No-Knowledge Crypto Attacks

DESCRIPTION

Attacks against badly implemented cryptography that don't require in-depth knowledge of cryptography.

COPYRIGHT TRUSTWAVE 2011

Presented by: Daniel Crowley

Structure
› Background
› Attack!
› Potential Win

IDENTIFYING CIPHERTEXT

“Yep, it’s wood”

Properties of ciphertext
› Appears random
› Generally encoded
› Decoded length often multiple of 8/16/32
  – Block ciphers

Example
› Base64 encoded
› Decodes to 80 bytes
› Ent shows strong signs of randomness
› Probably ciphertext (okay, it is, I generated it)

REPLAY ATTACK

Bait and switch

Background
› Reuse of cryptovariables
› Trust in decrypted data

Attack!
› Reuse ciphertext
OR
› Find two places where ciphertext is being accepted
› Swap them around

Potential Win
› Ciphertext from “article.php?id=(ciphertext)”
› Placed in “doPasswordReset.php?userid=(ciphertext)”
› Reset password for another user

DECRYPTION ORACLE

Decrypt ALL the things!

Background
› Application takes encrypted input
› Application decrypts input
› Application gives you decrypted output

Identifying Decryption Oracles
› Look for encrypted input
› Modify input and look for garbled response

Attack!
› Take ciphertext from another location
› Plug into decryption oracle

Potential Win
› “Password” cookie with encrypted value
› Plug cookie into decryption oracle
› PASSWORDS!

ENCRYPTION ORACLE

Encrypt ALL the things!

Background
› Application takes plaintext input
› Application encrypts input
› Application gives you encrypted output

Identifying Encryption Oracles
› Look for ciphertext in responses
› Modify input and look for modified ciphertext
› Length is often the giveaway

Attack!
› Encrypt strings like ‘ or 1=1#
› Plug encrypted string into any encrypted input
› Cross your fingers

Potential Win
› resetpass.php?id=(ciphertext)
› resetpass.php?id=( ENC(‘ or 1=1 #) )
› SQLi!

STREAM CIPHER BIT FLIPPING

Flipping easy

Background
› Construction is simple
› Same key & IV means same keystream
› Reusing cryptovariables means catastrophic failure

    0 1 1 0 0 1 0 0
XOR 1 0 1 0 1 0 1 0
  = 1 1 0 0 1 1 1 0

    0 1 1 0 0 1 0 1
XOR 1 0 1 0 1 0 1 0
  = 1 1 0 0 1 1 1 1

Attack!
› Flip bits in ciphertext input
› Same bits in plaintext are flipped
› No modification to other parts of message

Potential Win
› Plaintext
  – username=fred&admin=0
› Flip lots of bits until…
  – username=fred&admin=1
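
An added example (not from the original slides) of the one-bit flip above and of the check that stops it: the same change decrypts cleanly when the ciphertext carries no integrity protection and is rejected under encrypt-then-MAC. The SHA-256 counter keystream is a toy stand-in for a real stream cipher, and the function names and the HMAC construction are assumptions of this example.

```python
import hashlib
import hmac
import secrets

def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Toy keystream (SHA-256 in counter mode), standing in for a real stream cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + iv + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def xor_crypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same XOR against the keystream.
    return bytes(d ^ k for d, k in zip(data, keystream(key, iv, len(data))))

def seal(enc_key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes):
    # Encrypt-then-MAC: the tag covers the IV and the ciphertext.
    ct = xor_crypt(enc_key, iv, plaintext)
    return ct, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, iv, ct, tag) -> bytes:
    # Verify the tag before decrypting; reject on any mismatch.
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed integrity check")
    return xor_crypt(enc_key, iv, ct)

def demo():
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    iv = secrets.token_bytes(16)
    plaintext = b"username=fred&admin=0"  # plaintext from the slide
    ct, tag = seal(enc_key, mac_key, iv, plaintext)
    # Flip the lowest bit of the last ciphertext byte ('0' is 0x30, '1' is 0x31).
    tampered = ct[:-1] + bytes([ct[-1] ^ 0x01])
    # What a design with no integrity check would decrypt and trust.
    without_mac = xor_crypt(enc_key, iv, tampered)
    try:
        open_sealed(enc_key, mac_key, iv, tampered, tag)
        rejected = False
    except ValueError:
        rejected = True
    intact = open_sealed(enc_key, mac_key, iv, ct, tag)
    return without_mac, rejected, intact

if __name__ == "__main__":
    print(demo())
```
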

STREAM CIPHER KEYSTREAM RECOVERY

I couldn’t think of anything funny for this one

Attack!
› Guess plaintext of an encrypted message
› XOR plaintext and ciphertext to get suspected keystream
› XOR suspected keystream with unknown ciphertext
  – Attempt to read message

Definite Win
› Ability to encrypt and decrypt anything
  – In byte positions where known plaintext resides

ECB BLOCK SHUFFLING

Every day I’m shufflin’

Background
› ECB is a block cipher mode
› Each block is encrypted independent of others
› Blocks can be reordered, removed, duplicated

[Diagram: ECB mode. PLAINTEXT BLOCK 1, BLOCK 2 and BLOCK 3 each pass through CIPHER to give CIPHERTEXT BLOCK 1, BLOCK 2 and BLOCK 3.]

Attack!
› Shuffle blocks around randomly in encrypted messages
› Cross your fingers!

Plaintext before modification

0    1    2    3    4    5    6    7
L    A    S    T    V    I    S    I
T    E    D    =    /    E    N    /
H    O    M    E    .    J    S    P
&    U    S    E    R    I    D    =
1    2    3    4    \x04 \x04 \x04 \x04

lastVisited=/en/home.jsp&userId=1234

Plaintext after modification

0    1    2    3    4    5    6    7
L    A    S    T    V    I    S    I
T    E    D    =    /    E    N    /
H    O    M    E    .    J    S    P
&    U    S    E    R    I    D    =
1    &    F    O    O    =    B    A
1    2    3    4    \x04 \x04 \x04 \x04

lastVisited=/en/home.jsp&userId=1&foo=ba1234

CBC BIT FLIPPING

Flipping awesome

Background
› CBC is a block cipher mode
› When decrypting, each block affects next block
› Flipping bits in ciphertext block n
  – Garbles plaintext block n
  – Flips same bits in plaintext block n+1

[Diagram, shown on two consecutive slides: CBC mode. IV, CIPHER, PLAINTEXT BLOCK A, BLOCK B and BLOCK C, CIPHERTEXT BLOCK A, BLOCK B and BLOCK C.]

Attack!
› Submit ciphertext multiple times
› Flip a different bit each time
› Cross your fingers!

Potential Win
› Plaintext is:
  – lastVisited=http://example.com/home.jsp&uid=124%01
  – (lastVisited=http)(://example.com/h)(ome.jsp&uid=124%01)
    • Split into 16 byte blocks
› Flip bits in bytes 13-15 in block 2
  – Block 2 becomes garbage
  – “124” in block 3 has bits flipped in plaintext

MISCELLANEOUS

Bonus round!

Other Fun Attacks
› Padding Oracles
  – padBuster.pl
› Hash length extension attacks
  – Hash_extender
