POODLE
This POODLE Bites: Exploiting The SSL 3.0 Fallback
Bodo Möller, Thai Duong, Krzysztof Kotowicz
Presented by: Samit Anwer
Padding Oracle On Downgraded Legacy Encryption
- If an attacker interferes with a handshake offering TLS 1.0 or later, many clients retry the connection with SSL 3.0. This fallback is client behaviour (the browser "downgrade dance"), not part of the protocol.
- Encryption in SSL 3.0 uses either the RC4 stream cipher or a block cipher (AES/DES) in CBC mode.
- We take AES in CBC mode as the running example.
- Assumption: the attacker can modify network transmissions between client and server (an active man-in-the-middle).
Attack Scenario
- The attacker sends the victim a link (http://evil.com).
- When the victim visits the link, JavaScript embedded on evil.com starts making cookie-bearing requests to https://example.com.
- An HTTP request looks like:
  POST /path
  Cookie: name=value ...\r\n\r\n
  body
- The attacker is a man-in-the-middle on the encrypted traffic and controls the data in "path" and "body" (both their length and their content); the cookie value is the secret being attacked.
Cipher Block Chaining Encryption
Plaintext record: POST /path Cookie: name=value ...\r\n\r\n body ‖ 20-byte MAC ‖ padding, split into blocks $P_1, P_2, \ldots, P_n$ and encrypted into $C_1, C_2, \ldots, C_n$:
$C_i = E_K(P_i \oplus C_{i-1})$, with $C_0 = \mathrm{IV}$
AES block size is 16 bytes; DES block size is 8 bytes.
Cipher Block Chaining Decryption
$P_i = D_K(C_i) \oplus C_{i-1}$, with $C_0 = \mathrm{IV}$
Decrypting $C_1, \ldots, C_n$ blockwise recovers $P_1, \ldots, P_n$, i.e. POST /path Cookie: name=value ...\r\n\r\n body ‖ 20-byte MAC ‖ padding.
The Attack
Plaintext: POST /path Cookie: sessionid=value ...\r\n\r\n body ‖ 20-byte MAC ‖ padding
- Padding of 1 to L bytes (L = block size in bytes) is appended after the MAC before blockwise CBC encryption. The last byte gives the padding length; in SSL 3.0 the padding bytes before it are arbitrary and are not checked.
- The attacker controls the request path and the request body, and hence can shape requests such that:
  (a) the padding fills an entire block (encrypted into $C_n$), i.e. the padding-length byte is L-1 = 15 for AES;
  (b) the cookie's first (as yet unknown) byte is the final byte of an earlier block (encrypted into $C_i$).
- The attacker replaces $C_n$ by the earlier ciphertext block $C_i$. The server decrypts the last block as $D_K(C_i) \oplus C_{n-1}$ and strips padding according to its final byte. The record is accepted only if that final byte happens to be 15: then exactly one block is removed, the MAC (which was not touched) verifies, and the server proceeds. Any other value strips the wrong number of bytes and the MAC check fails, so the record is rejected. The accept/reject behaviour is a padding oracle.
Attack (continued)
Assume L = 16 (AES). From CBC decryption we know $P_i = D_K(C_i) \oplus C_{i-1}$ and $P_n = D_K(C_n) \oplus C_{n-1}$, so for the final byte of the last block
$P_n[15] = D_K(C_n)[15] \oplus C_{n-1}[15]$ ----- (a)
With $C_n$ replaced by $C_i$, the server accepts the record exactly when this byte equals 15. From (a), acceptance therefore means
$15 = D_K(C_i)[15] \oplus C_{n-1}[15]$, i.e. $D_K(C_i)[15] = 15 \oplus C_{n-1}[15]$ ----- (1)
For the block that holds the cookie byte,
$P_i[15] = D_K(C_i)[15] \oplus C_{i-1}[15]$ ----- (2)
Substituting (1) into (2):
$P_i[15] = 15 \oplus C_{n-1}[15] \oplus C_{i-1}[15]$
Unknown entity: $P_i[15]$, the cookie byte. Known entities: $C_{n-1}[15]$ and $C_{i-1}[15]$, both read directly from the ciphertext.
Every request is encrypted with a different CBC state, so each attempt is an independent trial that succeeds with probability 1/256; on average 256 requests reveal one byte. To get the next byte, the attacker shifts the request by one byte (path one byte longer, body one byte shorter) so that the next cookie byte becomes the final byte of a block, and repeats.
Overall Effort
- 256 SSL 3.0 requests per byte of cookie, on average.
Problem with SSL 3.0 in CBC mode
- The integrity of the padding cannot be verified when decrypting, because the padding is not covered by the MAC: only the padding-length byte is interpreted, and the padding bytes themselves are arbitrary.
Recommendation
- Disable the SSL 3.0 protocol in the client, in the server, or both.
- TLS_FALLBACK_SCSV (RFC 7507): when an incoming connection includes the value 0x56, 0x00 (TLS_FALLBACK_SCSV) in ClientHello.cipher_suites, the server compares ClientHello.client_version to the highest protocol version it supports. If the server supports a version higher than the one indicated by the client, it rejects the connection (with a fatal inappropriate_fallback alert), since a client that advertises the SCSV only sends it on a retry after a failed handshake. This protects against the downgrade while SSL 3.0 is still enabled; it does not fix SSL 3.0 itself.
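The server-side rule from the slide above, as an added example (not the slides', the paper's or any TLS library's code). It parses the cipher_suites vector out of a ClientHello handshake body and applies the RFC 7507 check; make_client_hello is a helper written here to construct sample ClientHellos, and the cipher suite 0x002f is used only as an ordinary suite next to the SCSV.

```python
"""TLS_FALLBACK_SCSV check as a server would apply it (constructed example).
make_client_hello builds a minimal ClientHello body (no extensions) so the
example runs offline; it is not a library function."""
import os
import struct

TLS_FALLBACK_SCSV = b"\x56\x00"
INAPPROPRIATE_FALLBACK = 86          # AlertDescription value defined in RFC 7507

SSL_3_0 = b"\x03\x00"
TLS_1_0 = b"\x03\x01"
TLS_1_2 = b"\x03\x03"
AES128_SHA = b"\x00\x2f"             # TLS_RSA_WITH_AES_128_CBC_SHA, an ordinary suite


def make_client_hello(client_version, cipher_suites, session_id=b""):
    """ClientHello body: version, 32-byte random, session_id, cipher_suites, compression."""
    suites = b"".join(cipher_suites)
    return (client_version + os.urandom(32)
            + bytes([len(session_id)]) + session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                  # compression_methods: null only


def parse_client_hello(body):
    """Return (client_version, list of 2-byte cipher suites) from a ClientHello body."""
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    version = body[0:2]
    sid_len = body[34]
    off = 35 + sid_len
    (cs_len,) = struct.unpack("!H", body[off:off + 2])
    suites = body[off + 2:off + 2 + cs_len]
    if cs_len % 2 or len(suites) != cs_len:
        raise ValueError("malformed cipher_suites vector")
    return version, [suites[i:i + 2] for i in range(0, cs_len, 2)]


def fallback_scsv_check(body, server_max_version):
    """RFC 7507 rule: reject a fallback connection whose client_version is below
    the server's best version. Returns ("accept", None) or ("reject", alert)."""
    client_version, suites = parse_client_hello(body)
    # Versions are big-endian {major, minor} pairs, so bytewise comparison orders them.
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return ("reject", INAPPROPRIATE_FALLBACK)
    return ("accept", None)


if __name__ == "__main__":
    # A TLS 1.2-capable browser retrying with SSL 3.0 after a disrupted handshake
    # includes the SCSV, so a TLS 1.2 server refuses the downgraded connection.
    retry = make_client_hello(SSL_3_0, [AES128_SHA, TLS_FALLBACK_SCSV])
    print(fallback_scsv_check(retry, TLS_1_2))            # ('reject', 86)
    # The same browser's first, undisturbed attempt is accepted.
    first = make_client_hello(TLS_1_2, [AES128_SHA, TLS_FALLBACK_SCSV])
    print(fallback_scsv_check(first, TLS_1_2))            # ('accept', None)
    # A genuinely old client that only speaks SSL 3.0 never sends the SCSV; the
    # server cannot distinguish it from a downgrade, hence the advice to disable SSL 3.0.
    legacy = make_client_hello(SSL_3_0, [AES128_SHA])
    print(fallback_scsv_check(legacy, TLS_1_2))           # ('accept', None)
```

The third case is the important caveat: the SCSV only helps when the client sends it, so a server that keeps SSL 3.0 enabled still accepts any client that simply starts at SSL 3.0.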
Demo Overview
Source: https://patzke.org/implementing-the-poodle-attack.html
Attack Steps:
1. Downgrade the connection to SSLv3 by disrupting the TLS handshake attempts.
2. Adjust the URL (path) and POST body lengths so that the last block of the ciphertext consists entirely of padding and the targeted cookie byte is the final byte of an earlier block.
3. For every SSLv3 record the browser generates, copy the block holding the targeted cookie byte over the last (padding) block. If the server accepts the modified record, compute the leaked byte as $15 \oplus C_{n-1}[15] \oplus C_{i-1}[15]$; then shift the request by one byte and repeat for the next cookie byte.
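The three steps above and the derivation on the "Attack (continued)" slide, carried out end to end in an added simulation that is not the slides', the paper's or patzke.org's code. Everything here is constructed for the example: a 16-byte Feistel toy cipher built on SHA-256 (feistel_encrypt/feistel_decrypt) stands in for AES, since the attack relies only on CBC mode and SSL 3.0's unchecked padding bytes, not on the cipher; the record MAC is HMAC-SHA1 (20 bytes), a simplification of the real SSL 3.0 MAC; each record gets a fresh random IV in place of the chained CBC state that makes every real record encrypt differently; and the attacker is assumed to know the cookie length (in practice it is read off record lengths by varying the body length). The Victim class plays both the browser that attaches the secret cookie and the server that answers only accept/reject.

```python
"""POODLE padding-oracle simulation (constructed example, see lead-in for assumptions)."""
import hashlib
import hmac
import os

BLOCK = 16
MAC_LEN = 20
HEAD = b"POST /"                             # before the attacker-chosen path
MID = b" HTTP/1.1\r\nCookie: sessionid="     # between path and the secret cookie
TAIL = b"\r\n\r\n"                           # before the attacker-chosen body


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def feistel_encrypt(key, block):             # toy 16-byte block cipher standing in for AES
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, xor(l, _round(key, i, r))
    return l + r


def feistel_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(8)):
        l, r = xor(r, _round(key, i, l)), l
    return l + r


def ssl3_encrypt_record(key, mac_key, plaintext):
    """plaintext || MAC || padding, CBC-encrypted. The last byte is the padding
    length; the padding bytes before it are random and never checked (SSL 3.0)."""
    data = plaintext + hmac.new(mac_key, plaintext, hashlib.sha1).digest()
    pad_len = (BLOCK - 1) - len(data) % BLOCK
    data += os.urandom(pad_len) + bytes([pad_len])
    iv = prev = os.urandom(BLOCK)
    out = b""
    for off in range(0, len(data), BLOCK):
        prev = feistel_encrypt(key, xor(data[off:off + BLOCK], prev))
        out += prev
    return iv + out                          # C_0 = IV, then C_1 .. C_n


def ssl3_decrypt_record(key, mac_key, record):
    """Server side: the plaintext, or None if the padding length or the MAC is bad."""
    prev, data = record[:BLOCK], b""
    for off in range(BLOCK, len(record), BLOCK):
        data += xor(feistel_decrypt(key, record[off:off + BLOCK]), prev)
        prev = record[off:off + BLOCK]
    pad_len = data[-1]
    if pad_len >= BLOCK:                     # the only padding check SSL 3.0 performs
        return None
    data = data[:len(data) - pad_len - 1]
    plaintext, mac = data[:-MAC_LEN], data[-MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(mac_key, plaintext, hashlib.sha1).digest()):
        return None
    return plaintext


class Victim:
    """Browser + server: evil.com's script chooses path/body lengths, the browser
    adds the secret cookie and encrypts, the server only says accept or reject."""
    def __init__(self, cookie):
        self.key, self.mac_key, self.cookie = os.urandom(16), os.urandom(16), cookie

    def send(self, path_len, body_len):
        req = HEAD + b"a" * path_len + MID + self.cookie + TAIL + b"b" * body_len
        return ssl3_encrypt_record(self.key, self.mac_key, req)

    def server_accepts(self, record):
        return ssl3_decrypt_record(self.key, self.mac_key, record) is not None


def poodle_recover(victim, cookie_len, max_tries=50000):
    recovered = b""
    for k in range(cookie_len):
        # Step 2: the path length places cookie byte k last in (1-based) block i; the
        # body length makes plaintext+MAC a block multiple, so C_n is pure padding.
        path_len = (BLOCK - 1 - (len(HEAD) + len(MID) + k)) % BLOCK
        pos = len(HEAD) + path_len + len(MID) + k
        i = pos // BLOCK + 1
        body_len = (-(pos - k + cookie_len + len(TAIL) + MAC_LEN)) % BLOCK
        for _ in range(max_tries):
            rec = victim.send(path_len, body_len)
            n = len(rec) // BLOCK - 1
            c_i = rec[i * BLOCK:(i + 1) * BLOCK]
            # Step 3: replace C_n with C_i; accepted iff D_K(C_i)[15] ^ C_{n-1}[15] == 15.
            if victim.server_accepts(rec[:n * BLOCK] + c_i):
                c_im1_last = rec[i * BLOCK - 1]          # C_{i-1}[15]
                c_nm1_last = rec[n * BLOCK - 1]          # C_{n-1}[15]
                recovered += bytes([(BLOCK - 1) ^ c_nm1_last ^ c_im1_last])
                break                                    # expected after ~256 tries
        else:
            raise RuntimeError("oracle never accepted: check the block alignment")
    return recovered


if __name__ == "__main__":
    print(poodle_recover(Victim(b"s3cr3tC00k13"), 12))
```

Step 1 (the handshake downgrade) is outside the record layer and is not simulated; the run starts from an SSL 3.0 CBC session. The alignment arithmetic in poodle_recover is the part practitioners usually get wrong: if the cookie byte is not the final byte of its block, or the last block is not pure padding, the oracle still fires at 1/256 but the recovered byte is garbage.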
References
- Bodo Möller, Thai Duong, Krzysztof Kotowicz. This POODLE Bites: Exploiting The SSL 3.0 Fallback. https://www.openssl.org/~bodo/ssl-poodle.pdf
- Attack of the week: POODLE. https://blog.cryptographyengineering.com/2014/10/15/attack-of-week-poodle/
- Implementing the POODLE Attack. https://patzke.org/implementing-the-poodle-attack.html