SlideShare ist ein Scribd-Unternehmen logo

Cryptography techniques for penetration testers

C
ceng
TechnologieBildung
1 von 51
Downloaden Sie, um offline zu lesen
Cryptography for Penetration Testers Chris Eng September 25, 2008
Intro – Chris Eng Senior Director of Security Research at Veracode Previously: – 2004-2006: Symantec (via acquisition) – 2000-2004: @stake – 1998-2000: National Security Agency
Contents Overview Crypto Background Analysis Techniques Case Studies
Overview
The Premise How much do you really have to know about cryptography in order to detect and exploit crypto weaknesses in web applications?
Goals Learn basic techniques for identifying and analyzing cryptographic data Learn black-box heuristics for recognizing weak cryptographic implementations Apply techniques to real-world penetration tests
Caveats This talk is best suited for penetration testers, but should be enlightening for developers too Assumes familiarity with HTTP and common character encoding mechanisms (e.g. Base64) Assumes basic understanding of cryptographic terms but requires no understanding of the underlying mathematics Case studies are from real-world applications but the actual data has been sanitized
The Crypto That Matters, In 6 Short Slides
Types of Ciphers Block Cipher – Operates on fixed-length groups of bits, called blocks – Block sizes vary depending on the algorithm (most algorithms support several different block sizes) – Several different modes of operation for encrypting messages longer than the basic block size – Example ciphers: DES, Triple DES, Blowfish, AES Stream Cipher – Operates on plaintext one bit at a time – A keystream is generated independently of the message data, then combined with the plaintext (to encrypt) or ciphertext (to decrypt) – Example ciphers: RC4, ORYX, SEAL
Block Ciphers: Electronic Code Book (ECB) Mode Fixed-size blocks of plaintext are encrypted independently Each plaintext block is substituted with ciphertext block, like a codebook Weaknesses – Structure in plaintext is reflected in ciphertext – Ciphertext blocks can be modified without detection Plaintext K Enc K Enc K Enc K Enc K Enc Ciphertext
Block Ciphers: Cipher Block Chaining (CBC) Mode Each block of plaintext is XORed with the previous ciphertext block before being encrypted Change of message affects all following ciphertext blocks Initialization Vector (IV) is used to encrypt first block Plaintext IV K Enc K Enc K Enc K Enc K Enc Ciphertext
Block Cipher Modes Illustrated Original ECB CBC Source: Wikipedia, “Block cipher modes of operation”
Stream Ciphers Plaintext message is processed byte by byte (as a stream) Key scheduler algorithm generates a keystream using a key and an Initialization Vector (IV) combined (XOR) with plaintext bit by bit Encrypt by XORing plaintext with the generated keystream Decrypt by XORing ciphertext with the same keystream Plaintext IV Key Scheduler K Ciphertext
Common Cryptography Mistakes Insecure cipher mode (usually ECB) – Will be illustrated in case study #1 Inappropriate key reuse – Will be illustrated in case study #2 Poor key selection Insufficient key length Insecure random number generation Proprietary or home-grown encryption algorithms – Seriously… don’t do this under any circumstances, EVER
Analysis Techniques
Dealing With Gibberish Data What do you do when you are pen testing a web application and you encounter data that is not easy to interpret? – Cookies – Hidden fields – Query string parameters – POST parameters – etc. How can you tell if that data is encrypted or trivially encoded? – Obviously check for common encodings first (Base64, hex)
Test For Randomness How random is it? – Output of cryptographic algorithms should be evenly distributed, given a sufficiently large sample size – Tools such as ENT (http://www.fourmilab.ch/random) will calculate entropy per byte, chi-square distribution, arithmetic mean, serial correlation, etc. C:Documents and SettingscengDesktop>ent sha1.c Entropy = 4.761198 bits per byte. Arithmetic mean value of data bytes is 69.2602 (127.5 = random). Serial correlation coefficient is 0.385237 (totally uncorrelated = 0.0). C:Documents and SettingscengDesktop>ent sha1.c.pgp Entropy = 7.892304 bits per byte. Arithmetic mean value of data bytes is 123.4868 (127.5 = random). Serial correlation coefficient is -0.039927 (totally uncorrelated = 0.0).
Observe Characteristics Is the length a multiple of a common block size? – Indicates that the application may be using a block cipher Is the length the same as a known hash algorithm? – For example, MD5 is usually represented as 32 hex characters – May also indicate the presence of an HMAC – Still may be worthwhile to hash various permutations of known data in case a simple unkeyed hash is being used, e.g. PasswordCookie = MD5(password)
Stimulus, Response Does the length of the token change based on the length of some value that you can supply? Username Token For a block cipher, you can determine the block size by incrementing input one byte at a time and observing when the encrypted output length jumps by multiple bytes (i.e. the block size) Username Token
Stimulus, Response How does the token change in response to user-supplied data? – Figure out how changing different parts of the input affects the output – Is more than one block affected by a single character change in the input? Username Password Token
Deeper Block Cipher Inspection Are there any blocks of data that seem to repeat in the same token or over multiple tokens? – Possibly ECB mode, this doesn’t just happen by coincidence – Determine block size and try modifying single ciphertext blocks or swapping blocks between messages Do multiple tokens begin with the same block or series of blocks but then diverge? – Possibly CBC mode with a static IV – Remember, swapping ciphertext blocks is not possible because changing one block affects subsequent blocks
