Cracking the crypto

Click to edit Master title style
1
Cracking the Crypto

2
$whoami
MIHIR SHAH | SHAHENSHAH
Github: github.com/shahenshah99
Blog: shahenshah99.blogspot.com
2

3
What is Cryptography?
Cryptography is a funny topic in penetration
testing: it's such a fundamental part of the
entire science of information security, but also
often neglected in security testing.
3

4
What do we plan on doing
today?
• Bit-flipping attacks against cipher block
chaining algorithms
• Sneaking in malicious requests by calculating
a hash that will pass verification; we'll see
how cryptographic padding helps us
• Padding oracle attack; as the name suggests,
we continue to look at the padding concept
• Installation of two deliberately vulnerable web
applications for testing in your home lab
4

5
When we consider attacks against
cryptographic ciphers, we usually think
about those attacks against the cipher
itself that allow us to break the code and
recover plaintext. It's important to
remember that the message can be
attacked, even when the cipher remains
unbroken and, indeed, even the full
message is unknown.
5
What are we attacking
exactly, again?

6
B lock ciphers – A s t he name implies, it encrypt s
dat a in f ixed lengt hs of blocks. From a securit y
st andpoint , t his concept implies t hat secure
encrypt ion is easily achieved f or a single block
of data; you could have high - entropy key
mat erial w it h t he same lengt h as t he block.
H ow w e repeat edly encrypt block af t er block and
link everyt hing t oget her is called a mode of
operat ion . 6
Block Ciphers and mode
of Operations

7
Rather than me filling up this
slide, to explain how this
works. Let me show you a demo
for the same
7
Electronic Codebook(ECB)

8
You still don't know what the message is . In the
realm of cryptanalysis, this is a major breakthrough.
A simple rule of thumb about good encryption is: the
cipher text should have no relationship w hatsoever
w ith the plaintext. In this case, w e already know
something is repeating. The effort to attack the
message is already underw ay
8
Ok, we found a Pattern, So
what?

9
Enter Cipher Block Chaining (CBC),
where we encrypt a block just like
before – except before we encrypt
the next block, we XOR the plaintext
of the next block with the encrypted
output of the previous block,
creating a logical chain of blocks. 9
Introducing Block Chaining

1010

11
If we XOR the plaintext block with
the encrypted output of the previous
block, what's the XOR input for
the first block?
11
Hang on!!

12
B e f o r e m o v i n g o n l e t s j u s t l o o k a t a D e m o o n t h e C B C b a s e d
e n c r y p t i o n f o r t h e s a m e t e x t
12
we need an initial value
appropriately called
the initialization vector
(IV)

1313
Setting and attacking our
Bit-Flipping Lab

1414
Manipulating the IV to
generate predictable
results

1515

1616
Busting the Oracle Padding

17
What is padding and Why
should I care?
messages that need to be
encrypted are not of a fixed
length; they may be as short
as Hello World! or as long as
the Zimmermann Telegram. This
is where padding comes in.
PKCS#5/PKCS#7 uses padding
bytes, which are nothing more
than a hexadecimal number

1818
The number is equal to the
number of padding bytes. For
example, if there are five padding
bytes, they'll all be 0x05.

19
The purpose of this is to provide the
error-checking mechanism inherent
to this design. So if I come along and
decrypt a message only to find five
padding bytes with the value 0x07,
then guess what prophecy this wise
oracle is telling? Padding error.

20
• The encrypted data w as padded correctly, and contains
valid server data once decrypted. Basically, a
completely normal operation. The server responds w ith
HTTP 200 OK.
• The encrypted data w as padded
correctly, and contains invalid server data once
decrypted. This is just like sending something
unexpected to a server w ithout encryption, for
example, a file request for a non -existent file. This is
technically an HTTP 200, but typically w ith a custom
error (for example, File Not Found).
• The encrypted data w as padded incorrectly, w hich
breaks the decryption process and hence, nothing gets
actually passed to the server. This causes a
cryptographic exception and the response is an HTTP
500 Internal Server Error.
20
The oracle can tell us one of three things
when we pass encrypted data to the
target:

2121
The other half is the concept we introduced at the beginning of
the chapter: when you know two out of three binary values that
have an XOR relationship to each other, you can easily solve for
the missing field. So, we tweak the enciphered bits and
repeatedly submit our modified requests, chatting with the oracle
for state feedback, until we stop breaking decryption and the
oracle tells us the padding looks good. With the oracle confirming
the correct padding, this attack becomes a form of known-
plaintext cryptanalysis, allowing us to decrypt the message.

22
PadBuster can work with this via the -noiv flag
and thus uses the first bytes as an IV; the number
of bytes used as an IV is defined in the block size
parameter. We also know that CBC mode ciphers
XOR the intermediary bits (that is, the bits after
the encryption process) with the corresponding
bits from the previous block (block chaining), so
once decryption has begun, PadBuster works
backwards.

2323
Q&A

24
Thank You

Cracking the crypto

More Related Content

Similar to Cracking the crypto (20)

More from Mihir Shah (13)

Recently uploaded (20)

Cracking the crypto