Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Slides:



Advertisements
Similar presentations
Chapter 4: Modes of Operation CS 472: Fall Encrypting a Large Massage 1.Electronic Code Book (ECB) 2.Cipher Block Chaining (CBC) 3.Output Feedback.
Advertisements

ECE454/CS594 Computer and Network Security
MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Sri Lanka Institute of Information Technology
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas
Block Ciphers 1 Block Ciphers Block Ciphers 2 Block Ciphers  Modern version of a codebook cipher  In effect, a block cipher algorithm yields a huge.
Chapter 5 Cryptography Protecting principals communication in systems.
Cryptographic Technologies
Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Overview of Cryptography and Its Applications Dr. Monther Aldwairi New York Institute of Technology- Amman Campus INCS741: Cryptography.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Lecture 23 Symmetric Encryption
CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS
Cryptographic Security Cryptographic Mechanisms 1Mesbah Islam– Operating Systems.
Chapter 31 Network Security
Modes of Operation. Topics  Overview of Modes of Operation  EBC, CBC, CFB, OFB, CTR  Notes and Remarks on each modes.
Cryptography, Authentication and Digital Signatures
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Lecture 4: Using Block Ciphers
TE/CS 536 Network Security Spring 2006 – Lectures 6&7 Secret Key Cryptography.
CS526: Information Security Prof. Sam Wagstaff September 16, 2003 Cryptography Basics.
Module 3 – Cryptography Cryptography basics Ciphers Symmetric Key Algorithms Public Key Algorithms Message Digests Digital Signatures.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Chapter 9: Algorithms Types and Modes Dulal C. Kar Based on Schneier.
Encryption Types & Modes Chapter 9 Encryption Types –Stream Ciphers –Block Ciphers Encryption Modes –ECB - Electronic Codebook –CBC - Cipher Block Chaining.
BLOCK CIPHER SYSTEMS OPERATION MODES OF DATA ENCRYPTION STANDARD (DES)
Modes of Usage Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) 11 Coming up: Modes of.
Modes of Operation INSTRUCTOR: DANIA ALOMAR. Modes of Operation A block cipher can be used in various methods for data encryption and decryption; these.
Stream Ciphers and Block Ciphers A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. Examples of classical stream.
The OWASP Foundation Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under.
Lecture 8 Overview. Secure Hash Algorithm (SHA) SHA SHA SHA – SHA-224, SHA-256, SHA-384, SHA-512 SHA-1 A message composed of b bits.
Enterprise Security API (ESAPI) 2.0 Crypto Changes
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
Class 3 Cryptography Refresher II CIS 755: Advanced Computer Security Spring 2014 Eugene Vasserman
Lecture 23 Symmetric Encryption
Exam 1 Review CS461/ECE422 Fall Exam guidelines A single page of supplementary notes is allowed  8.5x11. Both sides. Write as small as you like.
Privacy and Integrity: “ Two Essences of Network Security” Presenter Prosanta Gope Advisor Tzonelih Hwang Quantum Information and Network Security Lab,
Symmetric Encryption Lesson Introduction ●Block cipher primitives ●DES ●AES ●Encrypting large message ●Message integrity.
Computer Science and Engineering Computer System Security CSE 5339/7339 Lecture 11 September 23, 2004.
Presentation Road Map 1 Authenticated Encryption 2 Message Authentication Code (MAC) 3 Authencryption and its Application Objective Modes of Operation.
Network Security Celia Li Computer Science and Engineering York University.
Wired Equivalent Privacy (WEP) Chris Overcash. Contents What is WEP? What is WEP? How is it implemented? How is it implemented? Why is it insecure? Why.
IT 221: Introduction to Information Security Principles Lecture 5: Message Authentications, Hash Functions and Hash/Mac Algorithms For Educational Purposes.
Part 1  Cryptography 1 Integrity Part 1  Cryptography 2 Data Integrity  Integrity  detect unauthorized writing (i.e., modification of data)  Example:
Computer Security By Rubel Biswas. Introduction History Terms & Definitions Symmetric and Asymmetric Attacks on Cryptosystems Outline.
@Yuan Xue 285: Network Security CS 285 Network Security Message Authentication Code Data integrity + Source authentication.
Understanding Cryptography by Christof Paar and Jan Pelzl These slides were prepared by Christof Paar and Jan Pelzl Chapter 12.
Block Cipher Modes Last Updated: Aug 25, ECB Mode Electronic Code Book Divide the plaintext into fixed-size blocks Encrypt/Decrypt each block independently.
Block Cipher Encrypting a large message Electronic Code Book (ECB) message m1 m2 m3 m4 m5 m6 c1 c2 c3 c4 c5 c6 E E E Secret.
Symmetric Cryptography
CSCE 715: Network Systems Security
Block Cipher Modes CS 465 Make a chart for the mode comparisons
Cryptography Basics and Symmetric Cryptography
Cryptography Lecture 10.
Block cipher and modes of encryptions
Symmetric-Key Encryption
Padding Oracle Attacks
Topic 13: Message Authentication Code
Cryptography Lecture 9.
Review of Cryptography: Symmetric and Asymmetric Crypto Advanced Network Security Peter Reiher August, 2014.
Secret-Key Encryption
Presentation transcript:

