![Electronic Code Book
4
E
P[0]
C[0]
E
P[1]
C[1]
E
P[2]
C[2]](https://image.slidesharecdn.com/paddingoraclepublic-130806071305-phpapp01/85/Padding-oracle-opkoko2011-4-320.jpg)
![Cipher Block Chaining
6
E
P[0]
C[0]
xor
IV
E
P[1]
C[1]
xor
E
P[2]
C[2]
xor](https://image.slidesharecdn.com/paddingoraclepublic-130806071305-phpapp01/85/Padding-oracle-opkoko2011-6-320.jpg)
![Cipher Block Chaining
7
xor
C[0]
P[0]
D
IV
xor
C[1]
P[1]
D
xor
C[2]
P[2]
D](https://image.slidesharecdn.com/paddingoraclepublic-130806071305-phpapp01/85/Padding-oracle-opkoko2011-7-320.jpg)
![C[2] C[1] C[0] C[-1]
16
xor
C[0]
P[0]
D
C[-1]
xor
C[1]
P[1]
D
xor
C[2]
P[2]
D](https://image.slidesharecdn.com/paddingoraclepublic-130806071305-phpapp01/85/Padding-oracle-opkoko2011-16-320.jpg)
Padding oracle [opkoko2011]
- 1. Padding Oracle On the Best server-side Bug pwnie awards 2011
- 2. Padding Oracle • 2002 – Vaudenay – side-channel – padding oracle – CBC-mode • Network encryption • 2010 – Doung, Rizzo – Web! – Captchas – JSF ViewStates – ASP.NET • ASP.NET – O_O 2
- 3. Block Ciphers 3 E P C D P P: Plaintext C: Ciphertext k: key E: Encrypt D: Decrypt Block cipher: Fixed block/plaintext/ciphertext length 128 bit – 16 bytes 64 bit – 8 bytes (key length and block length are totally unrelated) k
- 5. 5 EC B Other modesplaintext This image is derived from File:Tux.jpg, and therefore requires attribution. All uses are permitted provided that Larry Ewing, the owner of the original image, who requires that you mention him, his email address, lewing@isc.tamu.edu, and The GIMP, according to http://www.isc.tamu.edu/~lewing/linux/.
- 8. 8
- 9. CBC and XOR 9 xor C P D IV intermediate 0 xor X = 0 X = 0 0 xor X = 1 X = 1 1 xor X = 1 X = 1 1 xor X = 0 X = 0 If only we had an oracle telling us the plaintext!
- 10. Oracle: PKCS #5 Padding 10 ? ? ? ? ? ? ? 01 ? ? ? ? ? ? 02 02 ? ? ? ? ? 03 03 03 ? 07 07 07 07 07 07 07 08 08 08 08 08 08 08 08 …. Last ciphertext block is an oracle! Padding: OK Padding: Bad
- 11. 11
- 13. Padding Oracle 13 xor C P D IV intermediate C fixed => intermediate fixed IV can be set by attacker Padding Oracle yields P IV xor P = intermediate Search for P = ???????1 Search for P = ??????22 … Search for P = 88888888 intermediate xor IV = P
- 14. DEMO or if demo breaks, youtube http://youtu.be/B7UzYaTSeq8 14
- 15. CBC-R: CBC in reverse 15 xor C P D IV intermediate C = whatever Padding Oracle intermediate P = whatever IV = P xor intermediate IV & C valid ciphertext
- 16. C[2] C[1] C[0] C[-1] 16 xor C[0] P[0] D C[-1] xor C[1] P[1] D xor C[2] P[2] D
- 17. Encrypt and Authenticate 17 E P C D P HMAC C + M verify C c = encrypt( p ) m = hmac( c ) transmit( c, m ) recieve( c, m ) mm = hmac( c ) if ( m == mm ) { p = decrypt( c ) } else { ninja kill sender }
- 18. Developer challenges • Encryption frameworks may not be secure – 2010, most web frameworks were insecure – some frameworks are still very broken • Options – OWASP, Microsoft – responds to security – Validate your framework yourself – Do not trust that web encryption works 18
- 20. Demonstration environment • Encryption key in web.config • Windows server • ASP.NET • DotNetNuke CMS • Latest / fully patched versions at time of video release. 20
- 21. ScriptResources.axd?d= • Ciphertext in d= parameter • Plaintext of d= supports grabbing files • Vulnerable to Padding Oracle and CBC-R • ?d= CBC-R ( ”R|~Web.config” ) • Attacker has encryption secrets! 21
- 22. Becomming DotNetNuke admin • Web.config gives encryption keys • Generate ASP.NET authentication cookie – FormsAuthentication.SetAuthCookie( Convert.ToString( LoggedOnUserName ), true ); – Encrypt and MAC authcookie for ”SuperUser” • Upload DotNetNuke extension backdoor 22
- 23. OS: Complete loss of control • Start local command shell – User: network service • Privilege escalation exploit – ”Token kidnaping revenge” – User: SYSTEM • Callback to netcat listener 23