Presentation is loading. Please wait.

Presentation is loading. Please wait.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Published byOsborn Warner Modified over 9 years ago

Similar presentations

Presentation on theme: "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."— Presentation transcript:

1 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org/ Practical Crypto Attacks Against Web Applications Justin Clarke OWASP London Chapter Leader OWASP Global Connections Committee

2 OWASP Foundation  IANAC  Usage != security  Pentesting? Overview

3 OWASP Foundation  Confidentiality – Prevent the disclosure of information to unauthorized individuals or systems  Integrity – Ensure that data cannot be modified undetectably  Authenticity - Validate that a party is who they claim they are The Need for Cryptography

4 OWASP Foundation  Symmetric Crypto Attacks  ECB Mode Usage  Padding-Based Attacks  Secure Random Number Generation (if we have time) Scenarios

5 OWASP Foundation  Most block ciphers support multiple modes of operation  The most common modes are :  ECB – Electronic Code Book  CBC – Cipher Block Chaining  CFB - Cipher Feedback  OFB - Output Feedback  None provide integrity if used in isolation Symmetric Crypto Attacks

6 OWASP Foundation Why is ECB mode BAD?

7 OWASP Foundation  Reason #1 Why is ECB mode BAD? ECB CONFIDENTIALITY

8 OWASP Foundation  Reason #2 Why is ECB mode BAD? UID:23909,Email:john@doe.com,NickName:JohnDoe2301,Role:3

9 OWASP Foundation  Reason #2 Why is ECB mode BAD? UID:23909,Email:john@doe.com,NickName:JohnDoe2301,Role:3 Block 1Block 2Block 3Block 4Block 5Block 6Block 7 UID:23909,Email:john@doe.com,NickName:JohnDoe2301,Role:3 9648dab1 d7f285ac 22a1eaee db7aabbb 0f5a7a2a 1f8de75f 86adfcf6 17abcbcf 6adb7872 7ab9dd8e 96bdc238 5fa70ba2 69e75f87 cf74ab6d CIPHERTEXT

10 OWASP Foundation Why is ECB mode BAD? Block 1Block 7Block 2Block 3Block 4Block 5Block 6 9648dab1 d7f285ac 69e75f87 cf74ab6d 22a1eaee db7aabbb 0f5a7a2a 1f8de75f 86adfcf6 17abcbcf 6adb7872 7ab9dd8e 96bdc238 5fa70ba2 UID:23909,Email:john@doe.com,NickName:JohnDoe2301,Role:3 Block 1Block 2Block 3Block 4Block 5Block 6Block 7 UID:23909,Email:john@doe.com,NickName:JohnDoe2301,Role:3 9648dab1 d7f285ac 22a1eaee db7aabbb 0f5a7a2a 1f8de75f 86adfcf6 17abcbcf 6adb7872 7ab9dd8e 96bdc238 5fa70ba2 69e75f87 cf74ab6d  Reason #2 CIPHERTEXT

11 OWASP Foundation Why is ECB mode BAD? Block 1Block 7Block 2Block 3Block 4Block 5Block 6 9648dab1 d7f285ac 69e75f87 cf74ab6d 22a1eaee db7aabbb 0f5a7a2a 1f8de75f 86adfcf6 17abcbcf 6adb7872 7ab9dd8e 96bdc238 5fa70ba2 UID:23901,Role:39,Email:john@doe.com,NickName:JohnDoe230 UID:23909,Email:john@doe.com,NickName:JohnDoe2301,Role:3 UID:23901,Role:39,Email:john@doe.com,NickName:JohnDoe230 Block 1Block 2Block 3Block 4Block 5Block 6Block 7 UID:23909,Email:john@doe.com,NickName:JohnDoe2301,Role:3 9648dab1 d7f285ac 22a1eaee db7aabbb 0f5a7a2a 1f8de75f 86adfcf6 17abcbcf 6adb7872 7ab9dd8e 96bdc238 5fa70ba2 69e75f87 cf74ab6d  Reason #2 CIPHERTEXT

