CRYPTOGRAPHY

THE

HAS YOU

Yurii Bilyk || 2014

• Classic & Modern Cryptography

• Block Ciphers Modes

• HASH, MAC & Padding

• Length & Padding Oracle Attacks

AGENDA

Crypto is Everywhere

Around the World, around the World…

CRYPTOGRAPHY

INTERNET

VOICE

MONEY

Classic Cryptography

Before Computer Era

Transposition Ciphers

Get key (rule of transposition)

Change position of each character according the rule

Don’t forget you key

Transposition Ciphers: Example

T h i s I s M

y S e c r e t

M e s s a g e

M y T e S h M

Scytale

Create substitution table

Substitution Ciphers

Write plaintext

Substitute each character from the plaintext to a new character according the table

Substitution Ciphers: Example

Substitution Table

Crypto

Depends on language

Frequency of characters repeating

True for old and simple ciphers

Frequency Analysis

Modern Cryptography

After Computer Era

One-Time Pad (OTP)

A plaintext is paired with random, secret key (or pad) which have the same length (or more) as message

Each bit or char of the plaintext is encrypted by combining it with the corresponding bit or char from the pad using modular addition

Unbreakable One-Time Pad (OTP)

Key is truly random

Key and at least as long as the plaintext

Key never reused in whole or in part, and kept completely secret

Symmetric-Key Cryptography

One shared key

Block ciphers

Stream ciphers

Block Ciphers

Fixed block size

Uses padding

Different modes (ECB, CBC, etc)

Electronic Codebook (ECB)

Each block processed individually

M y V e r y S e c r e t T e x t

L G l h 3 l a 1 X E K h X r A c

Plain Text

Encrypted

Electronic Codebook (ECB)

AES-256-ECB AES-256-CBCPlainText

Cipher Block Chaining (CBC)

Added initialization vector (IV)

More secure (by design)

Still vulnerable for padding attack

Cipher Block Chaining (CBC)

M y V e r y S e c r e t T e x t

L G l h 3 l a 1 X E K h X r A c

1 2 3 4 5 6 7 8

Plain Text

IV

Encrypted

Padding Types

Bit Padding (add 1 bit and zeros)

Byte Padding (add some bytes and length of padding, add number of bytes which equal to padding length, etc)

Mixed Padding (add 1 bit and then bytes, for ex. MD5 padding)

Byte Padding

A B C D 0x00 0x00 0x00 0x00

A B C D 0x04 0x04 0x04 0x04

A B C D 0xFF 0xFF 0xFF 0x03

Zero Bytes Padding

Padding Length Bytes

0xFF Bytes + Padding Length Byte

Stream Ciphers

Key Stream is used (generated from Key)

Gamma (Key Stream) generator is pseudo random with some period (bigger is better)

Works really fast ( XOR KeyStream with MSG)

Bit-Flipping Attack

Attacker know part and of plaintext and place in encrypted(for ex. amount of money)

Can change this part w/o knowing key (nature of XOR)

Message Access Code (MAC)

Hash Functions (MD5, SHA, etc)

Encrypted data integrity check

Used not only in encryption integrity check (web form data validation, plaintext data, etc)

Public-Key Cryptography

Different Keys for Encryption/Decryption

Secure key exchange method (Diffie-Hellman)

Same algorithm for encryptions/digital sign (RSA)

Meet SSL/TLS

It’s his star time

Secure Socket Layer (SSL/TLS)

Key Exchange: RSA, Diffie-Hellman, PSK

Authentication: RSA, DSA, ECDSA

Symmetric Cipher: RC4, IDEA, DES, 3DES, AES

Data Integrity: SHA, MD5, MD4 and MD2

HeartBleed

Issue in the realization of crypto protocol/system

***IT happens

Not issue in the cipher

Remember I'm offering you the truth. Nothing More.