Case Study: Block Cipher
Context A public-facing web portal for a large ISP (?) – can’t remember exactly Allowed subscribers to manage their accounts, check e-mail, etc. Used an encrypted cookie to track user identity
Fetch of “My Account” Page This is the cookie used for authentication GET /jsp/showMyAcct.jsp HTTP/1.0 Cookie: EM=Zm9vQHN5bWFudGVjLmNvbQ==; EE=dIjymAw4v/tdIF+0dDPDKIRJfovQEYEftkiSKT8SUMYOxkt9oTzoJ7ZIkik/ElDGk1AW4Q 2zd4M= Host: the.vulnerable.site User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1 Accept: text/css,*/*;q=0.1 Accept-Language: en-us,en;q=0.7,ja;q=0.3 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: close
EE Cookie Is Re-Issued on Each Request EE=dIjymAw4v/tdIF+0dDPDKIRJfovQEYEftkiSKT8SUMYOxkt9oTzoJ7ZIkik/ElDGk1AW4Q2z d4M=; EE=dIjymAw4v/tdIF+0dDPDKIRJfovQEYEftkiSKT8SUMYOxkt9oTzoJzy7GW2GoU8aWteZ03Yh Z/8=; EE=dIjymAw4v/tdIF+0dDPDKIRJfovQEYEftkiSKT8SUMYOxkt9oTzoJzy7GW2GoU8aWteZ03Yh Z/8=; EE=dIjymAw4v/tdIF+0dDPDKIRJfovQEYEftkiSKT8SUMYOxkt9oTzoJ2un6iQdjT71hwonLp2O S84=; EE=dIjymAw4v/tdIF+0dDPDKIRJfovQEYEftkiSKT8SUMYOxkt9oTzoJ2un6iQdjT71hwonLp2O S84=; EE=dIjymAw4v/tdIF+0dDPDKIRJfovQEYEftkiSKT8SUMYOxkt9oTzoJ2un6iQdjT71ILU+OyTd r7Q=; EE=dIjymAw4v/tdIF+0dDPDKIRJfovQEYEfES6rl7qREhbICEdM7k4dxREuq5e6kRIWxzvofBNR gkk=; EE=dIjymAw4v/tdIF+0dDPDKIRJfovQEYEfES6rl7qREhbICEdM7k4dxWg3mgwT+ZCkkiYmqVxo grM=;
Base64 Decoded EE Cookies 7488f2980c38bffb5d205fb47433c32884497e8bd011811fb64892293f1250c60ec64b7da13 ce827b64892293f1250c6935016e10db37783 7488f2980c38bffb5d205fb47433c32884497e8bd011811fb64892293f1250c60ec64b7da13 ce8273cbb196d86a14f1a5ad799d3762167ff 7488f2980c38bffb5d205fb47433c32884497e8bd011811fb64892293f1250c60ec64b7da13 ce8273cbb196d86a14f1a5ad799d3762167ff 7488f2980c38bffb5d205fb47433c32884497e8bd011811fb64892293f1250c60ec64b7da13 ce8276ba7ea241d8d3ef5870a272e9d8e4bce 7488f2980c38bffb5d205fb47433c32884497e8bd011811fb64892293f1250c60ec64b7da13 ce8276ba7ea241d8d3ef5870a272e9d8e4bce 7488f2980c38bffb5d205fb47433c32884497e8bd011811fb64892293f1250c60ec64b7da13 ce8276ba7ea241d8d3ef520b53e3b24ddafb4 7488f2980c38bffb5d205fb47433c32884497e8bd011811f112eab97ba911216c808474cee4 e1dc5112eab97ba911216c73be87c13518249 7488f2980c38bffb5d205fb47433c32884497e8bd011811f112eab97ba911216c808474cee4 e1dc568379a0c13f990a4922626a95c6882b3
Base64 Decoded EE Cookies 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f b64892293f1250c6 0ec64b7da13ce827 b64892293f1250c6 935016e10db37783 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f b64892293f1250c6 0ec64b7da13ce827 3cbb196d86a14f1a 5ad799d3762167ff 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f b64892293f1250c6 0ec64b7da13ce827 3cbb196d86a14f1a 5ad799d3762167ff 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f b64892293f1250c6 0ec64b7da13ce827 6ba7ea241d8d3ef5 870a272e9d8e4bce 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f b64892293f1250c6 0ec64b7da13ce827 6ba7ea241d8d3ef5 870a272e9d8e4bce 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f b64892293f1250c6 0ec64b7da13ce827 6ba7ea241d8d3ef5 20b53e3b24ddafb4 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f 112eab97ba911216 c808474cee4e1dc5 112eab97ba911216 c73be87c13518249 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f 112eab97ba911216 c808474cee4e1dc5 68379a0c13f990a4 922626a95c6882b3
Base64 Decoded EE Cookies – Repetition 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f b64892293f1250c6 0ec64b7da13ce827 b64892293f1250c6 935016e10db37783 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f b64892293f1250c6 0ec64b7da13ce827 3cbb196d86a14f1a 5ad799d3762167ff 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f b64892293f1250c6 0ec64b7da13ce827 3cbb196d86a14f1a 5ad799d3762167ff 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f b64892293f1250c6 0ec64b7da13ce827 6ba7ea241d8d3ef5 870a272e9d8e4bce 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f b64892293f1250c6 0ec64b7da13ce827 6ba7ea241d8d3ef5 870a272e9d8e4bce 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f b64892293f1250c6 0ec64b7da13ce827 6ba7ea241d8d3ef5 20b53e3b24ddafb4 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f 112eab97ba911216 c808474cee4e1dc5 112eab97ba911216 c73be87c13518249 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f 112eab97ba911216 c808474cee4e1dc5 68379a0c13f990a4 922626a95c6882b3
Determining the Token Construct The only variable blocks are the last two (possibly a “last accessed” timestamp or similar timeout mechanism) Register a new account with a username of ‘c’ x 32, the maximum length permitted, and observe the value of the EE cookie – Note: ‘c’ x 32 is Perl notation for “cccccccccccccccccccccccccccccccc” – this syntax will be used throughout this case study dd73f765d6753fc0 1941f7f757f1ad49 1941f7f757f1ad49 1941f7f757f1ad49 294e437e2c142217 7da37ce1b09f2c9e 23945baf6847e94f 1ae0e1f8f4ba4c61 b893a5d48de9826c 0afc64f82d4b4a5d 11a9ec13975ae99b The token is longer, meaning the username is probably stored in the cookie The repetition of the cipher-text blocks mirrors the repeated ‘c’ characters in the plaintext of the username
Determining the Token Construct Register another account with a username of ‘c’ x 16, and compare to the EE cookie generated in the previous step ‘c’ x 16 dd73f765d6753fc0 1941f7f757f1ad49 294e437e2c142217 7da37ce1b09f2c9e 23945baf6847e94f 2e62dc893303ec04 b893a5d48de9826c 03f261d8fd58bd87 11a9ec13975ae99b
