Upload
baronzor
View
5.772
Download
2
Embed Size (px)
DESCRIPTION
Attacks against badly implemented cryptography that don't require in-depth knowledge of cryptography.
Citation preview
COPYRIGHT TRUSTWAVE 2011
Presented by:
No-Knowledge Crypto Attacks
Daniel Crowley
Structure› Background› Attack!› Potential Win
IDENTIFYING CIPHERTEXT“Yep, it’s wood”
Properties of ciphertext› Appears random› Generally encoded› Decoded length often multiple of
8/16/32–Block ciphers
Example
› Base64 encoded› Decodes to 80 bytes› Ent shows strong signs of randomness
› Probably ciphertext (okay, it is, I generated it)
REPLAY ATTACKBait and switch
Background› Reuse of cryptovariables› Trust in decrypted data
Attack!› Reuse ciphertext
OR
› Find two places where ciphertext is being accepted
› Swap them around
Potential Win› Ciphertext from “article.php?
id=(ciphertext)”› Placed in “doPasswordReset.php?
userid=(ciphertext)”› Reset password for another user
DECRYPTION ORACLEDecrypt ALL the things!
Background› Application takes encrypted input› Application decrypts input› Application gives you decrypted
output
Identifying Decryption Oracles› Look for encrypted input› Modify input and look for garbled
response
Attack!› Take ciphertext from another
location› Plug into decryption oracle
Potential Win› “Password” cookie with encrypted
value› Plug cookie into decryption oracle› PASSWORDS!
ENCRYPTION ORACLEEncrypt ALL the things!
Background› Application takes plaintext input› Application encrypts input› Application gives you encrypted
output
Identifying Encryption Oracles› Look for ciphertext in responses› Modify input and look for modified
ciphertext› Length is often the giveaway
Attack!› Encrypt strings like ‘ or 1=1#› Plug encrypted string into any
encrypted input› Cross your fingers
Potential Win› resetpass.php?id=(ciphertext)
› resetpass.php?id=( ENC(‘ or 1=1 #) )
› SQLi!
STREAM CIPHER BIT FLIPPING
Flipping easy
Background› Construction is simple› Same key & IV means same keystream› Reusing cryptovariables means
catastrophic failure
0 1 1 0 0 1 0 0
1 0 1 0 1 0 1 0
1 1 0 0 1 1 1 0
0 1 1 0 0 1 0 1
1 0 1 0 1 0 1 0
1 1 0 0 1 1 1 1
Attack!› Flip bits in ciphertext input› Same bits in plaintext are flipped› No modification to other parts of
message
Potential Win› Plaintext
–username=fred&admin=0
› Flip lots of bits until…–username=fred&admin=1
STREAM CIPHER KEYSTREAM RECOVERY
I couldn’t think of anything funny for this one
Attack!› Guess plaintext of an encrypted
message› XOR plaintext and ciphertext to get
suspected keystream› XOR suspected keystream with
unknown ciphertext–Attempt to read message
Definite Win› Ability to encrypt and decrypt anything
– In byte positions where known plaintext resides
ECB BLOCK SHUFFLINGEvery day I’m shufflin’
Background› ECB is a block cipher mode› Each block is encrypted independent of
others› Blocks can be reordered, removed,
duplicated
BLOCK 1
CIPHER
BLOCK 1
BLOCK 2
CIPHER
BLOCK 2
BLOCK 3
CIPHER
BLOCK 3
PLAINTEXT
CIPHERTEXT
Attack!› Shuffle blocks around randomly in
encrypted messages› Cross your fingers!
Plaintext before modification
0 1 2 3 4 5 6 7
L A S T V I S I
T E D = / E N /
H O M E . J S P
& U S E R I D =
1 2 3 4 \x04 \x04 \x04 \x04
lastVisited=/en/home.jsp&userId=1234
Plaintext after modification
0 1 2 3 4 5 6 7
L A S T V I S I
T E D = / E N /
H O M E . J S P
& U S E R I D =
1 & F O O = B A
1 2 3 4 \x04 \x04 \x04 \x04
lastVisited=/en/home.jsp&userId=1&foo=ba1234
CBC BIT FLIPPINGFlipping awesome
Background› CBC is a block cipher mode› When decrypting, each block affects
next block› Flipping bits in ciphertext block n
– Garbles plaintext block n– Flips same bits in plaintext block n+1
BLOCK A
IV
CIPHER
BLOCK A
BLOCK B
CIPHER
BLOCK B
BLOCK C
CIPHER
BLOCK C
PLAINTEXT
CIPHERTEXT
BLOCK A
IV
CIPHER
BLOCK A
BLOCK B
CIPHER
BLOCK B
BLOCK C
CIPHER
BLOCK C
PLAINTEXT
CIPHERTEXT
Attack!› Submit ciphertext multiple times
› Flip a different bit each time› Cross your fingers!
Potential Win› Plaintext is:
– lastVisited=http://example.com/home.jsp&uid=124%01
– (lastVisited=http)(://example.com/h)(ome.jsp&uid=124%01)• Split into 16 byte blocks
› Flip bits in bytes 13-15 in block 2–Block 2 becomes garbage–“124” in block 3 has bits flipped in
plaintext
MISCELLANEOUSBonus round!
Other Fun Attacks› Padding Oracles
– padBuster.pl
› Hash length extension attacks– Hash_extender