Pad Oracle & Length Extension

Padding Oracle

Oracle: something that can prove or refute your assumptions

Padding: building blocks to make things the same size

Together: are nightmare of cryptography

Padding Oracle Nightmare

You don’t need a key

Almost doesn’t depends on cipher algorithm (CBC mode)

Faster that brute force attack

The Magic XOR Rules

A A = 0

A 0 = A

A B = B A

(A B) C = A (B C)

Padding Oracle Attack: Details

M y M S G 3 3 3

L G l h 3 l a 1 X E K h X r A c

Plain M2

Encrypted C1 Encrypted C2

I K 7 u F Q s b

Intermediate I2

Padding Oracle Attack: Details

M2= C1 I2

I2= M2 C1

We CAN change result Plaintext M2 by changing Encrypted C1 Message

Padding Oracle Attack: Last Byte

M y M S G 3 3 D

L G l h 3 l a A X E K h X r A B

I K 7 u F Q s C

C1[8] C2[8]

I2[8]

M2[8]

Padding Oracle Attack: Last Byte

1. Iterate byte PP from 0x00 to 0xFF (possible M2[8] byte)

2. Set A = C1[8] PP 0x013. Check Padding Oracle if we got correct padding (D = 0x01)

4. In case of correct padding we can calculate M2[8] last byte:

• M2[8] = C1[8] C• Because C = D A

• Then C = 0x01 C1[8] PP 0x01• We can simplify it to C = C1[8] PP

• In this case M2[8] = C1[8] C1[8] PP• And finally M2[8] = PP, voila!

M y M S G 3 3D

L G l h 3 l aA X E K h X r AB

I K 7 u F Q sC

C1[8] C2[8]

I2[8]

M2[8]

Padding Oracle Attack: Next Byte

C1[7] C2[7]

I2[7]

M2[7]

Padding Oracle Attack: Next Byte

1. New step, modify C1[8] = C1[8] M2[8] 0x022. Iterate byte PP from 0x00 to 0xFF (possible M2[7] byte)

3. Set A = C1[7] PP 0x024. Check Padding Oracle if we got correct padding (D = 0x02)

5. In case of correct padding we can calculate M2[8] last byte:

• M2[7] = C1[7] C• Because C = D A

• Then C = 0x02 C1[7] PP 0x02• We can simplify it to C = C1[7] PP

• In this case M2[7] = C1[7] C1[7] PP• And finally M2[7] = PP, we did it again!

Padding Oracle Attack: Tools

POET – Apache MyFaces form padding oracle expl. toolhttp://netifera.com/research/

PadBuster – ASP.NET (not only) padding oracle expl. toolhttps://github.com/GDSSecurity/PadBuster

Bletchley – python based cryptography expl. multitoolhttps://code.google.com/p/bletchley/

• Use MAC in pair of encryption

• Don’t show Padding Errors to Attacker

• Use another cipher mode (CFB, etc)

How-to Mitiagate?

Hash is…

Sometimes it’s tricky

Hash Crack Speed

8xGPU SHA-1 crack speed: 29 528M c/s

8xCHARS password Z!sN0/7u:

95 symbols length alphabet6.70 X 1015 search space

2.6 days to brute ALLcombinations

Salted Hash

• Yes, it’s better that just hash

• But also could be broken

(MAC Length Extension Attack)

Hash Padding

KEY

MESSAGE

NULL Bytes Padding

MESSAGE+KEY Length

Just 1 Bit

Length extension attack

KEY Original MSG

NULL Bytes Padding

MESSAGE Length

BOX 1 BOX 2Extended Part

Where is the problem?

HASH (KEY+MSG) is BAD

- extension attack is possible

HASH (MSG+KEY) is GOOD

- extension attack is impossible

Length extension attack: Tools

HashPump – C++ tool for hash extension expl. attackhttps://github.com/bwall/HashPump

hlextend – python hash extension expl. libraryhttps://github.com/stephenbradshaw/hlextend

• Use HMAC instead of poor hash functions

• Use other hash functions (SHA-3)

How-to Mitiagate?

Order is Significant

And Kitties also

Outline

• Only one cipher is UNBREAKBLE (OTP)

• You can find WEAKNESS in ciphers, preferences, or chains of crypto (HeartBleed)

• Some BAD usage of GOOD things are possible (Hash Length Extension)

• Some MISSING mitigations of KNOWN issues cold be a problem (Padding Oracle)

• Crypto is BIG part of security, so have FUN

Crypto is your Friend

Sometimes The Best

And Enemy

I would say, complicated

Questions???

Kawai can’t be too much

Thanks!

Yurii Bilykyubilyk@gmail.com