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation Practical Crypto Attacks Against Web Applications Justin Clarke OWASP London Chapter Leader OWASP Global Connections Committee

OWASP Foundation  IANAC  Usage != security  Pentesting? Overview

OWASP Foundation  Confidentiality – Prevent the disclosure of information to unauthorized individuals or systems  Integrity – Ensure that data cannot be modified undetectably  Authenticity - Validate that a party is who they claim they are The Need for Cryptography

OWASP Foundation  Symmetric Crypto Attacks  ECB Mode Usage  Padding-Based Attacks  Secure Random Number Generation (if we have time) Scenarios

OWASP Foundation  Most block ciphers support multiple modes of operation  The most common modes are :  ECB – Electronic Code Book  CBC – Cipher Block Chaining  CFB - Cipher Feedback  OFB - Output Feedback  None provide integrity if used in isolation Symmetric Crypto Attacks

OWASP Foundation Why is ECB mode BAD?

OWASP Foundation  Reason #1 Why is ECB mode BAD? ECB CONFIDENTIALITY

OWASP Foundation  Reason #2 Why is ECB mode BAD?

OWASP Foundation  Reason #2 Why is ECB mode BAD? Block 1Block 2Block 3Block 4Block 5Block 6Block dab1 d7f285ac 22a1eaee db7aabbb 0f5a7a2a 1f8de75f 86adfcf6 17abcbcf 6adb7872 7ab9dd8e 96bdc238 5fa70ba2 69e75f87 cf74ab6d CIPHERTEXT

OWASP Foundation Why is ECB mode BAD? Block 1Block 7Block 2Block 3Block 4Block 5Block dab1 d7f285ac 69e75f87 cf74ab6d 22a1eaee db7aabbb 0f5a7a2a 1f8de75f 86adfcf6 17abcbcf 6adb7872 7ab9dd8e 96bdc238 5fa70ba2 Block 1Block 2Block 3Block 4Block 5Block 6Block dab1 d7f285ac 22a1eaee db7aabbb 0f5a7a2a 1f8de75f 86adfcf6 17abcbcf 6adb7872 7ab9dd8e 96bdc238 5fa70ba2 69e75f87 cf74ab6d  Reason #2 CIPHERTEXT

OWASP Foundation Why is ECB mode BAD? Block 1Block 7Block 2Block 3Block 4Block 5Block dab1 d7f285ac 69e75f87 cf74ab6d 22a1eaee db7aabbb 0f5a7a2a 1f8de75f 86adfcf6 17abcbcf 6adb7872 7ab9dd8e 96bdc238 5fa70ba2 Block 1Block 2Block 3Block 4Block 5Block 6Block dab1 d7f285ac 22a1eaee db7aabbb 0f5a7a2a 1f8de75f 86adfcf6 17abcbcf 6adb7872 7ab9dd8e 96bdc238 5fa70ba2 69e75f87 cf74ab6d  Reason #2 CIPHERTEXT

OWASP Foundation Why is ECB mode BAD? Block 1Block 7Block 2Block 3Block 4Block 5Block dab1 d7f285ac 69e75f87 cf74ab6d 22a1eaee db7aabbb 0f5a7a2a 1f8de75f 86adfcf6 17abcbcf 6adb7872 7ab9dd8e 96bdc238 5fa70ba2 Block 1Block 2Block 3Block 4Block 5Block 6Block dab1 d7f285ac 22a1eaee db7aabbb 0f5a7a2a 1f8de75f 86adfcf6 17abcbcf 6adb7872 7ab9dd8e 96bdc238 5fa70ba2 69e75f87 cf74ab6d  Reason #2 CIPHERTEXT

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation DEMO ECB Mode Attack

OWASP Foundation What about CBC mode?

