padding oracle attack
Copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation
OWASP
http://www.owasp.org
Padding Oracle Attacks
Satish
20/08/2011
Cryptography Attack
Agenda
- Cryptography Basics
- Padding oracle attack
- Exploitation
- Padding oracle in .NET
- Tools
- Remedy
Cryptography Basics
Stream Ciphers: A key is supplied to the encryption algorithm to produce a key stream. The plain text is XORed with the key stream to generate the cipher text. Ex: RC4
1 xor 0 = 1    P xor K = C
0 xor 1 = 1    C xor P = K
Block Ciphers: Operate on fixed-length groups of bits or bytes (64 or 128 bit blocks).
128 bits of plain text are converted into 128 bits of cipher text. Ex: AES
Block Cipher : Modes
ECB mode – Electronic code book mode
Encryption of the same plain text with the same key results in the same cipher text, which is a considerable threat to security.
CBC – cipher block chaining
Encryption of the same plain text with the same key results in different cipher text because of the IV.
Each block of plaintext is XORed with the previous ciphertext block before being encrypted.
Ci = Ek (Pi xor Ci-1)
Each block of ciphertext is decrypted and XORed with the previous ciphertext block to obtain the plain text.
The first block of ciphertext is decrypted and XORed with the IV to obtain the plain text.
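The decryption rule, written out in the same notation as the encryption formula (an added derivation, not from the original slides; Dk denotes block decryption under key k, and C0 is the IV):

Ci = Ek (Pi xor Ci-1)
Dk (Ci) = Pi xor Ci-1
Pi = Dk (Ci) xor Ci-1

Dk (Ci) depends only on Ci and the key, so changing a byte of Ci-1 by some value d changes the same byte of Pi by d and leaves Dk (Ci) untouched.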
Block Ciphers:
- Work on fixed-size data
- Messages come in a variety of lengths
- So padding was introduced
- The final block is padded before encryption
PKCS#5 standard: the final block of plaintext is padded with N bytes of value N.
Padding oracle attack
Initially discovered in 2002. Credits: http://netifera.com/research/
Got famous in 2010.
What is it? It is possible to decrypt and encrypt data without the key in CBC mode.
Typical scenario:
- Brian logged into myapp.com
- The server created an encrypted string specific to Brian and sent it to him
- Accessing any page in the application sends the encrypted value to the server
- The server decrypts it and serves the content based on the decrypted value
Ex: http://myapp.com/home.jsp?UID=7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6
Client data: value = BRIAN;12;1;
IV=7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6
http://myapp.com/home.jsp?UID=7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6
The application verifies whether the encrypted value is properly padded or not.
When the application is passed an encrypted value, it responds in one of three ways:
- Valid ciphertext (with proper padding) – normal response
- Invalid ciphertext (improper padding) – exception
- Valid ciphertext that decrypts to an invalid value – custom error
Wrong padding can result in:
- Error messages
- Stack traces
- Time differences
- Different responses
In cryptography, an oracle refers to a mechanism that can be used to determine whether a test has passed or failed.
The pass and fail conditions can be used to decrypt without the key.
Decrypting without a key
Valid cipher: http://myapp/home.jsp?UID=7B216A634951170FF851D6CC68FC9537
Invalid cipher: http://myapp/home.jsp?UID=0000000000000000F851D6CC68FC9537
Invalid cipher: http://myapp/home.jsp?UID=0000000000000001F851D6CC68FC9537
Invalid cipher: http://myapp/home.jsp?UID=0000000000000003F851D6CC68FC9537
Intermediary Byte ^ 0x3C == 0x01
Intermediary Byte == 0x3C ^ 0x01
Intermediary Byte == 0x3D
Valid cipher: http://myapp/home.jsp?UID=7B216A634951170FF851D6CC68FC9537
Plain text == Intermediary byte 0x3D ^ corresponding IV byte 0F == 02
Now crack the 7th byte and so on …
In the end this gives the intermediate value.
Encrypting arbitrary values without key
XOR the plaintext value with the intermediary value to get the IV.
Summary: A padding oracle attack makes it possible to encrypt and decrypt data without the key.
Padding oracle attack in .NET
Where is it applicable?
View state
Session cookies
Any encrypted data in hidden parameters
WebResource.axd - serves embedded resources
ScriptResource.axd - serves embedded resources and files
https://samplesite.com/WebResource.axd?d=llIAeUHrAWkUZEuvZB-98g2
valid cipher text decrypted to valid value - proper response (200 ok)
valid cipher text decrypted to invalid value - page not found or similar response (404)
Invalid cipher text - padding error
If the application gives different errors in the above 3 cases, it is vulnerable and easy to exploit.
Tools
Padbuster: https://www.gdssecurity.com/l/t/d.php?k=PadBuster
Poet: http://netifera.com/research/
Padbusterdotnet: http://www.mindedsecurity.com/fileshare/padBusterdotnet.zip
Why is this working?
CBC mode only provides confidentiality. Confidentiality does not ensure that the value has not been tampered with. An integrity check has to be performed.
Solution
Implemented integrity check by adding hash to the encrypted value
Before fix: http://website.com/application/WebResource.axd?d=jzjghMVYzFihd9Uhe_arpA2
After fix: http://website.com/application/WebResource.axd?d=jadfz0GadfahafMVYzFihd9Uhadfadfdfdfe_aereradf349jkMjlrfgRr6moijfdn_Aretkjf093rpA2
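The three distinguishable responses described earlier and the integrity-check remedy, side by side, as an added example that is not from the original slides. Assumptions: a toy 4-round Feistel cipher stands in for a real block cipher, the keys and the 500/403 status codes are constructed, and the integrity check is a keyed HMAC-SHA256 over the ciphertext (the slide says only "hash").

```python
import hashlib, hmac, os
BS = 8                                          # 64-bit blocks, as in the slides
ENC_KEY, MAC_KEY = b"constructed-enc-key", b"constructed-mac-key"  # demo keys

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))   # zip truncates to the shorter input

def _feistel(blk, rounds):                      # toy block cipher, stand-in for DES/AES
    l, r = blk[:4], blk[4:]
    for rnd in rounds:                          # reversed round order decrypts
        l, r = r, _xor(l, hmac.new(ENC_KEY, bytes([rnd]) + r, hashlib.sha256).digest())
    return r + l

def cbc_encrypt(pt):
    n = BS - len(pt) % BS
    pt += bytes([n]) * n                        # PKCS#5: N bytes of value N
    out = [os.urandom(BS)]                      # random IV travels as first block
    for i in range(0, len(pt), BS):
        out.append(_feistel(_xor(pt[i:i + BS], out[-1]), range(4)))
    return b"".join(out)

def cbc_decrypt(ct):
    if len(ct) < 2 * BS or len(ct) % BS:
        raise ValueError("bad length")
    blocks = [ct[i:i + BS] for i in range(0, len(ct), BS)]
    pt = b"".join(_xor(_feistel(c, range(3, -1, -1)), p) for p, c in zip(blocks, blocks[1:]))
    n = pt[-1]
    if not 1 <= n <= BS or pt[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return pt[:-n]

def vulnerable_handler(token):                  # three outcomes: this is the oracle
    try:
        value = cbc_decrypt(token)
    except ValueError:
        return 500                              # padding exception reaches the client
    return 200 if value.startswith(b"BRIAN;") else 404

def seal(pt):                                   # encrypt-then-MAC
    ct = cbc_encrypt(pt)
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()

def hardened_handler(token):
    ct, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, ct, hashlib.sha256).digest()):
        return 403                              # rejected before any decryption
    return vulnerable_handler(ct)               # padding check now sees only authentic data

def responses_when_tampered(handler, token, pos=2 * BS - 1):  # one byte, all 256 values
    return {handler(token[:pos] + bytes([b]) + token[pos + 1:]) for b in range(256)}
```

Run against a token from `cbc_encrypt`, `responses_when_tampered(vulnerable_handler, token)` shows all three codes; against a token from `seal`, the hardened handler returns 200 only for the untouched value and 403 for every modification, so padding validity is never revealed.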
For more information on exploitation and usage of tools visit my site
http://www.securitylearn.net
Questions?