Determining the Token Construct Register another account with a username of ‘c’ x 16, and compare to the EE cookie generated in the previous step ‘c’ x 16 dd73f765d6753fc0 1941f7f757f1ad49 294e437e2c142217 7da37ce1b09f2c9e 23945baf6847e94f 2e62dc893303ec04 b893a5d48de9826c 03f261d8fd58bd87 11a9ec13975ae99b This must be the ‘c’ x 32 encrypted form of ‘c’x8 dd73f765d6753fc0 1941f7f757f1ad49 1941f7f757f1ad49 1941f7f757f1ad49 294e437e2c142217 7da37ce1b09f2c9e 23945baf6847e94f 1ae0e1f8f4ba4c61 b893a5d48de9826c 0afc64f82d4b4a5d 11a9ec13975ae99b Why don’t we see two identical blocks for ‘c’ x 16 and four identical blocks for ‘c’ x 32? Padding! The username doesn’t align perfectly with the block boundaries – so where does it actually start?
Determining the Offset Location We want to figure out at what position in the cookie the username is located Additional user accounts were created with specific usernames in order to determine if there is any initial padding in the first block ccccccccccc dd73f765d6753fc0 b3671231259e657c 6d82dbfc2a54ced6 f2e835ed7d538576 b3089a21999468a9 29649aa77b9a5f17 aceab4efb11f7739 b1e6e08fb2288c2f cccccdddddd 197555b290c6a351 ba0dd4bd91dc2296 7da37ce1b09f2c9e 23945baf6847e94f 44de41ae0fec32a9 b893a5d48de9826c 3b47c51eeb93002a 11a9ec13975ae99b ccccccddddd dd73f765d6753fc0 ba0dd4bd91dc2296 7da37ce1b09f2c9e 23945baf6847e94f 44de41ae0fec32a9 b893a5d48de9826c f4cab32b1390799f 11a9ec13975ae99b
Determining the Offset Location We want to figure out at what position in the cookie the username is located Additional user accounts were created with specific usernames in order to determine if there is any initial padding in the first block ? ? c c c c c c c c c c c ... dd73f765d6753fc0 b3671231259e657c 6d82dbfc2a54ced6 f2e835ed7d538576 b3089a21999468a9 29649aa77b9a5f17 aceab4efb11f7739 b1e6e08fb2288c2f ? ? c c c c c d d d d d d ... 197555b290c6a351 ba0dd4bd91dc2296 7da37ce1b09f2c9e 23945baf6847e94f 44de41ae0fec32a9 b893a5d48de9826c 3b47c51eeb93002a 11a9ec13975ae99b ? ? c c c c c c d d d d d ... dd73f765d6753fc0 ba0dd4bd91dc2296 7da37ce1b09f2c9e 23945baf6847e94f 44de41ae0fec32a9 b893a5d48de9826c f4cab32b1390799f 11a9ec13975ae99b
Carrying Out the Impersonation Attack We know, via a separate user enumeration vulnerability in the application, that a user called ‘siteadmin’ exists To impersonate this user, we need to obtain the valid cipher-text blocks ? ? s i t e a d m i n ... xxxxxxxxxxxxxxxx yyyyyyyyyyyyyyyy zzzzzzzzzzzzzzzz ... So we register one user called ‘sitead11’ and another called ‘111111min’ and extract the cipher-text we need ? ? s i t e a d 1 1 ... 7e7efe1d694e66e8 0c7f1fde08ac0eed 7da37ce1b09f2c9e 23945baf6847e94f af904fcefe28814e b893a5d48de9826c 334ebd58bd579cc7 11a9ec13975ae99b ? ? 1 1 1 1 1 1 m i n ... 2b9eccd28b963000 7ede3268478cde61 7da37ce1b09f2c9e 23945baf6847e94f af904fcefe28814e b893a5d48de9826c dbb938a969645aec 11a9ec13975ae99b
Carrying Out the Impersonation Attack Now we can impersonate the ‘siteadmin’ user! ... s i t e a d 1 1 ... 7e7efe1d694e66e8 0c7f1fde08ac0eed 7da37ce1b09f2c9e 23945baf6847e94f af904fcefe28814e b893a5d48de9826c 334ebd58bd579cc7 11a9ec13975ae99b ... 1 1 1 1 1 1 m i n ... 2b9eccd28b963000 7ede3268478cde61 7da37ce1b09f2c9e 23945baf6847e94f af904fcefe28814e b893a5d48de9826c dbb938a969645aec 11a9ec13975ae99b ... s i t e a d m i n ... 7e7efe1d694e66e8 7ede3268478cde61 7da37ce1b09f2c9e 23945baf6847e94f af904fcefe28814e b893a5d48de9826c dbb938a969645aec 11a9ec13975ae99b
Recap We were able to successfully subvert the authentication mechanism without any knowledge of the algorithm or the key, based solely on observed patterns in the ciphertext The root cause of the vulnerability was the insecure cipher mode and the lack of a verification mechanism (not to mention poor design) ECB mode should not be used – Use CBC instead – CBC prevents the same block of plain-text from producing the same block of cipher-text – CBC also deters the ad-hoc substitution of inline blocks
Case Study: Stream Cipher
Context A public-facing multi-tenant web application for a major financial services company Allowed customers to manage their accounts and conduct transactions Aggressively utilized encryption for URL parameters
Crypto Example: What Am I Looking At? Token values observed in URLs – Changed every time we logged on to the application – Never the same for any two sessions or any two users Stmt=Ct9X4RWkQZ2L1vmKYd70D2gnCKN7y1PqgUuOytUYW/X3u1qk0xh8HyE= Stmt=Ct9X4RWkQZ2K0f6Pa9X2Cm4gCKN7y1PqgUuOytUYW/Xxu1qk0wVYO1w= Stmt=Ct9X4RWkQZ2L1vmKYd71CG0iCKJ4wl3igUuFyd0YWPH3u1qk0zB/Nwg= Stmt=Ct9X4RWkQZ2K0f6Pa9X2CGgmCKFwy1frgUuHytwYWPDyu1qk0w0jZxE= Stmt=Ct9X4RWkQZ2K0f6Pa9X2CWgjCKFxy1fqgUuHyNoYWPP7u1qk029kMC4= Stmt=Ct9X4RWkQZ2K0f6Pa9X3BG8mCKB7zlTjgUyAyNQYWPLxu1qk03N9EDg= Stmt=Ct9X4RWkQZ2L1vmKYd72D28kCKZwzlfvgU2Azd8YUfW+9lujrTZ4Dw== Stmt=Ct9X4RWkQZ2L1vmKYd73DmIpCKZ6wlGmzEiDy5BWWrrz91ykrSVk . . File=eNU81UH7AKLZiLnbILCEUjd8G/oVqgWjnhfTmocX Ctxt=CN9RqBTrIITOlaLQM4DndDR3G+ . . (at least seven other tokens in a similar format)
Crypto Example: What Am I Looking At? Base64-decoded values for several different “Stmt” tokens Statement #7044323226 0adf57e115a4419d8bd6f98a61def40f682708a37bcb53ea814b8ecad5... Statement #6731991741 0adf57e115a4419d8ad1fe8f6bd5f60a6e2008a37bcb53ea814b8ecad5... Statement #7044322573 0adf57e115a4419d8bd6f98a61def5086d2208a278c25de2814b85c9dd... Statement #6731991527 0adf57e115a4419d8ad1fe8f6bd5f608682608a170cb57eb814b87cadc... Statement #6731991422 0adf57e115a4419d8ad1fe8f6bd5f609682308a171cb57ea814b87c8da... Statement #6731990957 0adf57e115a4419d8ad1fe8f6bd5f7046f2608a07bce54e3814c80c8d4... Statement #7044321255 0adf57e115a4419d8bd6f98a61def60f6f2408a670ce57ef814d80cddf... Statement #7044320388 0adf57e115a4419d8bd6f98a61def70e622908a67ac251a6cc4883cb90...
