECB)
Each block processed individually
M y V e r y S e c r e t T e x t
L G l h 3 l a 1 X E K h X r A c
Plain Text
Encrypted

18. Electronic Codebook (ECB)
AES-256-ECB AES-256-CBCPlainText

19. Cipher Block Chaining (CBC)
Added initialization vector (IV)
More secure (by design)
Still vulnerable for padding attack

20. Cipher Block Chaining (CBC)
M y V e r y S e c r e t T e x t
L G l h 3 l a 1 X E K h X r A c
1 2 3 4 5 6 7 8
Plain Text
IV
Encrypted

21. Padding Types
Bit Padding (add 1 bit and zeros)
Byte Padding (add some bytes and
length of padding, add number of bytes
which equal to padding length, etc)
Mixed Padding (add 1 bit and then
bytes, for ex. MD5 padding)

22. Byte Padding
A B C D 0x00 0x00 0x00 0x00
A B C D 0x04 0x04 0x04 0x04
A B C D 0xFF 0xFF 0xFF 0x03
Zero Bytes Padding
Padding Length Bytes
0xFF Bytes + Padding Length Byte

23. Remember I'm offering you the truth. Nothing More.
Padding Oracle

24. Padding Oracle
Oracle: something that can prove
or refute your assumptions
Padding: building blocks to make
things the same size
Together: are nightmare of
cryptography

25. Padding Oracle Nightmare
You don’t need a KEY
Almost doesn’t depends on
cipher algorithm (CBC mode)
Faster that brute force attack

26. XOR Magic
It’s just a magic

27. Exercise (Swap Variables)
int a = 5, b = 10
a = a b // a = 15
a = a b // a = 10
b = a b // b = 5

28. The Magic XOR Rules
A A = 0
A 0 = A
A B = B A
(A B) C = A (B C)

29. Padding Oracle Attack: Details
M y M S G 3 3 3
L G l h 3 l a 1 X E K h X r A c
Plain M2
Encrypted C1 Encrypted C2
I K 7 u F Q s b
Intermediate I2

30. Padding Oracle Attack: Details
M2=C1 I2
I2=M2 C1
We CAN change result Plaintext M2 by
changing Encrypted C1 Message

31. Padding Oracle Attack: Last Byte
M y M S G 3 3 D
L G l h 3 l a A X E K h X r A B
I K 7 u F Q s C
C1[8] C2[8]
I2[8]
M2[8]

32. Padding Oracle Attack: Last Byte
1. Iterate byte PP from 0x00 to 0xFF (possible M2[8] byte)
2. Set A = C1[8] PP 0x01
3. Check Padding Oracle if we got correct padding (D = 0x01)
4. In case of correct padding we can calculate M2[8] last byte:
• M2[8] = C1[8] C
• Because C = D A
• Then C = 0x01 C1[8] PP 0x01
• We can simplify it to C = C1[8] PP
• In this case M2[8] = C1[8] C1[8] PP
• And finally M2[8] = PP, voila!

33. Padding Oracle Attack: Tools
POET – Apache MyFaces form padding oracle expl. tool
http://netifera.com/research/
PadBuster – ASP.NET (not only) padding oracle expl. tool
https://github.com/GDSSecurity/PadBuster
Bletchley – python based cryptography expl. multitool
https://code.google.com/p/bletchley/

34. • Use MAC in pair of encryption
• Don’t show Padding Errors to Attacker
• Use another cipher mode (CFB, etc)
How-to Mitigate?

35. POODLE? Are you kidding!?
Dogs are men’s best friends

36. POODLE: Basic Info
Old Good Padding Oracle
Present in ALL SSLv3 realizations
(architecture issue)
Wrong MAC usage

37. POODLE: Possible Exploitation
1
2
3
Hacker uses MITM attack
User should send the same
plaintext requests
(eg. GET request via XSS)
Attacker want to steal cookie
(know possible structure of the
plaintext request)

38. • Disable SSLv3 on the server
– web server, openssl, etc
• Disable SSLv3 support on the client
– web browser, library, etc
• Really, disable this old buggy SSLv3!
How-to Mitigate?

39. Outline
• Padding Oracle attack is still alive
• Usage of OLD protocols could cause
a lot of security issues
• Disable SSLv3 in your
products/environment

40. Thanks!
Yurii Bilyk
yubilyk@gmail.com