ssl/poodle: history repeats itself

Yurii Bilyk || 2014 SSL/POODLE: History repeats itself

Upload: yurii-bilyk

Post on 21-Jan-2017


Page 1: SSL/POODLE: History repeats itself

Yurii Bilyk || 2014

SSL/POODLE: History repeats itself

Page 2: SSL/POODLE: History repeats itself

AGENDA

XOR Function

Symmetric-Key Crypto Basics

Padding Oracle Attack details

POODLE Attack

Page 3: SSL/POODLE: History repeats itself

LIVE. DIE. REPEAT.

History Repeats Itself

Page 4: SSL/POODLE: History repeats itself

Secure Socket Layer (SSL/TLS)

Key Exchange: RSA, Diffie-Hellman, PSK

Authentication: RSA, DSA, ECDSA

Symmetric Cipher: RC4, IDEA, DES, 3DES, AES

Data Integrity: SHA, MD5, MD4 and MD2

Page 5: SSL/POODLE: History repeats itself

SSL/TLS Vulnerabilities History

2002

2013

Padding Oracle Attack discovery

BEAST Attack discovery

CRIME & BREACH Attack discovery

Lucky 13 Attack discovery

POODLE Attack discovery (2014)

Page 6: SSL/POODLE: History repeats itself

Heartbleed

Issue in the implementation of the crypto protocol/system

***IT happens

Not an issue in the cipher

Page 7: SSL/POODLE: History repeats itself

Modern Cryptography

After Computer Era

Page 8: SSL/POODLE: History repeats itself

One-Time Pad (OTP)

A plaintext is paired with a random, secret key (or pad) that is at least as long as the message

Each bit or character of the plaintext is encrypted by combining it with the corresponding bit or character from the pad using modular addition

Page 9: SSL/POODLE: History repeats itself

Unbreakable One-Time Pad (OTP)

Key is truly random

Key is at least as long as the plaintext

Key is never reused in whole or in part, and is kept completely secret

Page 10: SSL/POODLE: History repeats itself

Symmetric-Key Cryptography

One shared key

Block ciphers

Stream ciphers

Page 11: SSL/POODLE: History repeats itself

Stream Cipher

Flood Is Coming

Page 12: SSL/POODLE: History repeats itself

Stream Ciphers

Key Stream is used (generated from Key)

Gamma (Key Stream) generator is pseudo-random with some period (bigger is better)

Works really fast (XOR Key Stream with MSG)

Page 13: SSL/POODLE: History repeats itself

Bit-Flipping Attack

Attacker knows part of the plaintext and its position in the ciphertext (for example, an amount of money)

Can change this part without knowing the key (nature of XOR)

Page 14: SSL/POODLE: History repeats itself

Message Authentication Code (MAC)

Hash Functions (MD5, SHA, etc.)

Encrypted data integrity check

Used not only for integrity checks of encrypted data (web form data validation, plaintext data, etc.)
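
The bit-flipping property and the MAC check from the two slides above, as an added example that is not part of the original slides. The SHA-256 counter keystream is a toy stand-in for a real stream cipher, and the keys, message and function names are constructed for the demo.

```python
import hashlib, hmac

def keystream(key, n):
    """Toy keystream: SHA-256 in counter mode (constructed, not a real cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def stream_xor(key, data):
    # Encryption and decryption are the same operation: data XOR keystream.
    return bytes(d ^ k for d, k in zip(data, keystream(key, len(data))))

def flip(ct, offset, known, wanted):
    """Change plaintext `known` into `wanted` at `offset` without the key."""
    patch = bytes(k ^ w for k, w in zip(known, wanted))
    mid = bytes(c ^ p for c, p in zip(ct[offset:], patch))
    return ct[:offset] + mid + ct[offset + len(mid):]

def seal(enc_key, mac_key, msg):
    ct = stream_xor(enc_key, msg)
    return ct, hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, ct, tag):
    want = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        return None  # integrity check failed: ciphertext was modified
    return stream_xor(enc_key, ct)

def demo():
    enc_key, mac_key = b"constructed-enc-key", b"constructed-mac-key"
    msg = b"PAY alice amount=0000100 EUR"  # constructed sample message
    ct, tag = seal(enc_key, mac_key, msg)
    forged = flip(ct, msg.index(b"0000100"), b"0000100", b"9999999")
    return (
        stream_xor(enc_key, forged),                 # receiver without a MAC
        open_sealed(enc_key, mac_key, forged, tag),  # receiver with a MAC
        open_sealed(enc_key, mac_key, ct, tag),      # untouched message
    )
```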

Page 15: SSL/POODLE: History repeats itself

Block Cipher

Tetris Is Here

Page 16: SSL/POODLE: History repeats itself

Block Ciphers

Fixed block size

Uses padding

Different modes (ECB, CBC, etc)

Page 17: SSL/POODLE: History repeats itself

Electronic Codebook (ECB)

Each block processed individually

Plain Text: M y V e r y S e c r e t T e x t

Encrypted: L G l h 3 l a 1 X E K h X r A c

Page 18: SSL/POODLE: History repeats itself

Electronic Codebook (ECB)

[Figure panels: PlainText, AES-256-ECB, AES-256-CBC]

Page 19: SSL/POODLE: History repeats itself

Cipher Block Chaining (CBC)

Added initialization vector (IV)

More secure (by design)

Still vulnerable to padding attacks

Page 20: SSL/POODLE: History repeats itself

Cipher Block Chaining (CBC)

Plain Text: M y V e r y S e c r e t T e x t

IV: 1 2 3 4 5 6 7 8

Encrypted: L G l h 3 l a 1 X E K h X r A c

Page 21: SSL/POODLE: History repeats itself

Padding Types

Bit Padding (add 1 bit and zeros)

Byte Padding (add some bytes plus the padding length, or add bytes whose value equals the padding length, etc.)

Mixed Padding (add 1 bit and then bytes, for ex. MD5 padding)

Page 22: SSL/POODLE: History repeats itself

Byte Padding

Zero Bytes Padding: A B C D 0x00 0x00 0x00 0x00

Padding Length Bytes: A B C D 0x04 0x04 0x04 0x04

0xFF Bytes + Padding Length Byte: A B C D 0xFF 0xFF 0xFF 0x03

Page 23: SSL/POODLE: History repeats itself

Remember I'm offering you the truth. Nothing More.

Padding Oracle

Page 24: SSL/POODLE: History repeats itself

Padding Oracle

Oracle: something that can prove or refute your assumptions

Padding: building blocks to make things the same size

Together: a nightmare for cryptography

Page 25: SSL/POODLE: History repeats itself

Padding Oracle Nightmare

You don’t need a KEY

Almost independent of the cipher algorithm (CBC mode)

Faster than a brute-force attack

Page 26: SSL/POODLE: History repeats itself

XOR Magic

It’s just magic

Page 27: SSL/POODLE: History repeats itself

Exercise (Swap Variables)

int a = 5, b = 10;

a = a ^ b; // a = 15

b = a ^ b; // b = 5

a = a ^ b; // a = 10

Page 28: SSL/POODLE: History repeats itself

The Magic XOR Rules

$A \oplus A = 0$

$A \oplus 0 = A$

$A \oplus B = B \oplus A$

$(A \oplus B) \oplus C = A \oplus (B \oplus C)$

Page 29: SSL/POODLE: History repeats itself

Padding Oracle Attack: Details

Encrypted C1: L G l h 3 l a 1

Encrypted C2: X E K h X r A c

Intermediate I2: I K 7 u F Q s b

Plain M2: M y M S G 3 3 3

Page 30: SSL/POODLE: History repeats itself

Padding Oracle Attack: Details

$M2 = C1 \oplus I2$

$I2 = M2 \oplus C1$

We CAN change the resulting plaintext M2 by changing the encrypted block C1

Page 31: SSL/POODLE: History repeats itself

Padding Oracle Attack: Last Byte

C1: L G l h 3 l a A (A = C1[8])

C2: X E K h X r A B (B = C2[8])

I2: I K 7 u F Q s C (C = I2[8])

M2: M y M S G 3 3 D (D = M2[8])

Page 32: SSL/POODLE: History repeats itself

Padding Oracle Attack: Last Byte

1. Iterate byte PP from 0x00 to 0xFF (possible M2[8] byte)

2. Set $A = C1[8] \oplus PP \oplus 0x01$

3. Check Padding Oracle if we got correct padding (D = 0x01)

4. In case of correct padding we can calculate M2[8] last byte:

• $M2[8] = C1[8] \oplus C$

• Because $C = D \oplus A$

• Then $C = 0x01 \oplus C1[8] \oplus PP \oplus 0x01$

• We can simplify it to $C = C1[8] \oplus PP$

• In this case $M2[8] = C1[8] \oplus C1[8] \oplus PP$

• And finally $M2[8] = PP$, voila!

Page 33: SSL/POODLE: History repeats itself

Padding Oracle Attack: Tools

POET – Apache MyFaces form padding oracle expl. tool http://netifera.com/research/

PadBuster – ASP.NET (not only) padding oracle expl. tool https://github.com/GDSSecurity/PadBuster

Bletchley – python based cryptography expl. multitool https://code.google.com/p/bletchley/

Page 34: SSL/POODLE: History repeats itself

How-to Mitigate?

• Use a MAC together with encryption

• Don’t reveal padding errors to the attacker

• Use another cipher mode (CFB, etc.)
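
The last-byte steps and the MAC mitigation from the slides above, run end to end as an added example that is not part of the original slides. A toy 8-byte Feistel cipher stands in for a real block cipher, and every function name, key and the sample message is constructed; the second "probe" query is an addition to the slide's four steps that rejects a padding which is valid only by accident. `demo()` returns the byte recovered from a receiver that leaks padding validity, then the result against a receiver that verifies an HMAC first.

```python
import hashlib, hmac, os
BS = 8  # 8-byte blocks, as on the slides

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def f(key, i, half):  # round function of a toy Feistel cipher (constructed, NOT secure)
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]

def feistel(key, block, rounds):  # range(4) encrypts, range(3, -1, -1) decrypts
    l, r = block[:4], block[4:]
    for i in rounds:
        l, r = r, xor(l, f(key, i, r))
    return r + l

def cbc_encrypt(key, iv, msg):
    n = BS - len(msg) % BS
    msg += bytes([n]) * n  # "Padding Length Bytes" scheme
    out = [iv]
    for i in range(0, len(msg), BS):
        out.append(feistel(key, xor(msg[i:i + BS], out[-1]), range(4)))
    return b"".join(out[1:])

def padding_ok(key, iv, ct):  # leaky receiver: answers only valid/invalid padding
    m = xor(feistel(key, ct[-BS:], range(3, -1, -1)), (iv + ct)[-2 * BS:-BS])
    return 1 <= m[-1] <= BS and m.endswith(m[-1:] * m[-1])

def mac_then_padding_ok(key, mac_key, iv, ct, tag):  # mitigation: check the MAC first
    want = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return hmac.compare_digest(tag, want) and padding_ok(key, iv, ct)

def recover_last_byte(oracle, c1, c2):
    for pp in range(256):                               # step 1
        forged = c1[:-1] + bytes([c1[-1] ^ pp ^ 0x01])  # step 2: A
        probe = forged[:-2] + bytes([forged[-2] ^ 0xFF]) + forged[-1:]
        # step 3; the probe rejects a longer padding that is valid by accident
        if oracle(forged + c2) and oracle(probe + c2):
            return pp                                   # step 4: M2[8] = PP
    return None

def demo():
    key, mac_key, iv = os.urandom(16), os.urandom(16), os.urandom(BS)
    ct = cbc_encrypt(key, iv, b"block-01MyMSG")  # M2 = "MyMSG" 03 03 03
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    leaky = lambda c: padding_ok(key, iv, c)
    sealed = lambda c: mac_then_padding_ok(key, mac_key, iv, c, tag)
    c1, c2 = ct[:BS], ct[BS:]
    return recover_last_byte(leaky, c1, c2), recover_last_byte(sealed, c1, c2)
```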

Page 35: SSL/POODLE: History repeats itself

POODLE? Are you kidding!?

Dogs are men’s best friends

Page 36: SSL/POODLE: History repeats itself

POODLE: Basic Info

Good old Padding Oracle

Present in ALL SSLv3 implementations (architecture issue)

Wrong MAC usage

Page 37: SSL/POODLE: History repeats itself

POODLE: Possible Exploitation

1. Hacker uses MITM attack

2. User must send the same plaintext requests (e.g. GET requests via XSS)

3. Attacker wants to steal a cookie (knows the possible structure of the plaintext request)

Page 38: SSL/POODLE: History repeats itself

How-to Mitigate?

• Disable SSLv3 on the server – web server, openssl, etc.

• Disable SSLv3 support on the client – web browser, library, etc.

• Really, disable this old buggy SSLv3!

Page 39: SSL/POODLE: History repeats itself

Outline

• Padding Oracle attack is still alive

• Usage of OLD protocols could cause a lot of security issues

• Disable SSLv3 in your products/environment

Page 40: SSL/POODLE: History repeats itself

Thanks!

Yurii [email protected]