The Cryptography has YOU

Yurii Bilyk || 2014

AGENDA

• Classic & Modern Cryptography

• Block Ciphers Modes

• HASH, MAC & Padding

• Length & Padding Oracle Attacks

Crypto is Everywhere

Around the World, around the World…

CRYPTOGRAPHY: INTERNET, VOICE, MONEY

Classic Cryptography

Before Computer Era

Transposition Ciphers

Get a key (the rule of transposition)

Change the position of each character according to the rule

Don't forget your key

Transposition Ciphers: Example (Scytale)

Plaintext written in rows:

T h i s I s M
y S e c r e t
M e s s a g e

Read off by columns: M y T e S h M

Substitution Ciphers

Create a substitution table

Write the plaintext

Substitute each character of the plaintext with a new character according to the table

Substitution Ciphers: Example

Substitution Table (figure); example word: Crypto

Frequency Analysis

Depends on the language

Frequency with which characters repeat

True for old and simple ciphers

Modern Cryptography

After Computer Era

One-Time Pad (OTP)

The plaintext is paired with a random, secret key (or pad) that is at least as long as the message

Each bit or character of the plaintext is encrypted by combining it with the corresponding bit or character of the pad using modular addition

Unbreakable One-Time Pad (OTP)

The key is truly random

The key is at least as long as the plaintext

The key is never reused in whole or in part, and is kept completely secret

Symmetric-Key Cryptography

One shared key

Block ciphers

Stream ciphers

Block Ciphers

Fixed block size

Uses padding

Different modes (ECB, CBC, etc)

Electronic Codebook (ECB)

Each block processed individually

Plain Text: M y V e r y S e c r e t T e x t
Encrypted:  L G l h 3 l a 1 X E K h X r A c

Electronic Codebook (ECB)

Image comparison: Plain Text | AES-256-ECB | AES-256-CBC

Cipher Block Chaining (CBC)

Adds an initialization vector (IV)

More secure (by design)

Still vulnerable to the padding oracle attack

Cipher Block Chaining (CBC)

Plain Text: M y V e r y S e c r e t T e x t
Encrypted:  L G l h 3 l a 1 X E K h X r A c
IV:         1 2 3 4 5 6 7 8

Padding Types

Bit Padding (add a 1 bit, then zeros)

Byte Padding (add bytes carrying the padding length, add a number of bytes each equal to the padding length, etc)

Mixed Padding (add a 1 bit and then bytes, e.g. MD5 padding)

Byte Padding

Zero Bytes Padding:                A B C D 0x00 0x00 0x00 0x00
Padding Length Bytes:              A B C D 0x04 0x04 0x04 0x04
0xFF Bytes + Padding Length Byte:  A B C D 0xFF 0xFF 0xFF 0x03
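The three byte-padding schemes on the slide above, as an added example that is not part of the original deck: pad and strictly unpad for an assumed 8-byte block, showing why zero padding is ambiguous and that a strict check yields exactly the one bit a padding oracle leaks.

```python
BLOCK = 8  # assumed block size, matching the slide's A B C D + four padding bytes

def pad_zero(data: bytes) -> bytes:
    # Zero Bytes Padding: fill the last block with 0x00 (nothing added if full).
    return data + b"\x00" * ((-len(data)) % BLOCK)

def unpad_zero(data: bytes) -> bytes:
    # Ambiguous by design: trailing 0x00 bytes of the message are lost too.
    return data.rstrip(b"\x00")

def pad_len(data: bytes) -> bytes:
    # Padding Length Bytes (PKCS#7 style): n bytes, each equal to n; a full
    # block of padding is added when the data already fills a block.
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad_len(data: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise ValueError("invalid padding")
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("invalid padding")
    return data[:-n]

def pad_ff(data: bytes) -> bytes:
    # 0xFF Bytes + Padding Length Byte: 0xFF filler bytes, then one byte
    # giving how many 0xFF bytes precede it (0x03 in the slide's example).
    fill = BLOCK - len(data) % BLOCK - 1
    return data + b"\xff" * fill + bytes([fill])

def unpad_ff(data: bytes) -> bytes:
    if not data or len(data) % BLOCK:
        raise ValueError("invalid padding")
    fill = data[-1]
    if fill >= BLOCK or data[-(fill + 1):-1] != b"\xff" * fill:
        raise ValueError("invalid padding")
    return data[:-(fill + 1)]

def padding_ok(unpad, data: bytes) -> bool:
    # Whether a padding check passes. This single bit is all a padding
    # oracle needs, so real code must never surface it to a caller.
    try:
        unpad(data)
        return True
    except ValueError:
        return False
```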

Stream Ciphers

A key stream (generated from the key) is used

The gamma (key stream) generator is pseudo-random with some period (bigger is better)

Works really fast (XOR the key stream with the message)

Bit-Flipping Attack

The attacker knows part of the plaintext and its position in the ciphertext (e.g. the amount of money)

Can change this part without knowing the key (nature of XOR)

Message Authentication Code (MAC)

Hash functions (MD5, SHA, etc)

Integrity check of encrypted data

Used not only for encryption integrity checks (web form data validation, plaintext data, etc)

Public-Key Cryptography

Different keys for encryption and decryption

Secure key exchange method (Diffie-Hellman)

Same algorithm for encryption and digital signatures (RSA)

Meet SSL/TLS

It’s his star time

Secure Socket Layer (SSL/TLS)

Key Exchange: RSA, Diffie-Hellman, PSK

Authentication: RSA, DSA, ECDSA

Symmetric Cipher: RC4, IDEA, DES, 3DES, AES

Data Integrity: SHA, MD5, MD4 and MD2

HeartBleed

An issue in the implementation of a crypto protocol/system

***IT happens

Not an issue in the cipher

Remember I'm offering you the truth. Nothing More.

Pad Oracle & Length Extension

Padding Oracle

Oracle: something that can confirm or refute your assumptions

Padding: building blocks up to the same size

Together: a nightmare for cryptography

Padding Oracle Nightmare

You don't need a key

Almost independent of the cipher algorithm (CBC mode)

Faster than a brute-force attack

The Magic XOR Rules

A ⊕ A = 0

A ⊕ 0 = A

A ⊕ B = B ⊕ A

(A ⊕ B) ⊕ C = A ⊕ (B ⊕ C)

Padding Oracle Attack: Details

Plain M2:        M y M S G 3 3 3
Encrypted C1:    L G l h 3 l a 1     Encrypted C2: X E K h X r A c
Intermediate I2: I K 7 u F Q s b

Padding Oracle Attack: Details

M2 = C1 ⊕ I2

I2 = M2 ⊕ C1

We CAN change the resulting plaintext M2 by changing the encrypted block C1

Padding Oracle Attack: Last Byte

Plain M2:        M y M S G 3 3 D     M2[8] = D
Encrypted C1:    L G l h 3 l a A     C1[8] = A
Encrypted C2:    X E K h X r A B     C2[8] = B
Intermediate I2: I K 7 u F Q s C     I2[8] = C

Padding Oracle Attack: Last Byte

1. Iterate byte PP from 0x00 to 0xFF (possible M2[8] byte)

2. Set A = C1[8] ⊕ PP ⊕ 0x01

3. Check with the Padding Oracle whether we got correct padding (D = 0x01)

4. In case of correct padding we can calculate the last byte M2[8]:

• M2[8] = C1[8] ⊕ C

• Because C = D ⊕ A

• Then C = 0x01 ⊕ C1[8] ⊕ PP ⊕ 0x01

• We can simplify it to C = C1[8] ⊕ PP

• In this case M2[8] = C1[8] ⊕ C1[8] ⊕ PP

• And finally M2[8] = PP, voila!


Padding Oracle Attack: Next Byte

Same picture, one position to the left: C1[7], C2[7], I2[7], M2[7]

Padding Oracle Attack: Next Byte

1. New step: modify C1[8] = C1[8] ⊕ M2[8] ⊕ 0x02

2. Iterate byte PP from 0x00 to 0xFF (possible M2[7] byte)

3. Set A = C1[7] ⊕ PP ⊕ 0x02

4. Check with the Padding Oracle whether we got correct padding (D = 0x02)

5. In case of correct padding we can calculate the byte M2[7]:

• M2[7] = C1[7] ⊕ C

• Because C = D ⊕ A

• Then C = 0x02 ⊕ C1[7] ⊕ PP ⊕ 0x02

• We can simplify it to C = C1[7] ⊕ PP

• In this case M2[7] = C1[7] ⊕ C1[7] ⊕ PP

• And finally M2[7] = PP, we did it again!

Padding Oracle Attack: Tools

POET – Apache MyFaces form padding oracle exploitation tool: http://netifera.com/research/

PadBuster – ASP.NET (not only) padding oracle exploitation tool: https://github.com/GDSSecurity/PadBuster

Bletchley – Python-based cryptography exploitation multitool: https://code.google.com/p/bletchley/

How-to Mitigate?

• Use a MAC together with encryption

• Don't show padding errors to the attacker

• Use another cipher mode (CFB, etc)

Hash is…

Sometimes it’s tricky

Hash Crack Speed

8xGPU SHA-1 crack speed: 29 528M c/s

8-character password Z!sN0/7u:

95-symbol alphabet, 6.70 × 10^15 search space

2.6 days to brute-force ALL combinations

Salted Hash

• Yes, it's better than a plain hash

• But it could also be broken

(MAC Length Extension Attack)

Hash Padding

KEY | MESSAGE | Just 1 Bit | NULL Bytes Padding | MESSAGE+KEY Length

Length extension attack

BOX 1: KEY | Original MSG | NULL Bytes Padding | MESSAGE Length
BOX 2: Extended Part

Where is the problem?

HASH (KEY+MSG) is BAD

- extension attack is possible

HASH (MSG+KEY) is GOOD

- extension attack is impossible

Length extension attack: Tools

HashPump – C++ tool for hash length extension exploitation: https://github.com/bwall/HashPump

hlextend – Python hash length extension exploitation library: https://github.com/stephenbradshaw/hlextend

How-to Mitigate?

• Use HMAC instead of a bare hash function

• Use other hash functions (SHA-3)
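Added example, not part of the original deck, covering the "Hash Padding" slide and the two mitigations above: it builds the Merkle-Damgård padding (1 bit, NULL bytes, length) to show that it depends only on the length of KEY+MESSAGE, and puts the BAD HASH(KEY+MSG) tag next to HMAC and SHA-3 with a constant-time check. Key and message values are constructed for illustration.

```python
import hashlib
import hmac
import struct

def md_padding(msg_len: int, little_endian: bool = False) -> bytes:
    # The padding drawn on the "Hash Padding" slide: one 1 bit (the 0x80
    # byte), NULL bytes up to 8 bytes short of a 64-byte block, then the
    # message length in bits as a 64-bit integer. SHA-1/SHA-256 store the
    # length big-endian, MD5 little-endian. It depends only on the length,
    # not on the content, so only len(KEY) is needed to reproduce it.
    zeros = (55 - msg_len) % 64
    fmt = "<Q" if little_endian else ">Q"
    return b"\x80" + b"\x00" * zeros + struct.pack(fmt, msg_len * 8)

def padded_len(key_len: int, msg_len: int) -> int:
    # Length of KEY + MESSAGE + padding: always a whole number of 64-byte blocks.
    return key_len + msg_len + len(md_padding(key_len + msg_len))

def mac_prefix(key: bytes, msg: bytes) -> str:
    # HASH(KEY + MSG): the construction the slide marks as BAD, because the
    # digest is the full internal state after absorbing KEY + MSG + padding.
    return hashlib.sha1(key + msg).hexdigest()

def mac_hmac(key: bytes, msg: bytes) -> str:
    # Mitigation 1: HMAC runs the hash twice with the key mixed into both
    # passes; the outer pass hides the inner state, so no extension is possible.
    return hmac.new(key, msg, hashlib.sha1).hexdigest()

def mac_sha3(key: bytes, msg: bytes) -> str:
    # Mitigation 2 from the slide: SHA-3 is a sponge whose digest does not
    # reveal its full state, so even KEY + MSG is safe against extension.
    return hashlib.sha3_256(key + msg).hexdigest()

def tag_valid(expected: str, received: str) -> bool:
    # Constant-time comparison: an early-exit byte compare is itself an oracle.
    return hmac.compare_digest(expected, received)
```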

Order is Significant

And Kitties also

Outline

• Only one cipher is UNBREAKABLE (OTP)

• You can find WEAKNESS in ciphers, preferences, or chains of crypto (HeartBleed)

• Some BAD usage of GOOD things is possible (Hash Length Extension)

• Some MISSING mitigations of KNOWN issues could be a problem (Padding Oracle)

• Crypto is a BIG part of security, so have FUN

Crypto is your Friend

Sometimes The Best

And Enemy

I would say, complicated

Questions???

Kawai can’t be too much

Thanks!

Yurii [email protected]