
Overview

Practical Crypto Attacks Against Web Applications. Justin Clarke, OWASP London Chapter Leader, OWASP Global Connections Committee. Overview: IANAC; Usage != security; Pentesting? The Need for Cryptography.


Presentation Transcript


  1. Practical Crypto Attacks Against Web Applications
     Justin Clarke
     OWASP London Chapter Leader
     OWASP Global Connections Committee

  2. Overview
     • IANAC
     • Usage != security
     • Pentesting?

  3. The Need for Cryptography
     • Confidentiality – Prevent the disclosure of information to unauthorized individuals or systems
     • Integrity – Ensure that data cannot be modified undetectably
     • Authenticity – Validate that a party is who they claim to be

  4. Scenarios
     • Symmetric Crypto Attacks
     • ECB Mode Usage
     • Padding-Based Attacks
     • Secure Random Number Generation (if we have time)

  5. Symmetric Crypto Attacks
     • Most block ciphers support multiple modes of operation
     • The most common modes are:
       • ECB – Electronic Code Book
       • CBC – Cipher Block Chaining
       • CFB – Cipher Feedback
       • OFB – Output Feedback
     • None provide integrity if used in isolation

  6. Why is ECB mode BAD?

  7. Why is ECB mode BAD? • Reason #1 ECB x • CONFIDENTIALITY

  8. Why is ECB mode BAD?
     • Reason #2
     UID:23909,Email:john@doe.com,NickName:JohnDoe2301,Role:3

  9. Why is ECB mode BAD?
     • Reason #2
     CIPHERTEXT
     UID:23909,Email:john@doe.com,NickName:JohnDoe2301,Role:3

  10. Why is ECB mode BAD?
      • Reason #2
      CIPHERTEXT
      UID:23909,Email:john@doe.com,NickName:JohnDoe2301,Role:3
      CIPHERTEXT

  11. Why is ECB mode BAD?
      • Reason #2
      CIPHERTEXT
      UID:23909,Email:john@doe.com,NickName:JohnDoe2301,Role:3
      CIPHERTEXT
      UID:23901,Role:39,Email:john@doe.com,NickName:JohnDoe230

  12. Why is ECB mode BAD?
      • Reason #2
      CIPHERTEXT
      UID:23909,Email:john@doe.com,NickName:JohnDoe2301,Role:3
      CIPHERTEXT
      UID:23901,Role:39,Email:john@doe.com,NickName:JohnDoe230

  13. DEMO ECB Mode Attack
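
The block move shown on slides 8 to 12, as an added example that is not part of the original presentation: the slide's token splits on 8-byte boundaries, and moving the ciphertext block that holds `1,Role:3` produces the second plaintext on the slide. The cipher is a toy Feistel construction standing in for a real 8-byte block cipher so the code runs offline; `KEY` and all function names are assumptions.

```python
import hashlib

BLOCK = 8  # 8-byte blocks, the size the slide's token splits on

def _f(key, rnd, half):
    # Round function of a toy Feistel cipher (constructed stand-in, not a real cipher).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key, blk):
    left, right = blk[:4], blk[4:]
    for rnd in range(4):
        left, right = right, _xor(left, _f(key, rnd, right))
    return left + right

def decrypt_block(key, blk):
    left, right = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _f(key, rnd, left)), left
    return left + right

def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, plaintext):
    n = BLOCK - len(plaintext) % BLOCK  # padding length, 1..8 as on slide 20
    padded = plaintext + bytes([n]) * n
    return b"".join(encrypt_block(key, b) for b in split(padded))

def ecb_decrypt(key, ciphertext):
    padded = b"".join(decrypt_block(key, b) for b in split(ciphertext))
    n = padded[-1]
    if not 1 <= n <= BLOCK or padded[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return padded[:-n]

KEY = b"constructed-demo-key"  # assumption: any key gives the same result
TOKEN = b"UID:23909,Email:john@doe.com,NickName:JohnDoe2301,Role:3"

def reordered_token():
    # ECB decrypts every block independently, so a reordered ciphertext still decrypts cleanly.
    blocks = split(ecb_encrypt(KEY, TOKEN))
    moved = b"".join(blocks[i] for i in [0, 6, 1, 2, 3, 4, 5, 7])
    return ecb_decrypt(KEY, moved)

if __name__ == "__main__":
    print(reordered_token())
```

Nothing in the decryption path can tell the reordered ciphertext from the genuine one, which is the integrity gap the later slides close with an HMAC.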

  14. What about CBC mode?

  15. What about CBC mode? CBC • CONFIDENTIALITY

  16. CBC Decryption
      • Original Ciphertext
      BLOCK 1 | BLOCK 2 | BLOCK 3

  17. CBC Decryption
      • Block Swapping will result in data corruption
      BLOCK 1 | BLOCK 3 | BLOCK 2

  18. Attacking CBC Encrypted Data
      • “Padding Oracle” Attack
        • Leverages byte flipping of ciphertext to generate invalid padding exceptions
        • Data can be decrypted (and encrypted too) without knowledge of the secret key

  19. How Padding Works

  20. How Padding Works
      • Assuming this scheme, then there are only 8 possible valid padding sequences:
        • 0x01
        • 0x02, 0x02
        • 0x03, 0x03, 0x03
        • 0x04, 0x04, 0x04, 0x04
        • 0x05, 0x05, 0x05, 0x05, 0x05
        • 0x06, 0x06, 0x06, 0x06, 0x06, 0x06
        • 0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07
        • 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08

  21. Flipping Bytes in CBC Mode

  22. The Decryption Process
      • Is the key the correct size?
        • Invalid Key Exception
      • Is the value (bytes) an even block multiple?
        • Invalid Length Exception
      • Is the decrypted block properly padded?
        • Invalid Padding Exception
      • Return the value
      CRITICAL

  23. The Padding Oracle Attack

  24. The Padding Oracle Attack
      Call this “Byte X”
      Call this “Byte Y”
      • Basic Premise:
        • A change of Byte X (ciphertext) will change Byte Y (plaintext)
        • There is a one-to-one correlation between Byte X values and Byte Y values
        • Exception is thrown if plain-text does not end with a valid padding sequence

  25. The Padding Oracle Attack
      Byte X == 0x00
      Byte Y == ???
      • Exception? YES
      • Byte Y is not valid padding

  26. The Padding Oracle Attack
      Byte X == 0x01
      Byte Y == ???
      • Exception? YES
      • Byte Y is not valid padding

  27. The Padding Oracle Attack
      Byte X == 0x02
      Byte Y == ???
      • Exception? YES
      • Byte Y IS valid padding (must be 0x01)

  28. The Padding Oracle Attack
      • What does that tell us?
        • The altered byte value produced valid padding when XOR’ed with the intermediate value
        • IF A ^ B = C
        • THEN A ^ C = B
        • AND C ^ B = A

  29. The Padding Oracle Attack
      • What does that tell us?
        • If the padding byte was 0x01:
          • Our Byte (0x02) ^ Intermediate Byte (??) == 0x01
          • Intermediate Byte == Our Byte (0x02) ^ 0x01
        • The plain-text value is the intermediate value XOR’ed with the prior ciphertext byte

  30. DEMO Padding Oracle Attack

  31. What’s the solution?
      • As we’ve seen, encrypted data (while kept private) is still susceptible to tampering
      • We need to ensure PRIVACY and INTEGRITY
      (Diagram labels: Encryption, Message)

  32. What’s the solution?
      • Encrypt + Sign the Ciphertext
      • HMAC: Combines a cryptographic hash function with a secret key
        • Cannot be re-computed without the key
        • Verifies the integrity and authenticity of a message
      (Diagram labels: SIGNATURE, Encryption, Message)

  33. Another Lesson Learned
      • Why not HMAC within the ciphertext?
        • Does not protect against side-channel attacks during decryption
      • Padding Oracle Attack in .NET Framework
        • Discovered September 2010
        • Viewstate and Forms Authentication Cookies were affected even though an HMAC was included within the ciphertext
        • Tampering was only detected after decryption
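
An added example (not from the original presentation) for the padding oracle walk on slides 24 to 29 and the fix on slides 32 and 33: the byte-stepping that leaks an intermediate byte from a server reporting padding errors gets only a uniform rejection once the HMAC over the ciphertext is verified before decryption. Block decryption is modelled by a fixed `INTERMEDIATE` value rather than a real cipher; all keys, blocks and function names are constructed for illustration.

```python
import hashlib
import hmac

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Constructed sample values. PREV_BLOCK and LAST_BLOCK are the final two
# ciphertext blocks; INTERMEDIATE models D_k(LAST_BLOCK), which only the
# server can compute. The genuine plaintext block is "Role:3" + 02 02.
MAC_KEY = b"constructed-mac-key"
PREV_BLOCK = bytes.fromhex("a1b2c3d4e5f60701")
LAST_BLOCK = bytes.fromhex("0f1e2d3c4b5a6978")
INTERMEDIATE = _xor(b"Role:3\x02\x02", PREV_BLOCK)
TAG = hmac.new(MAC_KEY, PREV_BLOCK + LAST_BLOCK, hashlib.sha256).digest()

def padding_valid(plain):
    n = plain[-1]
    return 1 <= n <= 8 and plain[-n:] == bytes([n]) * n

def vulnerable_decrypt(prev_block):
    # CBC: plaintext = D_k(last block) XOR previous ciphertext block.
    # The padding result is reported as a distinct error: the oracle.
    plain = _xor(INTERMEDIATE, prev_block)
    return "ok" if padding_valid(plain) else "invalid padding"

def hardened_decrypt(prev_block, tag):
    # Encrypt-then-MAC: authenticate the ciphertext before any decryption,
    # so tampered input never reaches the padding check.
    good = hmac.new(MAC_KEY, prev_block + LAST_BLOCK, hashlib.sha256).digest()
    if not hmac.compare_digest(good, tag):
        return "rejected"
    return vulnerable_decrypt(prev_block)

def recover_intermediate_byte(oracle):
    # Slides 25-29: step Byte X until padding validates, then
    # intermediate byte = Byte X ^ 0x01.
    for x in range(256):
        if oracle(bytes(7) + bytes([x])) == "ok":
            return x ^ 0x01
    return None

def demo():
    leaked = recover_intermediate_byte(vulnerable_decrypt)
    blocked = recover_intermediate_byte(lambda b: hardened_decrypt(b, TAG))
    return leaked, leaked ^ PREV_BLOCK[-1], blocked

if __name__ == "__main__":
    print(demo())
```

With the MAC checked first, all 256 altered values of Byte X produce the same response, so the one-to-one correlation between Byte X and Byte Y is no longer observable from outside.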

  34. So to Summarize…
      • Crypto is hard to get right
      • Lots of ways to make mistakes
      • When in doubt, ask an expert

  35. Justin Clarke
      justin.clarke@owasp.org
      justin@gdssecurity.com
      Twitter: @connectjunkie