Detecting Patterns Looked for correlations between statement number and cipher-text 7044323226 704432 0adf57e115a4419d8bd6f98a61de 8bd6f98a61def40f682708a37bcb53ea814b8ecad5... 6731991741 673199 0adf57e115a4419d8ad1fe8f6bd5 8ad1fe8f6bd5f60a6e2008a37bcb53ea814b8ecad5... 7044322573 704432 0adf57e115a4419d8bd6f98a61de 8bd6f98a61def5086d2208a278c25de2814b85c9dd... 6731991527 673199 0adf57e115a4419d8ad1fe8f6bd5 8ad1fe8f6bd5f608682608a170cb57eb814b87cadc... 6731991422 673199 0adf57e115a4419d8ad1fe8f6bd5 8ad1fe8f6bd5f609682308a171cb57ea814b87c8da... 6731990957 673199 0adf57e115a4419d8ad1fe8f6bd5 8ad1fe8f6bd5f7046f2608a07bce54e3814c80c8d4... 7044321255 704432 0adf57e115a4419d8bd6f98a61de 8bd6f98a61def60f6f2408a670ce57ef814d80cddf... 7044320388 704432 0adf57e115a4419d8bd6f98a61de 8bd6f98a61def70e622908a67ac251a6cc4883cb90...
Detecting Patterns Conclusion: It looks like a stream cipher 7044323226 2 0adf57e115a4419d8bd6f98a61def40f68 682708a37bcb53ea814b8ecad5... 6731991741 1 0adf57e115a4419d8ad1fe8f6bd5f6 f60a6e2008a37bcb53ea814b8ecad5... 7044322573 5 0adf57e115a4419d8bd6f98a61def508 086d2208a278c25de2814b85c9dd... 6731991527 1 0adf57e115a4419d8ad1fe8f6bd5f608682608a170cb57eb814b87cadc... f6086826 6731991422 1 2 0adf57e115a4419d8ad1fe8f6bd5f6 682308a171cb57ea814b87c8da... f60968 6731990957 0 5 0adf57e115a4419d8ad1fe8f6bd5f7 6f26 f7046f2608a07bce54e3814c80c8d4... 7044321255 1 5 0adf57e115a4419d8bd6f98a61def6 6f2408a670ce57ef814d80cddf... f60f6f 7044320388 0 0adf57e115a4419d8bd6f98a61def7 f70e622908a67ac251a6cc4883cb90...
Deriving Part of the Keystream Use XOR to calculate 10 bytes of the keystream based on the known plain-text (i.e. the statement number) 7044322573 0adf57e115a4419d8bd6f98a61def5086d22 8bd6f98a61def5086d2208a278c25de2814b85c9dd1858f1... XOR 37303434333232353733 7 0 4 4 3 2 2 5 7 3 = bce6cdbe52ecc73d5a11 Partial keystream? bce6cdbe52ecc73d5a11 6731991422 XOR 0adf57e115a4419d8ad1fe8f6bd5f6096823 8ad1fe8f6bd5f609682308a171cb57ea814b87c8da1858f3... = 36373331393931343232 6 7 3 1 9 9 1 4 2 2 Checks out!
Deriving More of the Keystream Now try the same thing against one of the other collected tokens, such as the one called “Ctxt” Ctxt= 08df51a814eb2084ce95a2d03380e7743477 ce95a2d03380e77434771be6249b10b39211cad7c24b2194... XOR bce6cdbe52ecc73d5a11 = Known key material 72736f6e616c20496e66 r s o n a l I n f Ctxt= 08df51a814eb2084 2084ce95a2d03380e77434771be6249b10b39211 1be6249b10b39211cad7c24b2194... XOR 506572736f6e616c20496e666f726d6174696f6e 5065 6f726d6174696f6e P e r s o n a l I n f o r m a t i o n = 70e1bce6cdbe52ecc73d5a11749449fa64dafd7f 70e1 749449fa64dafd7f More keystream!
Lather, Rinse, Repeat Now try the same thing against one of the other collected tokens, such as the one called “File” File= 78d53cd541fb00a2d988b9db20b08452377c1bfa15aa05a39e17 00a2d988b9db20b08452377c1bfa15aa05a39e17d39a871769c6... XOR 70e1bce6cdbe52ecc73d5a11749449fa64dafd7f = Known key material 7043656e7465725c436f6d6d6f6e5c5061796368 p C e n t e r C o m m o n P a y c h File= 78d53cd541fb d541fb00a2d988b9db20b08452377c1bfa15aa05a39e17d39a8717 d39a871769c6... XOR 48656c7043656e7465725c436f6d6d6f6e5c506179636865636b73 48656c 65636b73 H e l p C e n t e r C o m m o n P a y c h e c k s = 9d249770e1bce6cdbe52ecc73d5a11749449fa64dafd7fb6f9ec64 9d2497 b6f9ec64 More keystream!
Token Poisoning Attempt Through this iterative process, we can obtain the entire keystream (or rather, a sufficient amount of the keystream to encrypt and decrypt all of the cipher-text we encounter) Fully decrypted “Stmt” tokens contain the following data: 107|131|7044336068|324070|20897|1161|107SWEL 107|131|7044335527|305353|20238|1101|107RyQC 107|131|7044334802|288149|19607|1041|107l7nS 107|131|7044333801|278718|19363|981|1070VN+ 107|131|7044333131|258265|17041|882|107HmoE So now, we can replace the statement number with another valid statement number, and view the contents… right? 107|131|1234567890 1234567890|324070|20897|1161|107SWEL 107|131|7044336068|324070|20897|1161|107SWEL
Integrity Checking (Not Really) The application appears to be performing some sort of integrity check on the token content 107|131|7044336068|324070|20897|1161|107SWEL SWEL (49 61 0b) 107|131|7044335527|305353|20238|1101|107RyQC RyQC (47 24 02) 107|131|7044334802|288149|19607|1041|107l7nS l7nS (97 b9 ec) 107|131|7044333801|278718|19363|981|1070VN+ 107|131|7044333801|278718|19363|981|1070VN+ 0VN+ (d1 53 7e) 107|131|7044333131|258265|17041|882|107HmoE HmoE (1e 6a 04) Four Base64 encoded characters appended to the end of each token equate to three decoded bytes, or 24 bits This turned out to be a standard CRC-24 algorithm, for which reference code was quickly found via a Google search – Cyclic Redundancy Checksums (CRCs) are used to detect errors in the transmission and storage of data
Step By Step: Building Tokens From Scratch Generate the desired plain-text of the token, or manipulate an existing token Calculate the CRC-24 of the plain-text and append it (in Base64 encoded form) to the end of the token Encrypt the token by performing an XOR of the plain-text with the recovered keystream Base64 encode the encrypted token
Recap Once again, we were able to successfully subvert the encryption mechanism without any knowledge of the algorithm or the key, based solely on observed patterns in the ciphertext It turned out, after talking to the development team, that they were using RC4, with a unique key generated for each user session The root cause of the vulnerability is the re-use of the keystream combined with the lack of an integrity check – Stream cipher keystream should not be used to encrypt multiple plaintexts – Integrity checking should be performed via a keyed HMAC or similar algorithm that cannot be easily reproduced using reference code
Q&A
Contact Chris Eng Sr. Director, Security Research Veracode, Inc. ceng@veracode.com

