No-Knowledge Crypto Attacks
DESCRIPTION
Attacks against badly implemented cryptography that don't require in-depth knowledge of cryptography.
TRANSCRIPT
No-Knowledge Crypto Attacks
Presented by: Daniel Crowley
COPYRIGHT TRUSTWAVE 2011

Structure
› Background
› Attack!
› Potential Win

IDENTIFYING CIPHERTEXT
“Yep, it’s wood”

Properties of ciphertext
› Appears random
› Generally encoded
› Decoded length often multiple of 8/16/32
  – Block ciphers

Example
› Base64 encoded
› Decodes to 80 bytes
› Ent shows strong signs of randomness
› Probably ciphertext (okay, it is, I generated it)

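The checks from the two slides above (encoding, decoded length, apparent randomness), written out as an added Python example that is not part of the original talk. The sample token is constructed, and the thresholds and the printable-byte test are assumptions made for this example.

```python
import base64, binascii, hashlib, math
from collections import Counter

def decode(value):
    """Return (encoding, raw bytes) for hex or Base64 input, else (None, None)."""
    try:
        return "hex", bytes.fromhex(value)
    except ValueError:
        pass
    try:
        padded = value + "=" * (-len(value) % 4)
        # Accept the URL-safe alphabet as well as the standard one.
        return "base64", base64.b64decode(
            padded.replace("-", "+").replace("_", "/"), validate=True)
    except (binascii.Error, ValueError):
        return None, None

def shannon_entropy(raw):
    counts = Counter(raw)
    return -sum(c / len(raw) * math.log2(c / len(raw)) for c in counts.values())

def assess(value):
    enc, raw = decode(value)
    if not raw:
        return {"encoding": None, "likely_ciphertext": False}
    # n bytes can never show more than log2(n) bits of entropy per byte,
    # so short tokens are scored against that ceiling instead of 8.0.
    ceiling = min(8.0, math.log2(len(raw))) if len(raw) > 1 else 1.0
    norm = shannon_entropy(raw) / ceiling
    printable = sum(32 <= b < 127 for b in raw) / len(raw)
    block_sizes = [n for n in (8, 16, 32) if len(raw) % n == 0]
    return {
        "encoding": enc, "length": len(raw), "block_sizes": block_sizes,
        "normalised_entropy": round(norm, 2), "printable_ratio": round(printable, 2),
        # Heuristic thresholds chosen for this example, not taken from the talk.
        "likely_ciphertext": norm > 0.85 and printable < 0.6 and bool(block_sizes),
    }

def sample_token():
    # Constructed sample: 80 pseudo-random bytes standing in for real ciphertext.
    raw = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(3))[:80]
    return base64.b64encode(raw).decode()

if __name__ == "__main__":
    print(assess(sample_token()))
```

Short encoded plaintext can score high on entropy alone, which is why the printable-byte ratio is checked alongside it.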
REPLAY ATTACK
Bait and switch

Background
› Reuse of cryptovariables
› Trust in decrypted data

Attack!
› Reuse ciphertext
OR
› Find two places where ciphertext is being accepted
› Swap them around

Potential Win
› Ciphertext from “article.php?id=(ciphertext)”
› Placed in “doPasswordReset.php?userid=(ciphertext)”
› Reset password for another user

DECRYPTION ORACLE
Decrypt ALL the things!

Background
› Application takes encrypted input
› Application decrypts input
› Application gives you decrypted output

Identifying Decryption Oracles
› Look for encrypted input
› Modify input and look for garbled response

Attack!
› Take ciphertext from another location
› Plug into decryption oracle

Potential Win
› “Password” cookie with encrypted value
› Plug cookie into decryption oracle
› PASSWORDS!

ENCRYPTION ORACLE
Encrypt ALL the things!

Background
› Application takes plaintext input
› Application encrypts input
› Application gives you encrypted output

Identifying Encryption Oracles
› Look for ciphertext in responses
› Modify input and look for modified ciphertext
› Length is often the giveaway

Attack!
› Encrypt strings like ‘ or 1=1#
› Plug encrypted string into any encrypted input
› Cross your fingers

Potential Win
› resetpass.php?id=(ciphertext)
› resetpass.php?id=( ENC(‘ or 1=1 #) )
› SQLi!

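The replay swap and both oracle sections rely on ciphertext issued in one place being accepted in another. The Python sketch below is an added example, not code from the talk, showing one way to reject that: a MAC binds each token to the parameter it was issued for and to an expiry time. The key, the purpose labels and the function names are assumptions made for this example, and the inner ciphertext is a constructed stand-in.

```python
import hashlib, hmac, time

MASTER_KEY = b"constructed master key"  # constructed for this example

def _tag(purpose, expires, ciphertext):
    # The MAC covers purpose and expiry, so neither can be changed or swapped.
    # Purpose labels are server-side constants and must not contain "|".
    msg = purpose.encode() + b"|" + str(expires).encode() + b"|" + ciphertext
    return hmac.new(MASTER_KEY, msg, hashlib.sha256).digest()

def seal(purpose, ciphertext, ttl=300, now=None):
    expires = int(now if now is not None else time.time()) + ttl
    return expires.to_bytes(8, "big") + ciphertext + _tag(purpose, expires, ciphertext)

def open_sealed(purpose, token, now=None):
    """Return the inner ciphertext only if it was issued for this purpose and is unexpired."""
    if len(token) < 40:
        return None
    expires = int.from_bytes(token[:8], "big")
    ciphertext, tag = token[8:-32], token[-32:]
    if not hmac.compare_digest(tag, _tag(purpose, expires, ciphertext)):
        return None  # rejected before anything is decrypted or echoed back
    if (now if now is not None else time.time()) > expires:
        return None  # stale token: replay outside its lifetime fails
    return ciphertext

def demo():
    blob = bytes(range(16))  # constructed stand-in for an encrypted id
    token = seal("article.php:id", blob, now=1000)
    return {
        "same_endpoint": open_sealed("article.php:id", token, now=1100) == blob,
        "swapped": open_sealed("doPasswordReset.php:userid", token, now=1100),
        "expired": open_sealed("article.php:id", token, now=2000),
        "tampered": open_sealed("article.php:id", token[:8] + b"\xff" + token[9:], now=1100),
    }

if __name__ == "__main__":
    print(demo())
```

Because verification happens before decryption, an endpoint built this way never decrypts or echoes back data derived from a token that was issued elsewhere.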
STREAM CIPHER BIT FLIPPING
Flipping easy

Background
› Construction is simple
› Same key & IV means same keystream
› Reusing cryptovariables means catastrophic failure

      0 1 1 0 0 1 0 0
XOR   1 0 1 0 1 0 1 0
  =   1 1 0 0 1 1 1 0

      0 1 1 0 0 1 0 1
XOR   1 0 1 0 1 0 1 0
  =   1 1 0 0 1 1 1 1

Attack!
› Flip bits in ciphertext input
› Same bits in plaintext are flipped
› No modification to other parts of message

Potential Win
› Plaintext
  – username=fred&admin=0
› Flip lots of bits until…
  – username=fred&admin=1

STREAM CIPHER KEYSTREAM RECOVERY
I couldn’t think of anything funny for this one

Attack!
› Guess plaintext of an encrypted message
› XOR plaintext and ciphertext to get suspected keystream
› XOR suspected keystream with unknown ciphertext
  – Attempt to read message

Definite Win
› Ability to encrypt and decrypt anything
  – In byte positions where known plaintext resides

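Both stream cipher sections, bit flipping and keystream recovery, worked through in Python as an added example that is not from the original talk. The keystream generator is a toy built from SHA-256 for this example (an assumption, not a real cipher), and the key, IV and messages are constructed.

```python
import hashlib

KEY, IV = b"constructed key", b"reused iv"  # constructed; the same pair is used for every message

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))  # stops at the shorter input

def keystream(n):
    # Toy keystream generator: SHA-256 over key, IV and a counter (a stand-in
    # for a real stream cipher, not secure). Same key and IV, same keystream.
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(KEY + IV + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def crypt(data):
    return xor(data, keystream(len(data)))  # encryption and decryption are the same XOR

def bit_flip():
    ct = bytearray(crypt(b"username=fred&admin=0"))
    ct[-1] ^= ord("0") ^ ord("1")  # flip only the bit that differs between "0" and "1"
    return crypt(bytes(ct))        # every other byte decrypts unchanged

def recover_and_reuse():
    known_pt = b"username=fred&admin=0"
    known_ct = crypt(known_pt)
    other_ct = crypt(b"username=root&admin=1&note=constructed")
    ks = xor(known_pt, known_ct)   # keystream for the first 21 byte positions only
    read = xor(ks, other_ct)       # the other message, readable up to that length
    forged = xor(ks, b"username=test&admin=1")  # valid ciphertext made without KEY
    return read, crypt(forged)

if __name__ == "__main__":
    print(bit_flip())
    print(recover_and_reuse())
```

A unique IV per message removes the shared keystream, and a MAC over the ciphertext is what makes the flipped bit detectable.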
ECB BLOCK SHUFFLING
Every day I’m shufflin’

Background
› ECB is a block cipher mode
› Each block is encrypted independent of others
› Blocks can be reordered, removed, duplicated

[Diagram: ECB mode. PLAINTEXT blocks 1, 2, 3; one CIPHER per block; CIPHERTEXT blocks 1, 2, 3.]

Attack!
› Shuffle blocks around randomly in encrypted messages
› Cross your fingers!

Plaintext before modification

0     1     2     3     4     5     6     7
L     A     S     T     V     I     S     I
T     E     D     =     /     E     N     /
H     O     M     E     .     J     S     P
&     U     S     E     R     I     D     =
1     2     3     4     \x04  \x04  \x04  \x04

lastVisited=/en/home.jsp&userId=1234

Plaintext after modification

0     1     2     3     4     5     6     7
L     A     S     T     V     I     S     I
T     E     D     =     /     E     N     /
H     O     M     E     .     J     S     P
&     U     S     E     R     I     D     =
1     &     F     O     O     =     B     A
1     2     3     4     \x04  \x04  \x04  \x04

lastVisited=/en/home.jsp&userId=1&foo=ba1234

CBC BIT FLIPPING
Flipping awesome

Background
› CBC is a block cipher mode
› When decrypting, each block affects next block
› Flipping bits in ciphertext block n
  – Garbles plaintext block n
  – Flips same bits in plaintext block n+1

[Diagram: CBC mode. PLAINTEXT blocks A, B, C; IV; one CIPHER per block; CIPHERTEXT blocks A, B, C. Shown on two consecutive slides.]

Attack!
› Submit ciphertext multiple times
› Flip a different bit each time
› Cross your fingers!

Potential Win
› Plaintext is:
  – lastVisited=http://example.com/home.jsp&uid=124%01
  – (lastVisited=http)(://example.com/h)(ome.jsp&uid=124%01)
    • Split into 16 byte blocks
› Flip bits in bytes 13-15 in block 2
  – Block 2 becomes garbage
  – “124” in block 3 has bits flipped in plaintext
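
The ECB and CBC slides above, reproduced in Python on the deck's own plaintexts as an added example that is not from the original talk. The block cipher is a toy Feistel construction written for this example (an assumption standing in for a real cipher, not secure); the keys, the zero IV and the MAC check are likewise constructed.

```python
import hashlib, hmac

KEY, MAC_KEY, IV = b"constructed demo key", b"constructed mac key", bytes(16)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data, n):
    return [data[i:i + n] for i in range(0, len(data), n)]

def feistel(blk, decrypt=False):
    # Toy 4-round Feistel block cipher for any even block size (NOT secure).
    h = len(blk) // 2
    l, r = blk[:h], blk[h:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        l, r = r, xor(l, hashlib.sha256(KEY + bytes([i]) + r).digest()[:h])
    return r + l

def ecb(data, n, decrypt=False):
    # ECB: every block is processed independently of its neighbours.
    return b"".join(feistel(b, decrypt) for b in blocks(data, n))

def cbc_encrypt(pt, n):
    out = [IV]
    for p in blocks(pt, n):
        out.append(feistel(xor(p, out[-1])))
    return b"".join(out[1:])

def cbc_decrypt(ct, n):
    cs = [IV] + blocks(ct, n)
    return b"".join(xor(feistel(c, True), prev) for prev, c in zip(cs, cs[1:]))

def mac(ct):
    return hmac.new(MAC_KEY, IV + ct, hashlib.sha256).digest()

def ecb_splice():
    # 8-byte blocks: a block from another message under the same key is inserted.
    msg = ecb(b"lastVisited=/en/home.jsp&userId=1234\x04\x04\x04\x04", 8)
    other = ecb(b"1&foo=ba", 8)
    return ecb(msg[:32] + other + msg[32:], 8, decrypt=True)

def cbc_flip():
    # 16-byte blocks: one bit flipped in ciphertext block 2, under the "4" of block 3.
    ct = cbc_encrypt(b"lastVisited=http://example.com/home.jsp&uid=124\x01", 16)
    bad = bytearray(ct)
    bad[16 + 14] ^= 0x01
    plain = blocks(cbc_decrypt(bytes(bad), 16), 16)
    return plain, hmac.compare_digest(mac(ct), mac(bytes(bad)))
```

In `cbc_flip()` block 1 is untouched, block 2 decrypts to garbage and block 3 ends in `125`; the second return value is `False` because a MAC over the IV and ciphertext no longer matches after either kind of modification.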
MISCELLANEOUS
Bonus round!

Other Fun Attacks
› Padding Oracles
  – padBuster.pl
› Hash length extension attacks
  – Hash_extender