Practical Padding Oracle Attacks
Juliano Rizzo, Thai Duong
Black Hat Europe, 2010
Juliano Rizzo, Thai Duong () Practical Padding Oracle Attacks BH Europe 2010 1 / 41
Requisite
XOR
0 ⊕ 0 = 0
0 ⊕ 1 = 1
1 ⊕ 0 = 1
1 ⊕ 1 = 0
Outline
1 Introduction
    Review of CBC Mode
    Padding Oracle attack
2 Finding padding oracles
    Find potential padding oracles
    Confirm the existence of padding oracles
3 Basic PO attacks
    Cracking CAPTCHA
    Decrypting JSF view states
4 Advanced PO attacks
    Using PO to encrypt
    Distributed cross-site PO attacks
Introduction Review of CBC Mode
CBC Mode
CBC mode is a cryptography mode of operation for a block cipher.
Allows encryption of arbitrary length data.
Encryption and decryption are defined by:
$C_i = e_K(P_i \oplus C_{i-1})$
$P_i = d_K(C_i) \oplus C_{i-1}$
CBC Mode
[slide content not preserved]
Padding
[slide content not preserved]
Introduction Padding Oracle attack
Padding oracle attack
Introduction
First introduced by Vaudenay at Eurocrypt 2002.
Two assumptions:
Adversary can intercept padded messages encrypted in CBC mode.
Adversary has access to a padding oracle.
Padding oracle attack
What is a padding oracle?
Adversary submits a CBC mode ciphertext C to oracle $\mathcal{O}$.
Oracle decrypts under fixed key K and checks correctness of padding.
Oracle outputs VALID or INVALID according to correctness of padding:
$\mathcal{O}(C) = \begin{cases} 0, & \text{invalid} \\ 1, & \text{valid} \end{cases}$
Padding oracle attack
How does it work?
For a long message, decrypt block by block.
It's easy to parallelize the attack.
For a block, decrypt the last byte first, then decrypt the next to last byte, and so on.
How?
Padding oracle attack
How to decrypt a block
[slide content not preserved]
[...] information
Vulnerability: encrypt and decrypt functions
Use encrypt_and_sign and decrypt_and_verify instead
Finding padding oracles Find potential padding oracles
Finding potential padding oracles
Blackbox testing
Crawl the target to find BASE64 strings that look like a ciphertext.
Replace a byte in the last block of the... value, and send to the target.
See if there is any error message.
Even a blank page is enough information.
Finding potential padding oracles
Google hacking
Finding potential padding oracles
Source code auditing
Look for known source code keywords like javax.crypto.BadPaddingException.
Look for routines that perform encryption and decryption that have some code to handle error while decrypting.
Look for code that imports...
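The contrast the slides draw between plain encrypt/decrypt and encrypt_and_sign/decrypt_and_verify, as an added example that is not code from the talk or from any framework it discusses. Assumptions: a toy Feistel permutation stands in for the real block cipher, padding is PKCS#7-style, the two function names are borrowed from the slide but their bodies (encrypt-then-MAC with HMAC-SHA256) are one possible implementation, and `tamper_outcomes` is a hypothetical self-test helper.

```python
import hashlib, hmac, os
BS = 16  # block size in bytes

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _perm(key, blk, rounds):  # toy Feistel permutation, stand-in for a real block cipher
    l, r = blk[:8], blk[8:]
    for rnd in rounds:
        l, r = r, _xor(l, hmac.new(key, bytes([rnd]) + r, hashlib.sha256).digest()[:8])
    return r + l  # final swap: running the rounds in reverse order inverts it

def encrypt(key, pt):
    n = BS - len(pt) % BS
    pt += bytes([n]) * n  # PKCS#7-style padding (assumed scheme)
    out = [os.urandom(BS)]  # C_0 = IV
    for i in range(0, len(pt), BS):  # C_i = e_K(P_i xor C_{i-1})
        out.append(_perm(key, _xor(pt[i:i + BS], out[-1]), (0, 1, 2, 3)))
    return b"".join(out)

def decrypt(key, ct):  # vulnerable: the caller can tell a padding failure apart
    if len(ct) < 2 * BS or len(ct) % BS:
        raise ValueError("bad length")
    pt = b"".join(_xor(_perm(key, ct[i:i + BS], (3, 2, 1, 0)), ct[i - BS:i])
                  for i in range(BS, len(ct), BS))  # P_i = d_K(C_i) xor C_{i-1}
    n = pt[-1]
    if not 1 <= n <= BS or pt[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return pt[:-n]

def encrypt_and_sign(ek, mk, pt):
    ct = encrypt(ek, pt)
    return ct + hmac.new(mk, ct, hashlib.sha256).digest()

def decrypt_and_verify(ek, mk, blob):  # MAC is checked before any padding is examined
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, ct, hashlib.sha256).digest()):
        raise ValueError("invalid message")
    return decrypt(ek, ct)

def tamper_outcomes(dec, blob, pos):  # outcomes when byte pos takes each other value
    seen = set()
    for v in set(range(256)) - {blob[pos]}:
        try:
            dec(blob[:pos] + bytes([v]) + blob[pos + 1:])
            seen.add("ok")
        except ValueError as err:
            seen.add(str(err))
    return seen
```

Run against your own decrypt routine, `tamper_outcomes` returning more than one outcome for modified ciphertexts means the padding check is observable; with `decrypt_and_verify` every modified input yields the same single error.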
Date posted: 16/03/2014, 17:20