Empfohlen

Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Jeff Williams
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case studyAntonio Fontes
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
アプリの鍵が消える時_Droid kaigi2018
アプリの鍵が消える時_Droid kaigi2018アプリの鍵が消える時_Droid kaigi2018
アプリの鍵が消える時_Droid kaigi2018ak_shio_555
 
Containerizing your Security Operations Center
Containerizing your Security Operations CenterContainerizing your Security Operations Center
Containerizing your Security Operations CenterJimmy Mesta
 
Content security policy
Content security policyContent security policy
Content security policyRonan Dunne, CEH, SSCP
 
DevSecOps
DevSecOpsDevSecOps
DevSecOpsSpv Reddy
 

Empfohlen

Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Continuous Application Security at Scale with IAST and RASP -- Transforming D...
Continuous Application Security at Scale with IAST and RASP -- Transforming D...Jeff Williams
 
OWASP API Security Top 10 - API World
OWASP API Security Top 10 - API WorldOWASP API Security Top 10 - API World
OWASP API Security Top 10 - API World42Crunch
 
Threat modeling web application: a case study
Threat modeling web application: a case studyThreat modeling web application: a case study
Threat modeling web application: a case studyAntonio Fontes
 
OWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesOWASP AppSecCali 2015 - Marshalling Pickles
OWASP AppSecCali 2015 - Marshalling PicklesChristopher Frohoff
 
アプリの鍵が消える時_Droid kaigi2018
アプリの鍵が消える時_Droid kaigi2018アプリの鍵が消える時_Droid kaigi2018
アプリの鍵が消える時_Droid kaigi2018ak_shio_555
 
Containerizing your Security Operations Center
Containerizing your Security Operations CenterContainerizing your Security Operations Center
Containerizing your Security Operations CenterJimmy Mesta
 
Content security policy
Content security policyContent security policy
Content security policyRonan Dunne, CEH, SSCP
 
DevSecOps
DevSecOpsDevSecOps
DevSecOpsSpv Reddy
 
OWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkOWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkChaitanya Bhatt
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?Sam Thomas
 
Serf / Consul 入門 ~仕事を楽しくしよう~
Serf / Consul 入門 ~仕事を楽しくしよう~Serf / Consul 入門 ~仕事を楽しくしよう~
Serf / Consul 入門 ~仕事を楽しくしよう~Masahito Zembutsu
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentestingn|u - The Open Security Community
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...Abhay Bhargav
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Internet Week 2018:D2-3 丸ごと分かるペネトレーションテストの今
Internet Week 2018:D2-3 丸ごと分かるペネトレーションテストの今Internet Week 2018:D2-3 丸ごと分かるペネトレーションテストの今
Internet Week 2018:D2-3 丸ごと分かるペネトレーションテストの今Tomohisa Ishikawa, CISSP, CSSLP, CISA, CISM, CFE
 
Security: The Value of SBOMs
Security: The Value of SBOMsSecurity: The Value of SBOMs
Security: The Value of SBOMsWeaveworks
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...idsecconf
 
FIDO and the Future of User Authentication
FIDO and the Future of User AuthenticationFIDO and the Future of User Authentication
FIDO and the Future of User AuthenticationFIDO Alliance
 
Radare2 - An Introduction by Anto Joseph
Radare2 - An Introduction by Anto JosephRadare2 - An Introduction by Anto Joseph
Radare2 - An Introduction by Anto JosephAnthony Jose
 
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...CODE BLUE
 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP
 
Cilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFCilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFThomas Graf
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdfFarouk2nd
 
CVSS
CVSSCVSS
CVSSChristian Heinrich
 
CA_Module_1.pptx
CA_Module_1.pptxCA_Module_1.pptx
CA_Module_1.pptxYazanSalileh
 
Encryption
EncryptionEncryption
Encryptionkeith dias
 
Topic21 Elect. Codebook, Cipher Block Chaining.pptx
Topic21 Elect. Codebook, Cipher Block Chaining.pptxTopic21 Elect. Codebook, Cipher Block Chaining.pptx
Topic21 Elect. Codebook, Cipher Block Chaining.pptxShimoFcis
 

Weitere ähnliche Inhalte

Was ist angesagt?

OWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkOWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkChaitanya Bhatt
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?Sam Thomas
 
Serf / Consul 入門 ~仕事を楽しくしよう~
Serf / Consul 入門 ~仕事を楽しくしよう~Serf / Consul 入門 ~仕事を楽しくしよう~
Serf / Consul 入門 ~仕事を楽しくしよう~Masahito Zembutsu
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onSplunk
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewMichael Furman
 
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...Abhay Bhargav
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Security: The Value of SBOMs
Security: The Value of SBOMsSecurity: The Value of SBOMs
Security: The Value of SBOMsWeaveworks
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...idsecconf
 
FIDO and the Future of User Authentication
FIDO and the Future of User AuthenticationFIDO and the Future of User Authentication
FIDO and the Future of User AuthenticationFIDO Alliance
 
Radare2 - An Introduction by Anto Joseph
Radare2 - An Introduction by Anto JosephRadare2 - An Introduction by Anto Joseph
Radare2 - An Introduction by Anto JosephAnthony Jose
 
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...CODE BLUE
 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP
 
Cilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFCilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFThomas Graf
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdfFarouk2nd
 

Was ist angesagt? (20)

OWASP based Threat Modeling Framework
OWASP based Threat Modeling FrameworkOWASP based Threat Modeling Framework
OWASP based Threat Modeling Framework
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?PHP unserialization vulnerabilities: What are we missing?
PHP unserialization vulnerabilities: What are we missing?
 
Serf / Consul 入門 ~仕事を楽しくしよう~
Serf / Consul 入門 ~仕事を楽しくしよう~Serf / Consul 入門 ~仕事を楽しくしよう~
Serf / Consul 入門 ~仕事を楽しくしよう~
 
iOS Application Pentesting
iOS Application PentestingiOS Application Pentesting
iOS Application Pentesting
 
Threat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-onThreat Hunting with Splunk Hands-on
Threat Hunting with Splunk Hands-on
 
OWASP Top 10 2021 What's New
OWASP Top 10 2021 What's NewOWASP Top 10 2021 What's New
OWASP Top 10 2021 What's New
 
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
 
Internet Week 2018:D2-3 丸ごと分かるペネトレーションテストの今
Internet Week 2018:D2-3 丸ごと分かるペネトレーションテストの今Internet Week 2018:D2-3 丸ごと分かるペネトレーションテストの今
Internet Week 2018:D2-3 丸ごと分かるペネトレーションテストの今
 
Security: The Value of SBOMs
Security: The Value of SBOMsSecurity: The Value of SBOMs
Security: The Value of SBOMs
 
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
Vm escape: case study virtualbox bug hunting and exploitation - Muhammad Alif...
 
