Daniel Crowley - Speaking with Cryptographic Oracles
Speaking with Cryptographic Oracles
Daniel “unicornFurnace” Crowley
Application Security Consultant, Trustwave - SpiderLabs
The Speaker and the Presentation
A quick introduction and a few distinctions
Copyright Trustwave 2010 Confidential
The Speaker
Daniel Crowley
Web application security d00d
IANAC (I am not a cryptographer)
[email protected]
@dan_crowley
The Presentation Topic
Finding and exploiting:
• Encryption Oracles
• Decryption Oracles
• Padding Oracles
With little to no cryptographic knowledge
• More crypto knowledge, more useful attacks
NOT the Presentation Topic
The Oracle
• We are not being harvested for energy by robot overlords
− Maybe
ORACLE
• If you Google “<any crypto word> oracle” it’s all you find
Google, the Internet Oracle
• While awesome, not what we’re talking about
NOT the Presentation Topic
Crypto g00r00s like Adi Shamir
• While also awesome and totally related, not the topic
New attacks on old crypto
• Mistakes are easy enough to make in implementation
How Padding Oracle attacks work
• Too much time to explain
• Too many good resources
DEFCON Drinking Game 0-day
APT iPad• APT China, cyber-war
Cloud mobile botnet• Cloud cloud Cyber-
Twilight APT Sun Tzu− RSA HBGary botnet PCI
SCADA in the cloud
Cyber-war?
LulzSec???
APT China cyber-war weeaboo, WikiLeaks mobile
LulzSec.
A Primer on Cryptographic Terms
Basic cryptographic terms, concepts and mistakes
Very Basic Terms
Cipher
• A system for scrambling and unscrambling data to protect it
Key
• A variable used to permute the cipher
Initialization Vector (IV)
• A second variable used to randomize the cipher
Plaintext
• The data in readable form
Ciphertext
• The data in unreadable form
Encryption
• Turning something you can read into something you can’t
Decryption
• Turning something you can’t read into something you can
Stream and Block Ciphers
Block
Encrypt X characters at a time
• X is the block size
Key is used to directly transform plaintext to ciphertext
Stream
Encrypt one character at a time
Key is used to generate pseudo-random numbers
Those numbers are used to transform plaintext to ciphertext
Very Basic Mistakes
Using a keyless cipher
• Completely insecure if cipher is ever discovered
Reusing keys and/or IVs
• Makes Oracle attacks far more dangerous
• IV reuse can seriously weaken stream ciphers
− Think WEP
Leaking data from crypto operations
• Foundation for Oracle attacks
Flickr Creative Commons - Rosino
What is an Oracle?
A system which takes queries and provides answers
Queries might be
• Plaintext
• Ciphertext
Answers might be
• Corresponding plaintext
• Corresponding ciphertext
• Info about operation
• Sample from PRNG
Picture by D Sharon Pruitt – Creative Commons
Seek the Oracle
How to identify cryptographic Oracles
From a black-box perspective
Decryption Oracles: Identify Input
Identify where encrypted input occurs
• Identify all points of user input
− For Web apps: GET, POST, URL, Cookie, headers
• Identify those which may be encrypted
− Encrypted data is generally encoded
• Base64
• ASCII hex
• URL encoding
− Decoded data is likely encrypted if seemingly random
− Modification of values may result in decryption-related errors
Decryption Oracles: Find Decrypted Output
May be reflected
• Normal output
• Error
May be given in later response
May be inferred from modified output
May be stored and not shown
• Additional vulnerabilities may reveal output
Decryption Oracles: An Example
Scenario
Consider “GetPage.php?file=<encrypted_stuff>”
• Opens a file to be included based on encrypted input
− Allows for quick page additions
− Prevents file inclusion attacks…?
− Assumes properly encrypted input is sanitary
• Errors are verbose
Usage
Feed the script some ciphertext
• Record the “file” the error tells you wasn’t found
Encryption Oracles: Find Encrypted Data
Often found in
• Cookies
• Hidden variables
• Databases
• File resident data
Flickr Creative Commons – Gideon van der Stelt
Encryption Oracles: Determine Point of Entry
Frequently encrypted data
• Client-side state variables
• Passwords
• Financial data
• Anything sufficiently sensitive
Being encrypted is not enough
• We need to be able to manipulate it
• And see the ciphertext
Encryption Oracles: An Example
Scenario
Consider “auth” cookie, encrypted
• Username + “:” + password_hash + “:” + timestamp
Assume usernames can’t contain “:” character
• No delimiter injection
Timestamp to control expiration
Usage
Register with any username, log in
Copy cookie value and replace any encrypted input with it
• Can’t use colons or control suffix
− Might not matter
Padding Oracles
Input must be encrypted
Must be a padded block cipher
Valid vs. invalid padding is distinguishable
• This is the essence of a padding Oracle
Padding Oracles can be used as decryption Oracles
• Using the CBC-R technique they are also encryption Oracles
− May be limited in that the first block will be garbled
Exploiting Cryptographic Oracles
Breaking bad crypto and bad crypto usage
Converting One Oracle Into Another
Padding Oracles only tell you whether padding is valid
• This information can be used to decrypt data
• In some circumstances, it can also be used to encrypt
Decryption Oracles
• Can be converted to encryption Oracles using brute force
− Far more effective with stream ciphers
Encryption Oracles
• Can be converted to decryption Oracles using brute force
− Again, more effective with stream ciphers
Attack 0: Crypto Recon
Check for static key, IV, and deterministic cipher
• Encrypt the same plaintext twice
• Check to see if they are identical
Check for stream vs. block ciphers
• Encrypt plaintexts of various sizes
• Compare plaintext size to ciphertext size
Check for ECB block cipher mode
• Encrypt repeating plaintext blocks
• Look for repetitive ciphertext
Check for stream cipher feedback
• Encrypt some arbitrary plaintext
• Change the first byte
• Observe whether the following bytes change
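The four checks above, written as a self-audit harness a developer can point at their own encryption routine. This is an added example, not code from the talk: the toy Feistel block cipher, the SHAKE-256 keystream and all names are constructed stand-ins, and padded block ciphers are recognised only by length overhead, so a block cipher in a streaming mode will report as a stream.

```python
import hashlib, os

BLOCK = 16  # block size of the toy cipher, also the chunk size for the ECB check

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block(key, blk):
    # Constructed 4-round Feistel network standing in for a real block cipher.
    left, right = blk[:8], blk[8:]
    for rnd in range(4):
        left, right = right, xor(left, hashlib.sha256(key + bytes([rnd]) + right).digest())
    return left + right

def ecb_static_key(key):
    def enc(pt):
        pad = BLOCK - len(pt) % BLOCK
        pt += bytes([pad]) * pad
        return b"".join(toy_block(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))
    return enc

def stream_static_iv(key, iv):
    # Same key and IV for every message: the reuse mistake from the slides.
    return lambda pt: xor(pt, hashlib.shake_256(key + iv).digest(len(pt)))

def stream_fresh_iv(key):
    def enc(pt):
        iv = os.urandom(12)  # new IV per message, prepended to the ciphertext
        return iv + xor(pt, hashlib.shake_256(key + iv).digest(len(pt)))
    return enc

def recon(enc):
    probe = b"A" * (4 * BLOCK)
    c1, c2 = enc(probe), enc(probe)
    deterministic = c1 == c2
    # Padding makes ciphertext overhead depend on plaintext length.
    overheads = {len(enc(b"A" * n)) - n for n in range(1, 2 * BLOCK + 2)}
    chunks = [c1[i:i + BLOCK] for i in range(0, len(c1), BLOCK)]
    flipped = enc(b"B" + probe[1:])
    return {
        "deterministic": deterministic,
        "padded_block_cipher": len(overheads) > 1,
        "ecb_repeats": len(set(chunks)) < len(chunks),
        # Only meaningful for deterministic output, so None otherwise.
        "first_byte_propagates": c1[2 * BLOCK:] != flipped[2 * BLOCK:] if deterministic else None,
    }

KEY = b"constructed-demo-key"  # constructed sample key
REPORTS = {
    "ecb_static_key": recon(ecb_static_key(KEY)),
    "stream_static_iv": recon(stream_static_iv(KEY, b"fixed-iv")),
    "stream_fresh_iv": recon(stream_fresh_iv(KEY)),
}
```

A routine that reports deterministic output is the one to fix first, since every later attack in the deck depends on key and IV reuse.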
Attack 1: Bad Algorithms
• Occasionally, people try to make their own algorithms
• And they’re not cryptographers
• And it doesn’t end well
Real homespun crypto seen in the wild:
“hello” might become “KqIKefKPrPKPrPKuJXK”
Attack 1: Bad Algorithms
Is there substitution?
Submit “AAAA” : Get “KLoKLoKLoKLoK”
• There is!
• We can already see patterns, too
Is there transposition?
Submit “AABB” : Get “KLoKLoKaBeKaBeK”
• No transposition
• We can see more patterns
• The “K” seems to be a delimiter
• Substitution doesn’t change on position
• One replacement per letter
Attack 1: Bad Algorithms
Submit “BABA” : Get “KaBeKLoKaBeKLoK”
• Exactly what we expected
Submit “abcdefghi…XYZ0123456789” : Get entire key!
• We now submit one of every character in sequence
• The Oracle tells us what each maps to
Attack 1 and a half: Revenge of Bad Algorithms
Others use a simple xor operation to encrypt data
P xor K = C
C xor K = P
C xor P = K
Wikimedia Commons - Herpderper
Attack 1.75: Bride of Bad Algorithms
For some simple ciphers like xor
Encryption = Decryption
THUS
Encryption Oracle = Decryption Oracle
THUS
Such ciphers are made completely useless by leaking output
THUS
For God’s sake stop using xor
Attack 1: Bad Algorithms
DEMO
Attack 2: Trusted Encrypted Input
People tend to reuse keys and IVs
• If we can encrypt arbitrary data in one place
• It may work in another
If devs don’t think you can mess with input
• They probably won’t sanitize it
• Encrypted inputs with MAC aren’t totally tamper-proof
Attack 2: Trusted Encrypted Input
Encrypted password with MAC in cookie
• Checked against database on each request needing auth
Find encryption Oracle with the same keys & IV
• Use encryption Oracle to encrypt ‘ or 1=1--
• Plug resulting value into cookie
• Laugh all the way to the bank
Attack 2: Trusted Encrypted Input
DEMO
Attack 3: Let the client have it, it’s encrypted
I. Find a decryption Oracle
II. Find encrypted data
III. Decrypt that sucka
IV. ?????
V. PROFIT!!!
This attack also relies on key/IV reuse
Attack 3: Let the client have it, it’s encrypted
DEMO
What encryption?
If you can find
• An encryption Oracle
• A decryption Oracle
You can encrypt or decrypt any data
• As long as keys and IVs are reused
− Algorithm doesn’t matter
− Padding doesn’t matter
− Cipher mode doesn’t matter
All encryption which uses the same key and IV is now useless
How Can I Fix My Code?
Avoid giving away information about crypto operations
• Output
− Not always plausible
• Success/Failure
− Suppress or generalize errors
• Timing
− Make code take the same time to finish no matter what happens
Authenticate your crypto
• Encrypt-then-MAC
• MAC-then-Encrypt still allows for padding oracle attacks
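One way to apply the fixes above, as an added example that is not code from the talk: Encrypt-then-MAC with a constant-time tag check before any decryption and a single generic error. It goes one step beyond the slide by using a fresh nonce per message and separate subkeys per purpose, which removes the key/IV reuse that Attacks 2 and 3 rely on. The SHAKE-256 keystream is a standard-library stand-in for a vetted cipher, and all names are hypothetical.

```python
import hashlib, hmac, os

class InvalidToken(Exception):
    """Single generic failure: callers never learn which check failed."""

def _subkey(master, label):
    # Assumption: simple HMAC-based derivation of one key per use and purpose.
    return hmac.new(master, label, hashlib.sha256).digest()

def _keystream_xor(key, nonce, data):
    # Stand-in for a vetted cipher (assumption: standard library only).
    ks = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(master, purpose, plaintext):
    nonce = os.urandom(16)  # fresh per message, so output is never deterministic
    ct = _keystream_xor(_subkey(master, b"enc|" + purpose), nonce, plaintext)
    tag = hmac.new(_subkey(master, b"mac|" + purpose), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag  # Encrypt-then-MAC: the tag covers nonce and ciphertext

def unseal(master, purpose, token):
    try:
        if len(token) < 16 + 32:
            raise ValueError
        nonce, ct, tag = token[:16], token[16:-32], token[-32:]
        want = hmac.new(_subkey(master, b"mac|" + purpose), nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, want):  # constant-time comparison
            raise ValueError
        # Decryption is reached only after the tag has verified.
        return _keystream_xor(_subkey(master, b"enc|" + purpose), nonce, ct)
    except ValueError:
        raise InvalidToken("invalid token") from None
```

A value sealed for one purpose fails verification under any other, so an encryption Oracle found at one input cannot mint values accepted at another.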
Questions?
Daniel Crowley
Trustwave – SpiderLabs