Presentation is loading. Please wait.

Presentation is loading. Please wait.

Workshop 1: Padding Oracle Attack Daoyuan Feb 28, 2014 1.

Published byMatilda Rich Modified over 10 years ago

Similar presentations

Presentation on theme: "Workshop 1: Padding Oracle Attack Daoyuan Feb 28, 2014 1."— Presentation transcript:

1 Workshop 1: Padding Oracle Attack Daoyuan Feb 28, 2014 1

2 Objectives Understand the principles and details of the padding oracle attack. Learn to use PadBuster to automate the padding oracle attack. 2

3 Background Padding Oracle Block Cipher: Cipher-Block Chaining (CBC) Mode – XOR: http://en.wikipedia.org/wiki/Exclusive_orhttp://en.wikipedia.org/wiki/Exclusive_or – Assume you have already understood them. 3

4 Just for your future reference 4

5 Background - Padding Why padding? – Plaintext messages come in a variety of lengths. – Block ciphers require all messages to come in an exact number of blocks. 5 Padding is added into the plaintext, not the ciphertext.

6 Background - Padding 6 At least one padding byte is ALWAYS appended

7 Background – Padding + Oracle The final decrypted block should end with: » A single 0x01 byte (0x01) » Two 0x02 bytes (0x02, 0x02) » Three 0x03 bytes (0x03, 0x03, 0x03) » Four 0x04 bytes (0x04, 0x04, 0x04, 0x04) »...and so on If not, most cryptographic providers will throw an invalid padding exception. – This extra information is called Oracle. 7

8 A Basic Padding Oracle Attack Scenario An application uses a query string parameter – to pass the encrypted username, company id, and role id of a user – http://sampleapp/home.jsp?UID=7B216A634951170FF851D6CC 68FC9537858795A28ED4AAC6 Ciphertext in ASCII Hex representation, 24bytes. – Plaintext: BRIAN;12;2; 8

9 Understand the whole process for the correct plaintext Encryption Diagram 9

10 Understand the whole process for the correct plaintext Decryption Diagram 10

11 The Padding Oracle in Web Apps When the application receives an encrypted value, it responds in one of three ways: – When a valid ciphertext is received (one that is properly padded and contains valid data) the application responds normally (200 OK). – When an invalid ciphertext is received (one that, after decrypted, does not end with a valid padding) the application throws a cryptographic exception (500 Internal Server Error, or 403…). – When a valid ciphertext is received (one that is properly padded) but decrypted to an invalid value, the application displays a custom error message (404 Not Found). 11 We can distinguish valid padding or not.

12 Know our attack goal and resources Our goal: decrypt the value by using padding oracle attack. Moreover, we have the padding oracle information that server will respond. 12 ? ??? ??

13 The Overview of the PO Attack The attack trick: isolate each block and try to only decrypt this block of plaintext. 13 ??? Fixed, but we don’t know. Need to change it now. This will also change. Server will tell us when it is valid.

14 The Overview of PO Attack If we can change them to this status: 14 ??? Fixed, but we don’t know. 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0xM 0x?? 0x?? 0x?? 0x?? 0x?? 0x?? 0x?? 0x01 Valid Padding Get 0xN : 0xM: we try and know 0x01: server tells us Get one byte: = 0xN XOR 0x3D 0xN

15 Recap the detailed attack steps First try from 0 (an IV of all NULL values): – Request:http://sampleapp/home.jsp?UID=000000 0000000000F851D6CC68FC9537 – Response: 500 - Internal Server Error 15

16 Recap the detailed attack steps Second try is 1: – Request:http://sampleapp/home.jsp?UID=000000 0000000001F851D6CC68FC9537 – Response: 500 - Internal Server Error 16

17 Recap the detailed attack steps Until this try: – Request:http://sampleapp/home.jsp?UID=000000 000000003CF851D6CC68FC9537 – Response: 200 OK 17

18 Recap the detailed attack steps Decrypt the second byte in the same way: 18

19 Recap the detailed attack steps Then we can decrypt all intermediary values: 19

20 Recap the detailed attack steps Finally recover the plaintext for the first block 20

21 Then move to the next block Isolate the second block 21 Our IVs Get the intermediate values: using our own IVs Obtain the plaintext: combine with the previous ciphertext

22 Automate the PO Attack By PadBuster An open source tool by Brian Holyfield – https://github.com/GDSSecurity/PadBuster https://github.com/GDSSecurity/PadBuster – Written in Perl, thus requiring the Perl environment. Attack the previous example: – Separated into two lines 22 padBuster.pl http://sampleapp/home.jsp?UID=7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6 7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6 8 -encoding 2 URL Encrypted SampleBlock Size 0: Base64 (default) 1: Lowercase HEX ASCII 2: Uppercase HEX ASCII

23 Exercises Combine this PPT and a document: – lab1_exercises.docx – Write your answer into this document. 23 Please hand in a hard copy of all exercise answers!

