Crypto weakness in popular Web Applications
DESCRIPTION
OWASP AppSec Beijing/Asia 2011. Crypto weakness in popular Web Applications. Hanqin Wu, Aliyun.com, [email protected]. About Me: 2001 founder of “Ph4nt0m”; 2005 joined Alibaba Corp.; 2008 joined Aliyun.com. t.qq.com/aullik5; Blog: hi.baidu.com/aullik5; Book: 《完美防线》. Crypto in pentesting.
TRANSCRIPT
The OWASP Foundation http://www.owasp.org
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
OWASP AppSec Beijing/Asia 2011
Crypto weakness in popular Web Applications
Hanqin Wu, Aliyun.com
About Me
2001 founder of “Ph4nt0m”
2005 joined Alibaba Corp.
2008 joined Aliyun.com
t.qq.com/aullik5
Blog: hi.baidu.com/aullik5
Book: 《完美防线》
Crypto in pentesting
ctk=moVQoAbeoXAtdR3BHGRFVA&chk=50f059614bb2977a9dda630cd727277a-50067753
ID=5bfb08d687b3dee5:T=1303616991:S=ALNI_MZ46CtBJfBaUSGkdUlJmLEyTfwgPQ
http://passport.baidu.com/center?auth=ead603c8bb7d4ea68f2812a497aa7f5c40c6eb438b3da9e1d8b5b3de6a82f30b7a3b
Cipher analysis: encoding
Base64:
Hex: ead603c8bb7d4e…… = \xea\xd6\x04\xc8\xbb\x7d\x4e……
Cipher analysis: cipher length
Stream cipher: arbitrary length
Block cipher: length is a multiple of the block size
Cipher analysis: cipher mode
ECB mode: change 1 byte in the plaintext and only 1 block of the ciphertext changes
CBC mode: change 1 byte in the plaintext and the ciphertext changes from that block onward
In the developer’s mind
1. Third-party crypto library
2. Performance
3. Security, meaning only the key length
Failures
1. Using a hash algorithm instead of crypto
2. No “salts” when using a hash algorithm
3. Using “time” instead of a random number
4. Lack of knowledge about crypto
5. ……
Crypto introduction
Block cipher
Stream cipher
Basics in crypto
IV: init vector
mode: ECB, CBC, CFB, OFB, CTR
blocksize
KEY
Attack
Attack block cipher
ECB mode
Attack ECB mode
CBC mode
Padding Oracle
Padding: PKCS#5
Oracle: like “blind injection”, a “side channel attack”
Attack stream cipher
Stream cipher
Reused Key Attack
E(A) = A xor C
E(B) = B xor C
E(A) xor E(B) = (A xor C) xor (B xor C) = A xor B xor C xor C = A xor B
E(A) xor E(B) = A xor B
PHPWind StrCode()
function StrCode($string, $key) {   // wrapper and $code/$strLen/$keyLen setup assumed; only the loop is from the slide
    $strLen = strlen($string); $keyLen = strlen($key); $code = '';
    for ($i = 0; $i < $strLen; $i++) {
        $k = $i % $keyLen;                 // key byte repeats every $keyLen characters
        $code .= $string[$i] ^ $key[$k];   // XOR with a fixed key: the same key stream for every message
    }
    return $code;
}
PHPWind captcha generation
ck.php, chars: $list = 'BCEFGHJKMPQRTVWXY2346789';
"1315107631"."\t\t".md5("73669"."1315107631")
Layout: timestamp . "\t\t" . md5(captcha . timestamp), here timestamp = 1315107631 and captcha = 73669
Gain captcha
Set-Cookie
Crack captcha
known:
plaintext1 = time1 + md5(captcha1 + time1) = A
ciphertext1 = E(A)
ciphertext2 = E(B)
want:
plaintext2 = time2 + md5(captcha2 + time2) = B
B = A ⊕ E(A) ⊕ E(B)
Then md5(captcha2 + time2) is known: MD5 Rainbow Table!
Crack It!
Bit-flipping Attack
E(A) xor E(B) = A xor B
A xor E(A) xor B = E(B)
Captcha never expired
Global.php: gdconfirm()
Common.php: safecheck()
Construct
Bit-flipping Attack: A xor E(A) xor B = E(B)
Never expired time: $timestamp - $cookieData[0] < 0
POC
Discuz! authcode()
$keyc: IV
$ckey_length: IV length
$keya: xor key
$keyb: HMAC key
authcode() analysis
79uz_d57e_auth=d08fwJQZGV/999z5qNLk5OIofp9dd2qDkWXVeg1RFQGwKicuAMaih5M5aefx0ycOfLAc2jtZL/y3J7TpUh2GsAPl;
000000000067c38ee9eca0b04dccccbbbb
Layout: IV | timestamp (10 bytes) | HMAC (16 bytes) | plaintext (xx bytes)
authcode() security consideration
Reused Key Attack: the IV makes the xor key change every time, XOR_KEY = fn(IV, KEY)
Bit-flipping Attack: the HMAC defends against forgery, HMAC = fn(Plaintext, KEY)
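The reused-key and bit-flipping identities from the captcha slides, together with the authcode()-style defense above, as an added Python example that is not PHPWind's, Discuz!'s or the speaker's code. The key, timestamps, captcha values, the 16-byte IV and the SHA-256 derivation of the xor key are constructed assumptions.

```python
import hashlib
import hmac
import os

# Added example, not PHPWind's, Discuz!'s or the speaker's code. Key, timestamps,
# captcha values, IV size and the SHA-256 key derivation are constructed assumptions.

def xor_key(data, key):
    # The StrCode() loop: $code .= $string[$i] ^ $key[$k] with $k = $i % $keyLen.
    # With a fixed key the "key stream" is identical for every message.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def captcha_plaintext(timestamp, captcha):
    # Cookie layout from the slide: timestamp . "\t\t" . md5(captcha . timestamp)
    digest = hashlib.md5((captcha + timestamp).encode()).hexdigest()
    return (timestamp + "\t\t" + digest).encode()

def xor_with_known(known_a, cipher_a, other):
    # A xor E(A) recovers the key stream without the key. XOR it into E(B) to get
    # B (reused-key attack), or into a chosen B to get a valid E(B) (bit-flipping).
    assert len(known_a) == len(cipher_a) == len(other)
    return bytes(a ^ c ^ o for a, c, o in zip(known_a, cipher_a, other))

# authcode()-style construction (constructed here, not the real Discuz! code):
# XOR_KEY = fn(IV, KEY) so the key stream differs per message, and
# HMAC = fn(plaintext, KEY) so a flipped bit is detected. The IV is 16 random
# bytes rather than the 4-byte default the later slides criticise.
IV_LEN, TAG_LEN = 16, 32

def auth_encrypt(plaintext, key, iv=None):
    iv = os.urandom(IV_LEN) if iv is None else iv
    xor_k = hashlib.sha256(iv + key).digest()
    tag = hmac.new(key, plaintext, hashlib.sha256).digest()
    return iv + xor_key(tag + plaintext, xor_k)

def auth_decrypt(token, key):
    # Returns the plaintext, or None when the HMAC does not match (forged/tampered).
    iv, body = token[:IV_LEN], token[IV_LEN:]
    data = xor_key(body, hashlib.sha256(iv + key).digest())
    tag, plaintext = data[:TAG_LEN], data[TAG_LEN:]
    expected = hmac.new(key, plaintext, hashlib.sha256).digest()
    return plaintext if hmac.compare_digest(tag, expected) else None
```

With the fixed-key loop, one known cookie gives every other same-length cookie's plaintext and lets any chosen plaintext be encrypted; the keyed-IV plus HMAC variant rejects the same tampering.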
authcode() weak IV
Default length of the IV is 4 bytes:
Collect an IV dictionary (a-z0-9): 36^4 = 1,679,616 IVs
The same IV gives the same xor key. Compare WEP cracking: its 24-bit IV space is exhausted in 5 hours.
POC:
known:
test: crack($cipher2) == $plaintext2
POC:
Collect ciphers and IVs
Birthday Attack
The probabilities among 30 people:
Someone has one specific birthday: 1 − (364 / 365)^30 ≈ 7.9%
Any 2 share the same birthday: nearly 70%
Attack authcode()?
Reused Key Attack: the IV changes the xor key every time, so brute force the IVs
Bit-flipping Attack: the HMAC defends against forgery, still safe
Other attacks?
Discuz! Getwebshell: http://www.oldjun.com/blog/index.php/archives/76/
Phpcms cookie SQL injection: http://www.80vul.com/phpcms/phpcms_sys_auth.txt
……
Summary & Conclusion
Advice
Do not use ECB mode
Do not use a stream cipher
Use AES-256 or Blowfish in CBC mode
Do not use the same key to do different things
Use a random IV
Use HMAC-SHA512 instead of MD5
Thanks!