FIDO and the Future of User Authentication
FIDO and the Future of User AuthenticationFIDO and the Future of User Authentication
FIDO and the Future of User Authentication
 
Radare2 - An Introduction by Anto Joseph
Radare2 - An Introduction by Anto JosephRadare2 - An Introduction by Anto Joseph
Radare2 - An Introduction by Anto Joseph
 
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...
 
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologiesOWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
OWASP Poland Day 2018 - Frans Rosen - Attacking modern web technologies
 
Cilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFCilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPF
 
Bypass_AV-EDR.pdf
Bypass_AV-EDR.pdfBypass_AV-EDR.pdf
Bypass_AV-EDR.pdf
 
CVSS
CVSSCVSS
CVSS
 
CA_Module_1.pptx
CA_Module_1.pptxCA_Module_1.pptx
CA_Module_1.pptx
 

Ähnlich wie Cryptography techniques for penetration testers

Topic21 Elect. Codebook, Cipher Block Chaining.pptx
Topic21 Elect. Codebook, Cipher Block Chaining.pptxTopic21 Elect. Codebook, Cipher Block Chaining.pptx
Topic21 Elect. Codebook, Cipher Block Chaining.pptxShimoFcis
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation harshit chavda
 
block ciphermodes of operation.pptx
block ciphermodes of operation.pptxblock ciphermodes of operation.pptx
block ciphermodes of operation.pptxDEEPAK948083
 
THE UNIFIED OPERATION STRUCTURE FOR SYMMETRIC-KEY ALGORITHM
THE UNIFIED OPERATION STRUCTURE FOR SYMMETRIC-KEY ALGORITHMTHE UNIFIED OPERATION STRUCTURE FOR SYMMETRIC-KEY ALGORITHM
THE UNIFIED OPERATION STRUCTURE FOR SYMMETRIC-KEY ALGORITHMcscpconf
 
Information System Security.pptx
Information System Security.pptxInformation System Security.pptx
Information System Security.pptxGIT
 
Cryptography in Blockchain
Cryptography in BlockchainCryptography in Blockchain
Cryptography in BlockchainEC-Council
 
DATA SECURITY WITH AES ENCRYPTION, ELLIPTIC CURVE ENCRYPTION AND SIGNATURE
DATA SECURITY WITH AES ENCRYPTION, ELLIPTIC CURVE ENCRYPTION AND SIGNATURE DATA SECURITY WITH AES ENCRYPTION, ELLIPTIC CURVE ENCRYPTION AND SIGNATURE
DATA SECURITY WITH AES ENCRYPTION, ELLIPTIC CURVE ENCRYPTION AND SIGNATURE Mohammed Abdul Lateef
 
Data Encryption Standard (DES)
Data Encryption Standard (DES)Data Encryption Standard (DES)
Data Encryption Standard (DES)Haris Ahmed
 
CISSP Certification Security Engineering-Part2
CISSP Certification Security Engineering-Part2CISSP Certification Security Engineering-Part2
CISSP Certification Security Engineering-Part2Hamed Moghaddam
 
Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...Mazin Alwaaly
 
A Novel Structure with Dynamic Operation Mode for Symmetric-Key Block Ciphers
A Novel Structure with Dynamic Operation Mode for Symmetric-Key Block CiphersA Novel Structure with Dynamic Operation Mode for Symmetric-Key Block Ciphers
A Novel Structure with Dynamic Operation Mode for Symmetric-Key Block CiphersIJNSA Journal
 
Comparative Analysis of Cryptographic Algorithms and Advanced Cryptographic A...
Comparative Analysis of Cryptographic Algorithms and Advanced Cryptographic A...Comparative Analysis of Cryptographic Algorithms and Advanced Cryptographic A...
Comparative Analysis of Cryptographic Algorithms and Advanced Cryptographic A...editor1knowledgecuddle
 
Secured algorithm for gsm encryption & decryption
Secured algorithm for gsm encryption & decryptionSecured algorithm for gsm encryption & decryption
Secured algorithm for gsm encryption & decryptionTharindu Weerasinghe
 
Block cipher modes of operations
Block cipher modes of operationsBlock cipher modes of operations
Block cipher modes of operationsAkashRanjandas1
 
Information and data security block cipher operation
Information and data security block cipher operationInformation and data security block cipher operation
Information and data security block cipher operationMazin Alwaaly
 
Different date block size using to evaluate the performance between different...
Different date block size using to evaluate the performance between different...Different date block size using to evaluate the performance between different...
Different date block size using to evaluate the performance between different...IJCNCJournal
 
Information and network security 18 modern techniques block ciphers
Information and network security 18 modern techniques block ciphersInformation and network security 18 modern techniques block ciphers
Information and network security 18 modern techniques block ciphersVaibhav Khanna
 

Ähnlich wie Cryptography techniques for penetration testers (20)

Encryption
EncryptionEncryption
Encryption
 
Topic21 Elect. Codebook, Cipher Block Chaining.pptx
Topic21 Elect. Codebook, Cipher Block Chaining.pptxTopic21 Elect. Codebook, Cipher Block Chaining.pptx
Topic21 Elect. Codebook, Cipher Block Chaining.pptx
 
Block cipher modes of operation
Block cipher modes of operation Block cipher modes of operation
Block cipher modes of operation
 
block ciphermodes of operation.pptx
block ciphermodes of operation.pptxblock ciphermodes of operation.pptx
block ciphermodes of operation.pptx
 
THE UNIFIED OPERATION STRUCTURE FOR SYMMETRIC-KEY ALGORITHM
THE UNIFIED OPERATION STRUCTURE FOR SYMMETRIC-KEY ALGORITHMTHE UNIFIED OPERATION STRUCTURE FOR SYMMETRIC-KEY ALGORITHM
THE UNIFIED OPERATION STRUCTURE FOR SYMMETRIC-KEY ALGORITHM
 
Information System Security.pptx
Information System Security.pptxInformation System Security.pptx
Information System Security.pptx
 
Cryptography in Blockchain
Cryptography in BlockchainCryptography in Blockchain
Cryptography in Blockchain
 
Block Ciphers Modes of Operation
Block Ciphers Modes of OperationBlock Ciphers Modes of Operation
Block Ciphers Modes of Operation
 
DATA SECURITY WITH AES ENCRYPTION, ELLIPTIC CURVE ENCRYPTION AND SIGNATURE
DATA SECURITY WITH AES ENCRYPTION, ELLIPTIC CURVE ENCRYPTION AND SIGNATURE DATA SECURITY WITH AES ENCRYPTION, ELLIPTIC CURVE ENCRYPTION AND SIGNATURE
DATA SECURITY WITH AES ENCRYPTION, ELLIPTIC CURVE ENCRYPTION AND SIGNATURE
 
Data Encryption Standard (DES)
Data Encryption Standard (DES)Data Encryption Standard (DES)
Data Encryption Standard (DES)
 
DEC algorithm
DEC algorithmDEC algorithm
DEC algorithm
 
CISSP Certification Security Engineering-Part2
CISSP Certification Security Engineering-Part2CISSP Certification Security Engineering-Part2
CISSP Certification Security Engineering-Part2
 
Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...Information and data security block cipher and the data encryption standard (...
Information and data security block cipher and the data encryption standard (...
 
