Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Published byHoward Shaw Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."— Presentation transcript:

1 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP http://www.owasp.org Padding Oracle Attacks Satish B Securitylearn.wordpress@gmail.com 20/08/2011

2 OWASP 2 Cryptography Attack

3 OWASP 3 Agenda  Cryptography Basics  Padding oracle attack  Exploitation  Padding oracle in.NET  Tools  Remedy

4 OWASP 4 Cryptography Basics Stream Ciphers : Key supplied to encryption algorithm to get key stream Plain text is XOR with key stream to generate cipher text Ex: Rc4 1 0 = 1P K = C 0 1 = 1 C P = K Block Ciphers: Operates on fixed length group of bits or bytes (64 or 128 bit blocks) 128 bits of plain text is converted into 128 bits of cipher text Ex: AES

5 OWASP 5 Cryptography Basics Block Cipher : Modes ECB mode – Electronic code book mode Encryption of the same plain text with the same key results in the same cipher text, which is a considerable threat to security.

6 OWASP 6 Cryptography Basics CBC – cipher block chaining Encryption of the same plain text with the same key results in different cipher text because of IV. Each block of plaintext is XORed with the previous ciphertext block before being encrypted. Ci = Ek (Pi xor Ci-1)

7 OWASP 7 Cryptography Basics Each block of ciphertext is decrypted and XORed with the previous ciphertext block to obtain the plain text. First block of ciphertext is decrypted and XORed with IV to obtain the plain text.

8 OWASP 8 Cryptography Basics Block Ciphers – - Works on fixed size data - Messages are in variety of length - padding has introduced - Final block padded before encryption PKCS#5 standard - final block of plaintext is padded with N bytes of value N.

9 OWASP 9 Padding oracle attack Initially discovered in 2002. Credits: http://netifera.com/research/http://netifera.com/research/ Got famous in 2010. What is it ? Possible to decrypt and encrypt data without key in CBC mode. Typical Scenario:  Brian logged into myapp.com  Server created an encryption string specific to Brian and sent to him  Accessing any page in the application sends the encrypted value to server  Server decrypts and serves the content based on decrypted value Ex: http://myapp.com/home.jsp?UID=7B216A634951170FF851D6CC68FC953785 8795A28ED4AAC6

10 OWASP 10 Padding oracle attack Client data value = BRIAN;12;1; IV=7B216A634951170F F851D6CC68FC9537 858795A28ED4AAC6

11 OWASP 11 Padding oracle attack Client data http://myapp.com/home.jsp?UID=7B216A634951170FF851D6CC68FC9537 858795A28ED4AAC6

12 OWASP 12 Padding oracle attack http://myapp.com/home.jsp?UID=7B216A634951170FF851D6CC68FC9537 858795A28ED4AAC6 The application verifies whether the encrypted value is properly padded or not. When the application passed an encrypted value it responds with one of three ways: Valid ciphertext (with proper padding) – Normal response Invalid ciphertext (improper padding) – Exception Valid ciphertext and decrypts to an invalid value – Custom error Wrong padding can result in:  Error messages  Stack Traces  Time difference  Different responses

13 OWASP 13 Padding oracle attack oracle refers to a mechanism in cryptography that can be used to determine whether a test has passed or failed. Pass and Fail conditions can be used to decrypt without key. Decrypting without a key Valid cipher http://myapp/home.jsp? UID=7B216A634951170F F851D6CC68FC9537 Invalid cipher http://myapp/home.jsp? UID=0000000000000000 F851D6CC68FC9537

14 OWASP 14 Padding oracle attack Invalid cipher http://myapp/home.jsp?UID=0000000000000001F851D6CC68FC9537

15 OWASP 15 Padding oracle attack Invalid cipher http://myapp/home.jsp? UID=0000000000000003 F851D6CC68FC9537 Intermediary Byte ^ 0×3C == 0×01, Intermediary Byte == 0×3C ^ 0×01, Intermediary Byte == 0×3D

16 OWASP 16 Padding oracle attack Valid cipher http://myapp/home.jsp?UID=7B216A634951170FF851D6CC68FC9537 Plain text == Intermediary byte 0×3D ^ corresponding IV byte 0F = = 02 Now crack the 7 th byte and so on … In the end it gives Intermediate value

17 OWASP 17 Padding oracle attack Encrypting arbitrary values without key XOR the plaintext value with intermediary value to get IV Summary Padding oracle attack allows to encrypt and decrypt data without the key.

