Practical attacks on web crypto
Erlend Oftedal
—
@webtonull
Bekk Consulting
7. December 2011
Who am I?
- Work as a developer
- Leader of Security Competency group at BEKK
- OWASP Norway Chapter lead
- Member of Norwegian Honeynet Project
- Above average interest in security
Agenda
- Hashing
- Attacks on hashes
- Attacks on encrypted values
What's the best way to anger a security guy?
Say something like: "We encrypt our passwords with MD5"
Hash functions
- Maps a large dataset to a smaller data set
- Low cost
- Deterministic
- Uniform
http://en.wikipedia.org/wiki/Hash_function
Cryptographic hash functions
- Easy to compute for any given message
- Infeasable to generate a message for a given hash
- Infeasable to modify a message without changing the hash
- Infeasable to find two different messages with the same hash
http://en.wikipedia.org/wiki/Cryptographic_hash_function
Hashing passwords
- Infeasable to generate a message for a given hash
- Infeasable to modify a message without changing the hash
- Infeasable to find two different messages with the same hash
- Deterministic
- Low cost
Given a password hash, what is the easiest way to find the password?
d8b36fa2ce602b7258ecaa289cf70aa1
Someone actually built a tool
https://github.com/juuso/BozoCrack
How to avoid these pitfalls
Signing data with hashes
Client:
GET /
Server:
200 OK ... <a href="/resource/?a=123&b=46&signature=LQWJDQOC21ASDiojoQ2e13lkajsd="></a> ...
Client:
GET /resource/?a=123&b=46&signature=LQWJDQOC21ASDiojoQ2e13lkajsd=
Server:
200 OK Data authorized by signature...
Signing data with hashes
- Naive approach:
Signature = md5(secret + data_to_sign)
- MD5 is just an example. This next attack works on for instance SHA1 as well
Block based hash algorithms (MD)
- Starts with a constant value S
- First block of data D0:
H0 = MD5_round(s, D0)
- Consecutive blocks Dn:
Hn = MD5_round(Hn-1, Dn)
- The last block is padded with a 1, some 0s and the length of the original string
Attacking the signature
- Consider the following layout:
MD5(secret + data) = h(secret + data + padding)
-
What if we wanted to hash data that was by coincedence (or not) equal to this:
secret + data + padding + some other data
-
The layout would become
MD5(...) = h(secret + data + padding + some other data + padding)
Attacking the signature
- So if we have the output of:
Hx = MD5(secret + data)
-
We can use Hx as the starting value S in order to calculate:
MD5(secret + data + padding + new data)
- by running for the new data (D'0-D'n):
H0 = MD5_round(Hx, D'0)
- We have to make sure the padding gets the correct length
- This is called a length extension attack
Any real-life examples?
- Thai Duong and Juliano Rizzo disovered a flaw like this in Flickr's API Signature
- Flickr's API signatures worked like this
- Sort your URL parameters list into alphabetical order based on the parameter name:
bar=2&baz=3&foo=1
- Concatenate the shared secret and parameter name-value pairs:
SECRETbar2baz3foo1
- Calculate the md5() hash of this string and append to the list of parameters
bar=2&baz=3&foo=1&signature=afb12318a0b9823bcd
- Sort your URL parameters list into alphabetical order based on the parameter name:
Attack on the Flickr API
- The signature could not separate between:
bar=2&baz=3&foo=1
andb=ar2baz3foo1
- This allowed an attacker to build a new signed URI with arguments:
b=ar2baz3foo10000020&bar=6&baz=5&foo=4
and then length extend the signature to include the new parameters
Avoiding attacks on hash-based signatures
- Don't reinvent the wheel - use HMAC
Padding oracles
- First introduced in Security Flaws Induced by CBC Padding Applications to SSL, IPSEC, WTLS... by Serge Vaudenay in 2002
- In 2010 ASP.NET, Ruby on Rails and Apache Myfaces was found to be vulnerable by Juliano Rizzo and Thai Duong
Padding oracles
Client:
GET /
Server:
200 OK ... <a href="/resource/LQWJDQOC21ASDiojoQ2e13lkajsd="></a> ...
Client:
GET /resource/LQWJDQOC21ASDiojoQ2e13lkajsd=
Server:
200 OK Secret data....
Padding oracles
- Reponses from server:
- 200 Ok - All ok
- 404 Not found/invalid - The value was decrypted ok, but the server could not process the result
- 500 Invalid padding - The server could not decrypt the value
XOR
- A ⊕ A = 0
- A ⊕ 0 = A
- A ⊕ 1 = !A
- From this we can build more complex rules
- A ⊕ B ⊕ B = A
- A ⊕ B ⊕ B ⊕ A = 0
CBC based encryption
CBC based decryption
PKCS#5/7 padding
Padding oracles
Attacking the oracle
- The attacker wants to decrypt a secret value
GET /resource/<IV><C0><C1><C2>
- The attacker creates a random block R
- And sends it to the server together with a cipher text block:
GET /resource/<R><C0>
- This will probably result in a padding error
Padding oracles
Attacking the oracle
- To decrypt the byte next to the last, the attacker needs to find a valid padding of 2
- The attacker sets the last byte of R to:
R7 = R7 ⊕ 0x01 ⊕ 0x02
- He then does the same trick for the second to last byte
Padding oracles
Attacking the oracle
- Now the attacker has the full output from the decrypt function
- To get the plain text, the attacker can simply:
Pn = Rn ⊕ 0x08 ⊕ IVn
- The process is then repeated for each block Cn, but in this last step instead of IV, Cn-1 is used
Example
Padding Oracle Attacks
- Between 1 and 256 requests per byte of recovered plain text (mean = 128)
- The process can be reversed in order to encrypt data, but this requires a lot more requests
- http://erlend.oftedal.no/blog/poet/
Defense against Padding Oracle Attacks
- Have only two results - Ok and Not found
- What's wrong with this code?
try { value = decrypt(inputValue); if (db.querySecretElement(value) != null) { return OK; } else { return NOT_FOUND; } } catch(PaddingException ex) { return NOT_FOUND; }
BEAST
- Yet another attack discovered by Juliano Rizzo and Thai Duong
- Published at ekoparty 2011
- An attack on SSL 3.0 and TLS 1.0
The keys to this attack
- If two equal blocks Pn and Pm are encrypted using the same key and same IV, the resulting cipher text is the same.
- If the IV is different we can still get the same cipher text by altering the plain text
Pm* = Pm ⊕ IVn ⊕ IVm
- What is sent to the encryption algorithm thus becomes:
Pm* ⊕ IVm = Pm ⊕ IVn ⊕ IVm ⊕ IVm = Pm ⊕ IVn
Why does this matter?
- The communication is layed out like this:
[A = attacker controlled data][S = secret data]
The chosen boundary attack (cont.)
- Simplified - If A has the length of a block minus one, the last byte of the first block will be the first byte of the secret data
-
The layout of the SSL traffic is thus:
[IV][C0=E(A + S0)][C1=E(S1-S8)][...]
- The attacker now knows the IV and C0
The chosen boundary attack (cont.)
- If the connection is kept open and the attacker can send more data, the attacker knows the IVn (=Cn-1) of the next block n to be encrypted
- This allows the attacker to find S0, by sending for i = 0 to 255:
Pn+i = [A + i] ⊕ IV ⊕ Cn+i-1
- If any Cn+i = C0, the value of S0 has been found, and the attacker can stop
The chosen boundary attack - Example
The chosen boundary attack
- Now the attacker knows the first letter of the secret
- Next:
- Reduce size of A by 1 to bring in next byte from S
- Create new connection and rerun algorithm untill the new byte is found
- Repeat for entire secret
- http://erlend.oftedal.no/blog/beast/
Defense against BEAST
- TLS 1.1+ injects an empty frame before every new message
- => Makes the IV unpredictable
- Moving to non-CBC ciphers like RC4
BONUS MATERIAL
Attacks on XML encryption
- By Tibor Jager and Juraj Somorovsky here at RUB
- Is somewhat similar to padding oracles, but does not attack the padding
- XML encryption is padded with random values + length
- So what did they find?
Attacks on XML encryption (cont.)
- Errors in XML-layout may be detectable in the response from the web service
- By carefully manipulating the cipher text, we can disover when we break the XML layout
- This tells us enough about the cipher text to recover it
Todays inspirational quote
What doesn't kill you makes you smallerSuper Mario
http://twitter.com/#!/hubs/statuses/143803181145665536
Questions?
- Erlend Oftedal - @webtonull
- erlend@oftedal.no