24 Exercise #1 Describe padding oracle attack in one sentence (5 marks). – Use your own words to describe the essence of the attack. 24

25 Exercise #2 After obtaining this status, what is the next value of Initialization Vector we should try? – Answer it with reasons. (5 marks) 25 Next value should try?

26 Exercise #3-1 Decrypt the ciphertext. (5 marks) – http://x.ozetta.net/lab/decrypt_me.php (prepared by Zetta KE and Anthony LAI from VXRL last year) http://x.ozetta.net/lab/decrypt_me.php It will redirect you to a link with a random ciphertext, e.g., http://x.ozetta.net/lab/decrypt_me.php?cipher=9f5756b0bb 7b46a82c07280fa9e1ae6040312108d3011654 http://x.ozetta.net/lab/decrypt_me.php?cipher=9f5756b0bb 7b46a82c07280fa9e1ae6040312108d3011654 Backup server: http://www2.comp.polyu.edu.hk/~sccomp444/lab2/ http://www2.comp.polyu.edu.hk/~sccomp444/lab2/ – Write the PadBuster command and obtain your own plaintext. For more hints, see lab1_exercises.docx. 26

27 For Exercise #3, you may choose either 3-1 or 3-2, the next one. 27

28 Exercise #3-2 Decrypt the ciphertext. (5 marks) – See https://class.coursera.org/crypto- preview/quiz/attempt?quiz_id=123https://class.coursera.org/crypto- preview/quiz/attempt?quiz_id=123 Target: http://crypto- class.appspot.com/po?er=f20bdba6ff29eed7b046d1df9fb70 00058b1ffb4210a580f748b4ac714c001bd4a61044426fb515 dad3f21f18aa577c0bdf302936266926ff37dbf7035d5eeb4http://crypto- class.appspot.com/po?er=f20bdba6ff29eed7b046d1df9fb70 00058b1ffb4210a580f748b4ac714c001bd4a61044426fb515 dad3f21f18aa577c0bdf302936266926ff37dbf7035d5eeb4 Decrypt it using PadBuster, instead of coding a new one. – The decrypted message may seem a bit strange to you. but if you Google it, you will see that it is a famous cryptographic sentence. 28

29 Exercise #4 Draw the cipher block graphs (10 marks) – We’re given web server logs that appear to show an attacker exploiting a vulnerability. https://raw.github.com/SaveTheRbtz/crypto- class/master/ex4/proj4-log.txt https://raw.github.com/SaveTheRbtz/crypto- class/master/ex4/proj4-log.txt – Read this blog post and analyze how he captures the secret. http://hackeroutfit.wordpress.com/2012/07/06/oracle- padding-attack-challenge/ http://hackeroutfit.wordpress.com/2012/07/06/oracle- padding-attack-challenge/ – Your task: draw two complete cipher block graphs to explain his procedure. One to obtain all Intermediary Values (HEX) One to obtain the stolen secret (Plaintext) 29

30 Thanks to: (References) http://blog.gdssecurity.com/labs/2010/9/14/auto mated-padding-oracle-attacks-with- padbuster.html http://blog.gdssecurity.com/labs/2010/9/14/auto mated-padding-oracle-attacks-with- padbuster.html – Nearly all materials are based on it. – I just organize them and sometimes add my own thoughts. The content, answer sheet of Exercise #3-1 and the decrypt_me.php script are prepared by Zetta KE (ozetta@vxrl.org) and Anthony LAI (darkfloyd@vxrl.org) from VXRL. 30

Download ppt "Workshop 1: Padding Oracle Attack Daoyuan Feb 28, 2014 1."

Similar presentations

“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.

Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
Modern Symmetric-Key Ciphers

Modern Symmetric-Key Ciphers
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format

Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.

1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.
Workshop 2: Length Extension Attack Zhou Peng March 07, 2014.

Workshop 2: Length Extension Attack Zhou Peng March 07, 2014.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Mark Dixon Page 1 16 – Passing Data between pages: Forms, Sessions, & Query Strings.

Mark Dixon Page 1 16 – Passing Data between pages: Forms, Sessions, & Query Strings.
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.

Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
Advanced Web Hack: Padding Oracle Attack

Advanced Web Hack: Padding Oracle Attack
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.

Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.
Block Ciphers 1 Block Ciphers Block Ciphers 2 Block Ciphers  Modern version of a codebook cipher  In effect, a block cipher algorithm yields a huge.

Block Ciphers 1 Block Ciphers Block Ciphers 2 Block Ciphers  Modern version of a codebook cipher  In effect, a block cipher algorithm yields a huge.
CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 4 Jonathan Katz.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.

1 How to securely outsource cryptographic computations Susan Hohenberger and Anna Lysyanskaya TCC2005.
Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.

Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 1 Security PART VII.

McGraw-Hill©The McGraw-Hill Companies, Inc., Security PART VII.

Similar presentations

Ads by Google