12 OWASP Foundation Why is ECB mode BAD? Block 1Block 7Block 2Block 3Block 4Block 5Block 6 9648dab1 d7f285ac 69e75f87 cf74ab6d 22a1eaee db7aabbb 0f5a7a2a 1f8de75f 86adfcf6 17abcbcf 6adb7872 7ab9dd8e 96bdc238 5fa70ba2 UID:23901,Role:39,Email:john@doe.com,NickName:JohnDoe230 UID:23909,Email:john@doe.com,NickName:JohnDoe2301,Role:3 UID:23901,Role:39,Email:john@doe.com,NickName:JohnDoe230 Block 1Block 2Block 3Block 4Block 5Block 6Block 7 UID:23909,Email:john@doe.com,NickName:JohnDoe2301,Role:3 9648dab1 d7f285ac 22a1eaee db7aabbb 0f5a7a2a 1f8de75f 86adfcf6 17abcbcf 6adb7872 7ab9dd8e 96bdc238 5fa70ba2 69e75f87 cf74ab6d  Reason #2 CIPHERTEXT

13 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org/ DEMO ECB Mode Attack

14 OWASP Foundation What about CBC mode?

15 OWASP Foundation What about CBC mode? CBC CONFIDENTIALITY

16 OWASP Foundation  Original Ciphertext CBC Decryption BLOCK 1BLOCK 2BLOCK 3

17 OWASP Foundation  Block Swapping will result in data corruption CBC Decryption BLOCK 1BLOCK 3BLOCK 2

18 OWASP Foundation  “Padding Oracle” Attack  Leverages byte flipping of ciphertext to generate invalid padding exceptions  Data can be decrypted (and encrypted too) without knowledge of the secret key Attacking CBC Encrypted Data

19 OWASP Foundation How Padding Works

20 OWASP Foundation  Assuming this scheme, then there are only 8 possible valid padding sequences:  0x01  0x02, 0x02  0x03, 0x03, 0x03,  0x04, 0x04, 0x04, 0x04  0x05, 0x05, 0x05, 0x05, 0x05,  0x06, 0x06, 0x06, 0x06, 0x06, 0x06  0x07, 0x07, 0x07, 0x07, 0x07, 0x07, 0x07  0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08, 0x08 How Padding Works

21 OWASP Foundation Flipping Bytes in CBC Mode

22 OWASP Foundation  Is the key the correct size?  Invalid Key Exception  Is the value (bytes) an even block multiple?  Invalid Length Exception  Is the decrypted block properly padded?  Invalid Padding Exception  Return the value The Decryption Process CRITICAL

23 OWASP Foundation The Padding Oracle Attack

24 OWASP Foundation The Padding Oracle Attack Call this “Byte X” Call this “Byte Y” Basic Premise: A change of Byte X (ciphertext) will change Byte Y (plaintext) There is a one-to-one correlation between Byte X values and Byte Y values Exception is thrown if plain-text does not end with a valid padding sequence

25 OWASP Foundation The Padding Oracle Attack Byte X == 0x00 Byte Y == ??? Exception? YES Byte Y is not valid padding

26 OWASP Foundation The Padding Oracle Attack Byte X == 0x01 Byte Y == ??? Exception? YES Byte Y is not valid padding

27 OWASP Foundation The Padding Oracle Attack Byte X == 0x02 Byte Y == ??? Exception? YES Byte Y IS valid padding (must be 0x01)

28 OWASP Foundation  What does that tell us?  The altered byte value produced valid padding when XOR’ed with the intermediate value The Padding Oracle Attack IF A ^ B = C THEN A ^ C = B AND C ^ B = A