18 OWASP 18 Padding oracle attack in.NET Where is it applicable ?  View state  Session cookies  Any encrypted data in hidden parameters  WebResource.axd - serves embedded resources  ScriptResource.axd - serves embedded resources and files

19 OWASP 19 Padding oracle attack in.NET https://samplesite.com/WebResource.axd?d=llIAeUHrAWkUZEuvZB-98g2 valid cipher text decrypted to valid value - proper response (200 ok) valid cipher text decrypted to invalid value - page not found or similar response (404) Invalid cipher text - padding error If the application gives different errors in the above 3 cases, it is vulnerable and easy to exploit.

20 OWASP 20 Tools  Padbuster https://www.gdssecurity.com/l/t/d.php?k=PadBuster  Poet http://netifera.com/research/  Padbusterdotnet http://www.mindedsecurity.com/fileshare/padBusterdotnet.zip

21 OWASP 21 Padding oracle attack Why Is this working?  CBC mode only provides confidentiality.  Confidentiality doe not ensure that the value is tampered or not.  Integrity check has to be performed. Solution  Implemented integrity check by adding hash to the encrypted value Before fix : http://website.com/application/WebResource.axd?d=jzjghMVYzFihd9Uhe_arpA2 After fix: http://website.com/application/WebResource.axd?d=jzjghMVYzFihd9Uhe_arpA2 http://website.com/application/WebResource.axd?d=jadfz0GadfahafMVYzFihd9Uh adfadfdfdfe_aereradf349jkMjlrfgRr6moijfdn_Aretkjf093rpA2

22 OWASP 22 For more information on exploitation and usage of tools visit my site http://Securitylearn.wordpress.com References http://www.troyhunt.com/2010/09/fear-uncertainty-and-and-padding- oracle.html http://weblogs.asp.net/scottgu/archive/2010/09/28/asp-net-security- update-now-available.aspx http://eglasius.blogspot.com/2010/09/aspnet-padding-oracle-how-it- relates-to.html http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle- attacks-with-padbuster/

23 OWASP 23 Questions?

Download ppt "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."

Similar presentations

Symmetric Encryption Prof. Ravi Sandhu.

Symmetric Encryption Prof. Ravi Sandhu.
Chapter 4: Modes of Operation CS 472: Fall 2012. Encrypting a Large Massage 1.Electronic Code Book (ECB) 2.Cipher Block Chaining (CBC) 3.Output Feedback.

Chapter 4: Modes of Operation CS 472: Fall Encrypting a Large Massage 1.Electronic Code Book (ECB) 2.Cipher Block Chaining (CBC) 3.Output Feedback.
ECE454/CS594 Computer and Network Security

ECE454/CS594 Computer and Network Security
MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.

MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.
“Advanced Encryption Standard” & “Modes of Operation”

“Advanced Encryption Standard” & “Modes of Operation”
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.

Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
Modern Symmetric-Key Ciphers

Modern Symmetric-Key Ciphers
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Workshop 1: Padding Oracle Attack Daoyuan Feb 28, 2014 1.

Workshop 1: Padding Oracle Attack Daoyuan Feb 28,
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.

Cryptography1 CPSC 3730 Cryptography Chapter 6 Triple DES, Block Cipher Modes of Operation.
Chapter 5 Cryptography Protecting principals communication in systems.

Chapter 5 Cryptography Protecting principals communication in systems.
Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.

Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.
McGraw-Hill©The McGraw-Hill Companies, Inc., 2004 1 Security PART VII.

McGraw-Hill©The McGraw-Hill Companies, Inc., Security PART VII.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Cryptography April 20, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Cryptography April 20, 2010 MIS 4600 – MBA © Abdou Illia.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
Encryption Methods By: Michael A. Scott 20140508.

Encryption Methods By: Michael A. Scott
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Similar presentations

Ads by Google