Practical attacks on web crypto

Erlend Oftedal — @webtonull
Bekk Consulting
7. December 2011

Who am I?

Agenda

What's the best way to anger a security guy?
Say something like: "We encrypt our passwords with MD5"

Hash functions

http://en.wikipedia.org/wiki/Hash_function

Cryptographic hash functions

http://en.wikipedia.org/wiki/Cryptographic_hash_function

Hashing passwords

Given a password hash, what is the easiest way to find the password?

d8b36fa2ce602b7258ecaa289cf70aa1

Someone actually built a tool

https://github.com/juuso/BozoCrack

How to avoid these pitfalls

Signing data with hashes

Client:
GET /
Server:
200 OK
... <a href="/resource/?a=123&b=46&signature=LQWJDQOC21ASDiojoQ2e13lkajsd="></a> ...
Client:
GET /resource/?a=123&b=46&signature=LQWJDQOC21ASDiojoQ2e13lkajsd=
Server:
200 OK
Data authorized by signature...

Signing data with hashes

Block based hash algorithms (MD)

  1. Starts with a constant value S
  2. First block of data D0:
    H0 = MD5_round(s, D0)
  3. Consecutive blocks Dn:
    Hn = MD5_round(Hn-1, Dn)
  4. The last block is padded with a 1, some 0s and the length of the original string

Attacking the signature

Attacking the signature

Any real-life examples?

Attack on the Flickr API

Avoiding attacks on hash-based signatures

Padding oracles

Padding oracles

Client:
GET /
Server:
200 OK
... <a href="/resource/LQWJDQOC21ASDiojoQ2e13lkajsd="></a> ...
Client:
GET /resource/LQWJDQOC21ASDiojoQ2e13lkajsd=
Server:
200 OK
Secret data....

Padding oracles

XOR

CBC based encryption

CBC based decryption

PKCS#5/7 padding

Padding oracles

Attacking the oracle

  1. The attacker wants to decrypt a secret value
    GET /resource/<IV><C0><C1><C2>
  2. The attacker creates a random block R
  3. And sends it to the server together with a cipher text block:
    GET /resource/<R><C0>
  4. This will probably result in a padding error

Padding oracles

Attacking the oracle

  1. To decrypt the byte next to the last, the attacker needs to find a valid padding of 2
  2. The attacker sets the last byte of R to:
    R7 = R7 ⊕ 0x01 ⊕ 0x02
  3. He then does the same trick for the second to last byte

Padding oracles

Attacking the oracle

  1. Now the attacker has the full output from the decrypt function
  2. To get the plain text, the attacker can simply:
    Pn = Rn ⊕ 0x08 ⊕ IVn
  3. The process is then repeated for each block Cn, but in this last step instead of IV, Cn-1 is used

Example

Padding Oracle Attacks

Defense against Padding Oracle Attacks

BEAST

The keys to this attack

Why does this matter?

The chosen boundary attack (cont.)

The chosen boundary attack (cont.)

The chosen boundary attack - Example

The chosen boundary attack

Defense against BEAST

BONUS MATERIAL

Attacks on XML encryption

Attacks on XML encryption (cont.)

Todays inspirational quote

What doesn't kill you makes you smaller Super Mario
http://twitter.com/#!/hubs/statuses/143803181145665536
Questions?