29 OWASP Foundation  What does that tell us?  If the padding byte was 0x01: –Our Byte (0x02) ^ Intermediate Byte (??) == 0x01 –Intermediate Byte == Our Byte (0x02) ^ 0x01  The plain-text value is the intermediate value XOR’ed with the prior ciphertext byte The Padding Oracle Attack

30 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org/ DEMO Padding Oracle Attack

31 OWASP Foundation  As we’ve seen, encrypted data (while kept private) is still susceptible to tampering  We need to ensure PRIVACY and INTEGRITY What’s the solution? Encryption Message

32 OWASP Foundation  Encrypt + Sign the Ciphertext  HMAC: Combines a cryptographic hash function with a secret key  Cannot be re-computed without the key  Verifies the integrity and authenticity of a message SIGNATURE What’s the solution? Encryption Message

33 OWASP Foundation Another Lesson Learned  Why not HMAC within the ciphertext?  Does not prevent against side channel attacks during decryption  Padding Oracle Attack in.NET Framework  Discovered September 2010  Viewstate and Forms Authentication Cookies were affected even though an HMAC was included within the ciphertext  Tampering was only be detected after decryption

34 OWASP Foundation  Crypto is hard to get right  Lots of ways to make mistakes  When in doubt, ask an expert So to Summarize…

35 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation http://www.owasp.org/ Justin Clarke justin.clarke@owasp.org justin@gdssecurity.com Twitter: @connectjunkie

Download ppt "Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP."

Similar presentations

Chapter 4: Modes of Operation CS 472: Fall 2012. Encrypting a Large Massage 1.Electronic Code Book (ECB) 2.Cipher Block Chaining (CBC) 3.Output Feedback.

Chapter 4: Modes of Operation CS 472: Fall Encrypting a Large Massage 1.Electronic Code Book (ECB) 2.Cipher Block Chaining (CBC) 3.Output Feedback.
ECE454/CS594 Computer and Network Security

ECE454/CS594 Computer and Network Security
MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.

MAC Raushan. DES simple fiestel network 3131 PlainText Blocks 2*4=8bits 31 f f =0011 xor 0011=0000 = 0 f(r,k)=(2*r+k^2)%8 f(1,5)=(2*1+5^2)%8=3 xor 3 3.
Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.

Encipherment Using Modern Symmetric-Key Ciphers. 8.2 Objectives ❏ To show how modern standard ciphers, such as DES or AES, can be used to encipher long.
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format

Side Channel Attacks on CBC Encrypted Messages in the PKCS#7 Format
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.

Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas
Block Ciphers 1 Block Ciphers Block Ciphers 2 Block Ciphers  Modern version of a codebook cipher  In effect, a block cipher algorithm yields a huge.

Block Ciphers 1 Block Ciphers Block Ciphers 2 Block Ciphers  Modern version of a codebook cipher  In effect, a block cipher algorithm yields a huge.
Chapter 5 Cryptography Protecting principals communication in systems.

Chapter 5 Cryptography Protecting principals communication in systems.
Cryptographic Technologies

Cryptographic Technologies
Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.

Modes of Operation CS 795. Electronic Code Book (ECB) Each block of the message is encrypted with the same secret key Problems: If two identical blocks.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Hash Functions Nathanael Paul Oct. 9, 2002. Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)

Hash Functions Nathanael Paul Oct. 9, Hash Functions: Introduction Cryptographic hash functions –Input – any length –Output – fixed length –H(x)
Overview of Cryptography and Its Applications Dr. Monther Aldwairi New York Institute of Technology- Amman Campus INCS741: Cryptography.

Overview of Cryptography and Its Applications Dr. Monther Aldwairi New York Institute of Technology- Amman Campus INCS741: Cryptography.
Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.

Fall 2010/Lecture 311 CS 426 (Fall 2010) Public Key Encryption and Digital Signatures.
Lecture 23 Symmetric Encryption

Lecture 23 Symmetric Encryption
CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS

CRYPTOGRAPHIC DATA INTEGRITY ALGORITHMS

Similar presentations

Ads by Google