AGENDA
• Classic & Modern Cryptography
• Block Cipher Modes
• HASH, MAC & Padding
• Length & Padding Oracle Attacks
Transposition Ciphers
Get key (rule of transposition)
Change the position of each character according to the rule
Don’t forget your key
Substitution Ciphers
Create substitution table
Write plaintext
Substitute each character of the plaintext with a new character according to the table
Frequency Analysis
Depends on language
Frequency of repeating characters
True for old and simple ciphers
One-Time Pad (OTP)
A plaintext is paired with a random, secret key (or pad) which has the same length as the message (or longer)
Each bit or char of the plaintext is encrypted by combining it with the corresponding bit or char from the pad using modular addition
Unbreakable One-Time Pad (OTP)
Key is truly random
Key is at least as long as the plaintext
Key never reused in whole or in part, and kept completely secret
Electronic Codebook (ECB)
Each block is processed individually
[Diagram] Plain Text: M y V e r y S e c r e t T e x t → Encrypted: L G l h 3 l a 1 X E K h X r A c
Cipher Block Chaining (CBC)
Adds an initialization vector (IV)
More secure (by design)
Still vulnerable to padding attacks
Cipher Block Chaining (CBC)
[Diagram] Bytes 1 2 3 4 5 6 7 8 per block; IV chained into the first block. Plain Text: M y V e r y S e c r e t T e x t → Encrypted: L G l h 3 l a 1 X E K h X r A c
Padding Types
Bit Padding (add a 1 bit and then zeros)
Byte Padding (add filler bytes followed by the padding length, or bytes whose value equals the padding length, etc.)
Mixed Padding (add a 1 bit and then bytes, for ex. MD5 padding)
Byte Padding
Zero Bytes Padding: A B C D 0x00 0x00 0x00 0x00
Padding Length Bytes: A B C D 0x04 0x04 0x04 0x04
0xFF Bytes + Padding Length Byte: A B C D 0xFF 0xFF 0xFF 0x03
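The three schemes from this slide as code, added here as an example (not from the original deck): each padder with its strict inverse, so a reader can see why zero padding cannot be undone unambiguously and why a checker must verify every pad byte, not only the last one. The 8-byte block and the A B C D sample follow the slide; function names are my own.

```python
BLOCK = 8  # the slide pads "ABCD" to an 8-byte block

def pad_zero(msg: bytes, block: int = BLOCK) -> bytes:
    """Zero Bytes Padding: append 0x00 up to the block boundary (nothing if aligned)."""
    return msg + b"\x00" * (-len(msg) % block)

def unpad_zero(data: bytes) -> bytes:
    # Ambiguous by construction: trailing 0x00 bytes that belong to the message are lost too.
    return data.rstrip(b"\x00")

def pad_length_bytes(msg: bytes, block: int = BLOCK) -> bytes:
    """Padding Length Bytes (PKCS#7): every pad byte holds the pad length; always >= 1 byte."""
    n = block - len(msg) % block
    return msg + bytes([n]) * n

def unpad_length_bytes(data: bytes, block: int = BLOCK) -> bytes:
    """Strict inverse: ALL pad bytes must match the length byte, not only the last one."""
    if not data or len(data) % block:
        raise ValueError("bad padding")
    n = data[-1]
    if not 1 <= n <= block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def is_valid_length_bytes(data: bytes, block: int = BLOCK) -> bool:
    """The single bit a padding oracle leaks: valid or not (kept server-side in a real system)."""
    try:
        unpad_length_bytes(data, block)
        return True
    except ValueError:
        return False

def pad_ff_plus_length(msg: bytes, block: int = BLOCK) -> bytes:
    """0xFF Bytes + Padding Length Byte: 0xFF filler, then one byte counting the filler bytes."""
    n = block - len(msg) % block          # bytes to add, count byte included
    return msg + b"\xff" * (n - 1) + bytes([n - 1])

def unpad_ff_plus_length(data: bytes, block: int = BLOCK) -> bytes:
    if not data or len(data) % block:
        raise ValueError("bad padding")
    n = data[-1]                          # number of 0xFF filler bytes
    if n >= block or data[len(data) - 1 - n:-1] != b"\xff" * n:
        raise ValueError("bad padding")
    return data[:len(data) - 1 - n]
```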
Stream Ciphers
Key stream is used (generated from the key)
Gamma (key stream) generator is pseudo-random with some period (bigger is better)
Works really fast (XOR key stream with MSG)
Bit-Flipping Attack
Attacker knows part of the plaintext and its position in the ciphertext (for ex. amount of money)
Can change this part w/o knowing the key (nature of XOR)
Message Authentication Code (MAC)
Hash Functions (MD5, SHA, etc.)
Encrypted data integrity check
Used not only for encryption integrity checks (web form data validation, plaintext data, etc.)
Public-Key Cryptography
Different keys for encryption/decryption
Secure key exchange method (Diffie-Hellman)
Same algorithm for encryption/digital signature (RSA)
Secure Socket Layer (SSL/TLS)
Key Exchange: RSA, Diffie-Hellman, PSK
Authentication: RSA, DSA, ECDSA
Symmetric Cipher: RC4, IDEA, DES, 3DES, AES
Data Integrity: SHA, MD5, MD4 and MD2
Padding Oracle
Oracle: something that can prove or refute your assumptions
Padding: building blocks to make things the same size
Together: the nightmare of cryptography
Padding Oracle Nightmare
You don’t need a key
Almost doesn’t depend on the cipher algorithm (CBC mode)
Faster than a brute force attack
Padding Oracle Attack: Details
[Diagram] Encrypted C1: L G l h 3 l a 1 | Encrypted C2: X E K h X r A c | Intermediate I2: I K 7 u F Q s b | Plain M2: M y M S G 3 3 3
Padding Oracle Attack: Details
M2 = C1 ⊕ I2
I2 = M2 ⊕ C1
We CAN change the resulting plaintext M2 by changing the encrypted block C1
Padding Oracle Attack: Last Byte
[Diagram] Encrypted C1: L G l h 3 l a A (C1[8] = A) | Encrypted C2: X E K h X r A B (C2[8] = B) | Intermediate I2: I K 7 u F Q s C (I2[8] = C) | Plain M2: M y M S G 3 3 D (M2[8] = D)
Padding Oracle Attack: Last Byte
1. Iterate byte PP from 0x00 to 0xFF (possible M2[8] byte)
2. Set A = C1[8] ⊕ PP ⊕ 0x01
3. Check with the Padding Oracle whether we got correct padding (D = 0x01)
4. In case of correct padding we can calculate the last byte M2[8]:
• M2[8] = C1[8] ⊕ C
• Because C = D ⊕ A
• Then C = 0x01 ⊕ C1[8] ⊕ PP ⊕ 0x01
• We can simplify it to C = C1[8] ⊕ PP
• In this case M2[8] = C1[8] ⊕ C1[8] ⊕ PP
• And finally M2[8] = PP, voila!
Padding Oracle Attack: Next Byte
[Diagram] Same layout, one byte further left: C1[7], C2[7], I2[7], M2[7]
Padding Oracle Attack: Next Byte
1. New step: modify C1[8] = C1[8] ⊕ M2[8] ⊕ 0x02
2. Iterate byte PP from 0x00 to 0xFF (possible M2[7] byte)
3. Set A = C1[7] ⊕ PP ⊕ 0x02
4. Check with the Padding Oracle whether we got correct padding (D = 0x02)
5. In case of correct padding we can calculate the next byte M2[7]:
• M2[7] = C1[7] ⊕ C
• Because C = D ⊕ A
• Then C = 0x02 ⊕ C1[7] ⊕ PP ⊕ 0x02
• We can simplify it to C = C1[7] ⊕ PP
• In this case M2[7] = C1[7] ⊕ C1[7] ⊕ PP
• And finally M2[7] = PP, we did it again!
Padding Oracle Attack: Tools
POET – Apache MyFaces form padding oracle expl. tool: http://netifera.com/research/
PadBuster – ASP.NET (not only) padding oracle expl. tool: https://github.com/GDSSecurity/PadBuster
Bletchley – python based cryptography expl. multitool: https://code.google.com/p/bletchley/
How to Mitigate?
• Use a MAC together with encryption
• Don’t show padding errors to the attacker
• Use another cipher mode (CFB, etc.)
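How the first two mitigations fit together, as an added example that is not from the original deck: encrypt-then-MAC over CBC with PKCS#7 padding, where the HMAC tag is verified in constant time before anything is decrypted and every failure (length, tag, padding) yields the same result. The block cipher is a labelled XOR stand-in so the code runs offline (AES would be used in practice); keys, the 8-byte block and the sample message are constructed.

```python
import hashlib, hmac, os
BLOCK = 8  # toy 8-byte blocks, matching the slides' diagrams

def pkcs7_pad(msg: bytes) -> bytes:
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n

def pkcs7_unpad(data: bytes):
    """Strict check; None (not a distinct error) when the padding is malformed."""
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        return None
    return data[:-n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block(key: bytes, block: bytes) -> bytes:
    # Hypothetical stand-in for the block cipher (AES in practice): XOR with a fixed
    # key keeps the demo runnable offline, is its own inverse, and offers NO security.
    return xor(key, block)

def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_block(key, xor(padded[i:i + BLOCK], prev))  # C_i = E(M_i xor C_{i-1})
        out += prev
    return out

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    # M_i = D(C_i) xor C_{i-1}: the relation the slides use, applied to every block
    return b"".join(xor(toy_block(key, c), p) for p, c in zip(blocks, blocks[1:]))

def seal(enc_key: bytes, mac_key: bytes, msg: bytes, iv=None) -> bytes:
    """Encrypt-then-MAC: the HMAC-SHA256 tag covers both the IV and the ciphertext."""
    iv = os.urandom(BLOCK) if iv is None else iv
    ct = cbc_encrypt(enc_key, iv, pkcs7_pad(msg))
    return iv + ct + hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes):
    """Constant-time tag check BEFORE any decryption. Returns the plaintext, or None for
    ANY failure (length, tag or padding), so the caller never learns which check failed."""
    body, tag = blob[:-32], blob[-32:]
    if len(body) < 2 * BLOCK or len(body) % BLOCK:
        return None
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return None
    return pkcs7_unpad(cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:]))
```

With the tag checked first, a modified C1 never reaches the padding check, so the oracle the previous slides rely on is not exposed.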
Hash Crack Speed
8xGPU SHA-1 crack speed: 29 528M c/s
8-char password Z!sN0/7u:
95-symbol alphabet → 6.70 × 10^15 search space
2.6 days to brute-force ALL combinations
Salted Hash
• Yes, it’s better than just a hash
• But it could also be broken (MAC Length Extension Attack)
Where is the problem?
HASH (KEY+MSG) is BAD
- extension attack is possible
HASH (MSG+KEY) is GOOD
- extension attack is impossible
Length extension attack: Tools
HashPump – C++ tool for hash extension expl. attack: https://github.com/bwall/HashPump
hlextend – python hash extension expl. library: https://github.com/stephenbradshaw/hlextend
Outline
• Only one cipher is UNBREAKABLE (OTP)
• You can find WEAKNESSES in ciphers, preferences, or chains of crypto (Heartbleed)
• Some BAD usages of GOOD things are possible (Hash Length Extension)
• Some MISSING mitigations of KNOWN issues could be a problem (Padding Oracle)
• Crypto is BIG part of security, so have FUN
Recommended