Brief introduction into Padding Oracle attack vector

Padding oracle attacks
Mohsen Ahmadi
Web appliation penetration testing worksop - Mohsen ahmadi _ 2014-2015

Vaudenay attacks
• originally published in 2002 by Serge Vaudenay
• in 2010 it was used for code execution in ASP.net

Oracle?! Vs. padding oracle?!
• In cryptography is a system that will perform given cryptographic
operations on behalf of the user
• A padding oracle is a specific type of oracle that will take
encrypted data from the user, attempt to decrypt it privately,
then reveal whether or not the padding is correct

Block Cipher vs. Stream Cipher
• Block Cipher
• Encryption and decryption of a block of plaintext and cipher text
are specific
• all block encrypt/decrypt with the same key
• Examples of block-cipher encryption algorithms are DES and AES
• Stream-cipher
• The Data is regarded as a stream of bits/bytes, encrypt and
decrypt process undertaken against a bit or a byte every time
• every bit/byte encrypt/decrypt with a different key
• Examples of stream-cipher encryption algorithm is RC4Web appliation penetration testing worksop - Mohsen ahmadi _ 2014-2015

Operation mode block ciphers
• Block cipher encryption algorithm like AES/DES themselves
actually only designed to perform encryption/decryption of a
block or blocks of plaintext cipher text only
• In the mode of operation described how the encryption decryption
is done against a plaintext blocks/the cipher text, how the
relationship between a block with another block

ECB (Electronic Code Book)
• Encrypt/decrypt each block individually
• Each block encrypt/decrypt apart, with no relation between each
other
• weakness of ECB mode is when any plaintext blocks are identical,
then cipher text will be identical

CBC (Cipher Block Chaining)
• blocks are intertwined (chained) together
• Two plaintext blocks are identical does not produce
Cipher text blocks are identical

Padding(cont)
• In a block-cipher the plaintext and cipher text must be cut into
pieces and arranged in blocks of data of the same size
• Because the data must be entered in blocks of the same size, then
required padding bytes as data to fulfill the mountings to fit the
size of the block

Valid Padding e.g.
• If the data already contains 8 bytes ' ABCDEFGH ' why still need
padding?
• In the PKCS standards are already set up that must be added the
padding all data, even though such data is even the size of a block
is necessary

Invalid Padding e.g.
• When the last byte of value outside the range 01 – 08, then the
padding definitely not valid
• When the last byte is 01, then the padding value must be valid
• When the last byte is 02, then padding value is valid when the
previous byte is 02
• When the last byte is valuable 03, then valid if the padding 2 bytes
before also 03

Padding oracle attack
• Padding oracle attack works by detecting the response from the
server that tells the client whether padding is valid or not
• Keep in mind that checking the padding is done after the
decryption was completed
• Detect whether the padding bytes are valid or not, begins by
looking at the last byte the last block and then saw new byte-byte
before the content of the final byte is dependent

Encryption process(cont)

Encryption process in depth

Decryption process

Padding validation(cont)
• Decryption process will not stop
• After decryption validation check done by oracle
• Separate plaintext from padding values

Padding validation(cont)
• What is padding error in this e.g. ?
Padding value is always between 1 to 8

Padding validation
• What is padding error in this e.g. ?
Padding is correct but garbled data!

Malleability trait

Oracle in depth!(cont)
• Oracle is a validation which we can ask and give answer by true or
false, yes or no and another conditions or even blind
In a web application
• usually responded with oracle html text "Error", "Stack trace",
"Invalid Padding Exception" or similar error message
or
• distinguish between the status codes of HTTP

Padding oracle structure
• Attacker send many requests to oracle server
(kind of brute-force attack) and check which
Request produce valid padding message
“500 Interval Server Error” -> padding invalid
“200 OK” -> padding valid

POC!
• http://192.168.149.144/oracle.php?str=2D7850F447A90B87123B36A03
8A8682F
• Block cipher algorithm is DES 64bits with mode operation CBC
Which conditions padding is invalid?
Is it make difference type of block cipher in padding
oracle attack?

Getting last byte of 𝐶2(cont)
• break cipher text into the blocks
• Because the length of cipher text is 32 bytes string in hex
• Strlen(“2D7850F447A90B87123B36A038A8682F”)=32
• Mean the real length is 16 bytes
• It could be presumed that this is a block-cipher with a block of
length is 8 bytes
• 2D7850F447A90B87 123B36A038A8682F
𝐶1 𝐶2
8 bytes 8 bytes

• Payload which we send to Oracle consists of 𝐶1 + 𝐶2 which
• 𝐶1: malformed cipher text block which send by attacker
• 𝐶2: target block which decrypts
• First block could contains null or any bytes order, but last byte will
effect on last byte of decrypted cipher text that should make valid
padding
00 00 00 00 00 00 00 00-FF 12 3B 36 A0 38 A8 68 2F

• We should find last byte of intermediate value block which when
XORed with our malformed cipher text block produce correct
padding value (‘x01’)
• There is one equation but with
two unknown variables
this equation cannot be solved
Mathematically but fortunately
We’ve Oracle!
A⊕B=01

• A⊕00=01 -> invalid
• A⊕02=01-> invalid
• …
• Hey guys

• A⊕87=01-> valid
• So what’s A?

Getting last byte of 𝑃2
• 𝐷 𝑘(𝐶2) is not 𝑃2!
• 𝐶1⊕𝐷 𝑘(𝐶2) =𝑃2
• So 86⊕85=03

Get byte 7 𝑃2(cont)
• desired conditions of valid padding is syllabic byte 02-02
• 𝐶1[7]=86⊕02=84
• Again solving an equation with
Two unknown variables!!

• we'll interrogate the Oracle to help us solve the equation in the
form of brute force as follows:
• If the Oracle respond with a status of “Wrong padding” that means
the answer to the above questions is “NO”, meaning that it should
try with the next question
• When the Oracle respond with a status of “200 OK” that means
the answer to the above question is ”YES!”

• …
• A⊕0A=02-> valid
• So what’s A?

Get byte 7 𝑃2
• So 0A⊕02=08
• 𝑃2[6]=08⊕0B=03

Get the 6th byte of P2
• So A9⊕03=AA
• 𝑃2[5]=AA⊕A9=03

• So 0E⊕04=0A
• 𝑃2[4]=0A⊕47=4D

• So BD⊕05=B8
• 𝑃2[3]=B8⊕F4=4C

• So 1D⊕06=1B
• 𝑃2[2]=1B⊕50=4B

Get the second byte of P2
• So 35⊕07=32
• 𝑃2[1]=32⊕78=4A

Get the first byte of P2
• So 6C⊕08=64
• 𝑃2[0]=64⊕2D=49

C2 Decrypted!
• 𝐷 𝑘 123B36A038A8682F =IJKLM+030303
• Decrypting 𝐶2 is on your own as a homework!

Q&A!

Thanks 

Brief introduction into Padding Oracle attack vector

More Related Content

What's hot (20)

Similar to Brief introduction into Padding Oracle attack vector (20)

Recently uploaded (20)

Brief introduction into Padding Oracle attack vector