Practical Padding Oracle Attacks pot


Document information

Practical Padding Oracle Attacks
Juliano Rizzo, Thai Duong
Black Hat Europe, 2010

Juliano Rizzo, Thai Duong. Practical Padding Oracle Attacks. BH Europe 2010. 1 / 41

Requisite

XOR: $0 \oplus 0 = 0$, $0 \oplus 1 = 1$, $1 \oplus 0 = 1$, $1 \oplus 1 = 0$

Outline

1 Introduction
    Review of CBC Mode
    Padding Oracle attack
2 Finding padding oracles
    Find potential padding oracles
    Confirm the existence of padding oracles
3 Basic PO attacks
    Cracking CAPTCHA
    Decrypting JSF view states
4 Advanced PO attacks
    Using PO to encrypt
    Distributed cross-site PO attacks

Introduction: Review of CBC Mode

CBC Mode

CBC mode is a cryptography mode of operation for a block cipher. Allows encryption of arbitrary length data. Encryption and decryption are defined by:

$$C_i = e_K(P_i \oplus C_{i-1})$$

$$P_i = d_K(C_i) \oplus C_{i-1}$$

CBC Mode [figure]

Padding [figure]

Introduction: Padding oracle attack

Introduction

First introduced by Vaudenay at Eurocrypt 2002. Two assumptions:
    Adversary can intercept padded messages encrypted in CBC mode.
    Adversary has access to a padding oracle.

What is a padding oracle?

Adversary submits a CBC mode ciphertext $C$ to oracle $\mathcal{O}$. Oracle decrypts under fixed key $K$ and checks correctness of padding. Oracle outputs VALID or INVALID according to correctness of padding:

$$\mathcal{O}(C) = \begin{cases} 0, & \text{invalid} \\ 1, & \text{valid} \end{cases}$$

How does it work?

For a long message, decrypt block by block. It's easy to parallelize the attack. For a block, decrypt the last byte first, then decrypt the next to last byte, and so on. How?

How to decrypt a block [figure]

[...]

... information

Vulnerability: encrypt and decrypt functions. Use encrypt_and_sign and decrypt_and_verify instead.

Finding padding oracles: Find potential padding oracles

Blackbox testing

Crawl the target to find BASE64 strings that look like a ciphertext. Replace a byte in the last block of the ... value, and send to the target. See if there is any error message. Even a blank page is enough information.

Google hacking

Source code auditing

Look for known source code keywords like javax.crypto.BadPaddingException. Look for routines that perform encryption and decryption that have some code to handle error while decrypting. Look for code that imports...
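The audit advice above (look for javax.crypto.BadPaddingException handling; use encrypt_and_sign and decrypt_and_verify instead of bare encrypt and decrypt), shown as an added Java example that is not taken from the slides or from any library they refer to. The class name, the token layout IV || ciphertext || HMAC-SHA256 and the all-zero demo keys are assumptions of this example.

```java
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.*;

public class CbcTokenDemo {
    // Constructed all-zero demo keys; encryption and MAC use separate keys.
    static final SecretKeySpec ENC_KEY = new SecretKeySpec(new byte[16], "AES");
    static final SecretKeySpec MAC_KEY = new SecretKeySpec(new byte[32], "HmacSHA256");
    static byte[] cbc(int mode, byte[] iv, byte[] in, int off, int len) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(mode, ENC_KEY, new IvParameterSpec(iv, 0, 16));
        return c.doFinal(in, off, len);
    }
    static byte[] hmac(byte[] data, int len) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(MAC_KEY);
        mac.update(data, 0, len);
        return mac.doFinal();
    }
    // Hypothetical token layout: IV (16) || ciphertext || HMAC-SHA256(IV || ciphertext) (32).
    static byte[] encryptAndSign(byte[] plaintext) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        byte[] ct = cbc(Cipher.ENCRYPT_MODE, iv, plaintext, 0, plaintext.length);
        ByteBuffer out = ByteBuffer.allocate(48 + ct.length).put(iv).put(ct);
        return out.put(hmac(out.array(), 16 + ct.length)).array();
    }
    // Weak pattern the audit looks for: unauthenticated input reaches the padding
    // check, and BadPaddingException propagates to the caller as a distinct error.
    static byte[] decryptUnauthenticated(byte[] t) throws Exception {
        return cbc(Cipher.DECRYPT_MODE, t, t, 16, t.length - 48);
    }
    // Hardened: constant-time MAC check before decryption; all failures collapse to one error.
    static byte[] decryptAndVerify(byte[] t) {
        try {
            byte[] tag = Arrays.copyOfRange(t, t.length - 32, t.length);
            if (!MessageDigest.isEqual(hmac(t, t.length - 32), tag)) throw new SecurityException();
            return decryptUnauthenticated(t);
        } catch (Exception e) { throw new SecurityException("invalid token"); }
    }
    public static void main(String[] args) throws Exception {
        byte[] t = encryptAndSign("user=alice".getBytes("UTF-8")); // constructed sample plaintext
        System.out.println(new String(decryptAndVerify(t), "UTF-8"));
        t[31] ^= 1; // constructed tampering: flip one bit in the last ciphertext byte
        try { decryptAndVerify(t); } catch (SecurityException e) { System.out.println(e.getMessage()); }
    }
}
```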

Date posted: 16/03/2014, 17:20

Table of contents

    Review of CBC Mode

    Find potential padding oracles

    Confirm the existence of padding oracles

    Decrypting JSF view states

    Using PO to encrypt

    Distributed cross-site PO attacks