OWASP Foundation What about CBC mode? CBC CONFIDENTIALITY

OWASP Foundation  Original Ciphertext CBC Decryption BLOCK 1BLOCK 2BLOCK 3

OWASP Foundation  Block Swapping will result in data corruption CBC Decryption BLOCK 1BLOCK 3BLOCK 2

OWASP Foundation  “Padding Oracle” Attack  Leverages byte flipping of ciphertext to generate invalid padding exceptions  Data can be decrypted (and encrypted too) without knowledge of the secret key Attacking CBC Encrypted Data

OWASP Foundation How Padding Works

OWASP Foundation  Assuming this scheme, then there are only 8 possible valid padding sequences:  0x01  0x02, 0x02  0x03, 0x03, 0x03,  0x04, 0x04, 0x04, 0x04  0x05, 0x05, 0x05, 0x05, 0x05,  0x06, 0x06, 0x06, 0x06, 0x06, 0x06  0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07  0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08 How Padding Works

OWASP Foundation Flipping Bytes in CBC Mode

OWASP Foundation  Is the key the correct size?  Invalid Key Exception  Is the value (bytes) an even block multiple?  Invalid Length Exception  Is the decrypted block properly padded?  Invalid Padding Exception  Return the value The Decryption Process CRITICAL

OWASP Foundation The Padding Oracle Attack

OWASP Foundation The Padding Oracle Attack Call this “Byte X” Call this “Byte Y” Basic Premise: A change of Byte X (ciphertext) will change Byte Y (plaintext) There is a one-to-one correlation between Byte X values and Byte Y values Exception is thrown if plain-text does not end with a valid padding sequence

OWASP Foundation The Padding Oracle Attack Byte X == 0x00 Byte Y == ??? Exception? YES Byte Y is not valid padding

OWASP Foundation The Padding Oracle Attack Byte X == 0x01 Byte Y == ??? Exception? YES Byte Y is not valid padding

OWASP Foundation The Padding Oracle Attack Byte X == 0x02 Byte Y == ??? Exception? YES Byte Y IS valid padding (must be 0x01)

OWASP Foundation  What does that tell us?  The altered byte value produced valid padding when XOR’ed with the intermediate value The Padding Oracle Attack IF A ^ B = C THEN A ^ C = B AND C ^ B = A

OWASP Foundation  What does that tell us?  If the padding byte was 0x01: –Our Byte (0x02) ^ Intermediate Byte (??) == 0x01 –Intermediate Byte == Our Byte (0x02) ^ 0x01  The plain-text value is the intermediate value XOR’ed with the prior ciphertext byte The Padding Oracle Attack

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation DEMO Padding Oracle Attack

OWASP Foundation  As we’ve seen, encrypted data (while kept private) is still susceptible to tampering  We need to ensure PRIVACY and INTEGRITY What’s the solution? Encryption Message

OWASP Foundation  Encrypt + Sign the Ciphertext  HMAC: Combines a cryptographic hash function with a secret key  Cannot be re-computed without the key  Verifies the integrity and authenticity of a message SIGNATURE What’s the solution? Encryption Message

OWASP Foundation Another Lesson Learned  Why not HMAC within the ciphertext?  Does not prevent against side channel attacks during decryption  Padding Oracle Attack in.NET Framework  Discovered September 2010  Viewstate and Forms Authentication Cookies were affected even though an HMAC was included within the ciphertext  Tampering was only be detected after decryption

OWASP Foundation  Crypto is hard to get right  Lots of ways to make mistakes  When in doubt, ask an expert So to Summarize…

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation Justin Clarke

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.