A Novel Structure with Dynamic Operation Mode for Symmetric-Key Block Ciphers
A Novel Structure with Dynamic Operation Mode for Symmetric-Key Block CiphersA Novel Structure with Dynamic Operation Mode for Symmetric-Key Block Ciphers
A Novel Structure with Dynamic Operation Mode for Symmetric-Key Block Ciphers
 
Comparative Analysis of Cryptographic Algorithms and Advanced Cryptographic A...
Comparative Analysis of Cryptographic Algorithms and Advanced Cryptographic A...Comparative Analysis of Cryptographic Algorithms and Advanced Cryptographic A...
Comparative Analysis of Cryptographic Algorithms and Advanced Cryptographic A...
 
Secured algorithm for gsm encryption & decryption
Secured algorithm for gsm encryption & decryptionSecured algorithm for gsm encryption & decryption
Secured algorithm for gsm encryption & decryption
 
Block cipher modes of operations
Block cipher modes of operationsBlock cipher modes of operations
Block cipher modes of operations
 
Information and data security block cipher operation
Information and data security block cipher operationInformation and data security block cipher operation
Information and data security block cipher operation
 
Different date block size using to evaluate the performance between different...
Different date block size using to evaluate the performance between different...Different date block size using to evaluate the performance between different...
Different date block size using to evaluate the performance between different...
 
Information and network security 18 modern techniques block ciphers
Information and network security 18 modern techniques block ciphersInformation and network security 18 modern techniques block ciphers
Information and network security 18 modern techniques block ciphers
 

Kürzlich hochgeladen

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 

Kürzlich hochgeladen (20)

Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 

Cryptography techniques for penetration testers

  • 2. Intro – Chris Eng Senior Director of Security Research at Veracode Previously: – 2004-2006: Symantec (via acquisition) – 2000-2004: @stake – 1998-2000: National Security Agency
  • 3. Contents Overview Crypto Background Analysis Techniques Case Studies
  • 5. The Premise How much do you really have to know about cryptography in order to detect and exploit crypto weaknesses in web applications?
  • 6. Goals Learn basic techniques for identifying and analyzing cryptographic data Learn black-box heuristics for recognizing weak cryptographic implementations Apply techniques to real-world penetration tests
  • 7. Caveats This talk is best suited for penetration testers, but should be enlightening for developers too Assumes familiarity with HTTP and common character encoding mechanisms (e.g. Base64) Assumes basic understanding of cryptographic terms but requires no understanding of the underlying mathematics Case studies are from real-world applications but the actual data has been sanitized
  • 8. The Crypto That Matters, In 6 Short Slides
  • 9. Types of Ciphers Block Cipher – Operates on fixed-length groups of bits, called blocks – Block sizes vary depending on the algorithm (most algorithms support several different block sizes) – Several different modes of operation for encrypting messages longer than the basic block size – Example ciphers: DES, Triple DES, Blowfish, AES Stream Cipher – Operates on plaintext one bit at a time – A keystream is generated independently of the message data, then combined with the plaintext (to encrypt) or ciphertext (to decrypt) – Example ciphers: RC4, ORYX, SEAL
  • 10. Block Ciphers: Electronic Code Book (ECB) Mode Fixed-size blocks of plaintext are encrypted independently Each plaintext block is substituted with ciphertext block, like a codebook Weaknesses – Structure in plaintext is reflected in ciphertext – Ciphertext blocks can be modified without detection Plaintext K Enc K Enc K Enc K Enc K Enc Ciphertext
  • 11. Block Ciphers: Cipher Block Chaining (CBC) Mode Each block of plaintext is XORed with the previous ciphertext block before being encrypted Change of message affects all following ciphertext blocks Initialization Vector (IV) is used to encrypt first block Plaintext IV K Enc K Enc K Enc K Enc K Enc Ciphertext
  • 12. Block Cipher Modes Illustrated Original ECB CBC Source: Wikipedia, “Block cipher modes of operation”
  • 13. Stream Ciphers Plaintext message is processed byte by byte (as a stream) Key scheduler algorithm generates a keystream using a key and an Initialization Vector (IV) combined (XOR) with plaintext bit by bit Encrypt by XORing plaintext with the generated keystream Decrypt by XORing ciphertext with the same keystream Plaintext IV Key Scheduler K Ciphertext
  • 14. Common Cryptography Mistakes Insecure cipher mode (usually ECB) – Will be illustrated in case study #1 Inappropriate key reuse – Will be illustrated in case study #2 Poor key selection Insufficient key length Insecure random number generation Proprietary or home-grown encryption algorithms – Seriously… don’t do this under any circumstances, EVER
  • 16. Dealing With Gibberish Data What do you do when you are pen testing a web application and you encounter data that is not easy to interpret? – Cookies – Hidden fields – Query string parameters – POST parameters – etc. How can you tell if that data is encrypted or trivially encoded? – Obviously check for common encodings first (Base64, hex)
  • 17. Test For Randomness How random is it? – Output of cryptographic algorithms should be evenly distributed, given a sufficiently large sample size – Tools such as ENT (http://www.fourmilab.ch/random) will calculate entropy per byte, chi-square distribution, arithmetic mean, serial correlation, etc. C:Documents and SettingscengDesktop>ent sha1.c Entropy = 4.761198 bits per byte. Arithmetic mean value of data bytes is 69.2602 (127.5 = random). Serial correlation coefficient is 0.385237 (totally uncorrelated = 0.0). C:Documents and SettingscengDesktop>ent sha1.c.pgp Entropy = 7.892304 bits per byte. Arithmetic mean value of data bytes is 123.4868 (127.5 = random). Serial correlation coefficient is -0.039927 (totally uncorrelated = 0.0).
  • 18. Observe Characteristics Is the length a multiple of a common block size? – Indicates that the application may be using a block cipher Is the length the same as a known hash algorithm? – For example, MD5 is usually represented as 32 hex characters – May also indicate the presence of an HMAC – Still may be worthwhile to hash various permutations of known data in case a simple unkeyed hash is being used, e.g. PasswordCookie = MD5(password)
  • 19. Stimulus, Response Does the length of the token change based on the length of some value that you can supply? Username Token For a block cipher, you can determine the block size by incrementing input one byte at a time and observing when the encrypted output length jumps by multiple bytes (i.e. the block size) Username Token
  • 20. Stimulus, Response How does the token change in response to user-supplied data? – Figure out how changing different parts of the input affects the output – Is more than one block affected by a single character change in the input? Username Password Token
  • 21. Deeper Block Cipher Inspection Are there any blocks of data that seem to repeat in the same token or over multiple tokens? – Possibly ECB mode, this doesn’t just happen by coincidence – Determine block size and try modifying single ciphertext blocks or swapping blocks between messages Do multiple tokens begin with the same block or series of blocks but then diverge? – Possibly CBC mode with a static IV – Remember, swapping ciphertext blocks is not possible because changing one block affects subsequent blocks
  • 23. Context A public-facing web portal for a large ISP (?) – can’t remember exactly Allowed subscribers to manage their accounts, check e-mail, etc. Used an encrypted cookie to track user identity
  • 24. Fetch of “My Account” Page This is the cookie used for authentication GET /jsp/showMyAcct.jsp HTTP/1.0 Cookie: EM=Zm9vQHN5bWFudGVjLmNvbQ==; EE=dIjymAw4v/tdIF+0dDPDKIRJfovQEYEftkiSKT8SUMYOxkt9oTzoJ7ZIkik/ElDGk1AW4Q 2zd4M= Host: the.vulnerable.site User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1 Accept: text/css,*/*;q=0.1 Accept-Language: en-us,en;q=0.7,ja;q=0.3 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: close
  • 25. EE Cookie Is Re-Issued on Each Request EE=dIjymAw4v/tdIF+0dDPDKIRJfovQEYEftkiSKT8SUMYOxkt9oTzoJ7ZIkik/ElDGk1AW4Q2z d4M=; EE=dIjymAw4v/tdIF+0dDPDKIRJfovQEYEftkiSKT8SUMYOxkt9oTzoJzy7GW2GoU8aWteZ03Yh Z/8=; EE=dIjymAw4v/tdIF+0dDPDKIRJfovQEYEftkiSKT8SUMYOxkt9oTzoJzy7GW2GoU8aWteZ03Yh Z/8=; EE=dIjymAw4v/tdIF+0dDPDKIRJfovQEYEftkiSKT8SUMYOxkt9oTzoJ2un6iQdjT71hwonLp2O S84=; EE=dIjymAw4v/tdIF+0dDPDKIRJfovQEYEftkiSKT8SUMYOxkt9oTzoJ2un6iQdjT71hwonLp2O S84=; EE=dIjymAw4v/tdIF+0dDPDKIRJfovQEYEftkiSKT8SUMYOxkt9oTzoJ2un6iQdjT71ILU+OyTd r7Q=; EE=dIjymAw4v/tdIF+0dDPDKIRJfovQEYEfES6rl7qREhbICEdM7k4dxREuq5e6kRIWxzvofBNR gkk=; EE=dIjymAw4v/tdIF+0dDPDKIRJfovQEYEfES6rl7qREhbICEdM7k4dxWg3mgwT+ZCkkiYmqVxo grM=;
  • 26. Base64 Decoded EE Cookies 7488f2980c38bffb5d205fb47433c32884497e8bd011811fb64892293f1250c60ec64b7da13 ce827b64892293f1250c6935016e10db37783 7488f2980c38bffb5d205fb47433c32884497e8bd011811fb64892293f1250c60ec64b7da13 ce8273cbb196d86a14f1a5ad799d3762167ff 7488f2980c38bffb5d205fb47433c32884497e8bd011811fb64892293f1250c60ec64b7da13 ce8273cbb196d86a14f1a5ad799d3762167ff 7488f2980c38bffb5d205fb47433c32884497e8bd011811fb64892293f1250c60ec64b7da13 ce8276ba7ea241d8d3ef5870a272e9d8e4bce 7488f2980c38bffb5d205fb47433c32884497e8bd011811fb64892293f1250c60ec64b7da13 ce8276ba7ea241d8d3ef5870a272e9d8e4bce 7488f2980c38bffb5d205fb47433c32884497e8bd011811fb64892293f1250c60ec64b7da13 ce8276ba7ea241d8d3ef520b53e3b24ddafb4 7488f2980c38bffb5d205fb47433c32884497e8bd011811f112eab97ba911216c808474cee4 e1dc5112eab97ba911216c73be87c13518249 7488f2980c38bffb5d205fb47433c32884497e8bd011811f112eab97ba911216c808474cee4 e1dc568379a0c13f990a4922626a95c6882b3
  • 27. Base64 Decoded EE Cookies 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f b64892293f1250c6 0ec64b7da13ce827 b64892293f1250c6 935016e10db37783 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f b64892293f1250c6 0ec64b7da13ce827 3cbb196d86a14f1a 5ad799d3762167ff 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f b64892293f1250c6 0ec64b7da13ce827 3cbb196d86a14f1a 5ad799d3762167ff 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f b64892293f1250c6 0ec64b7da13ce827 6ba7ea241d8d3ef5 870a272e9d8e4bce 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f b64892293f1250c6 0ec64b7da13ce827 6ba7ea241d8d3ef5 870a272e9d8e4bce 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f b64892293f1250c6 0ec64b7da13ce827 6ba7ea241d8d3ef5 20b53e3b24ddafb4 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f 112eab97ba911216 c808474cee4e1dc5 112eab97ba911216 c73be87c13518249 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f 112eab97ba911216 c808474cee4e1dc5 68379a0c13f990a4 922626a95c6882b3
  • 28. Base64 Decoded EE Cookies – Repetition 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f b64892293f1250c6 0ec64b7da13ce827 b64892293f1250c6 935016e10db37783 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f b64892293f1250c6 0ec64b7da13ce827 3cbb196d86a14f1a 5ad799d3762167ff 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f b64892293f1250c6 0ec64b7da13ce827 3cbb196d86a14f1a 5ad799d3762167ff 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f b64892293f1250c6 0ec64b7da13ce827 6ba7ea241d8d3ef5 870a272e9d8e4bce 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f b64892293f1250c6 0ec64b7da13ce827 6ba7ea241d8d3ef5 870a272e9d8e4bce 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f b64892293f1250c6 0ec64b7da13ce827 6ba7ea241d8d3ef5 20b53e3b24ddafb4 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f 112eab97ba911216 c808474cee4e1dc5 112eab97ba911216 c73be87c13518249 7488f2980c38bffb 5d205fb47433c328 84497e8bd011811f 112eab97ba911216 c808474cee4e1dc5 68379a0c13f990a4 922626a95c6882b3
  • 29. Determining the Token Construct The only variable blocks are the last two (possibly a “last accessed” timestamp or similar timeout mechanism) Register a new account with a username of ‘c’ x 32, the maximum length permitted, and observe the value of the EE cookie – Note: ‘c’ x 32 is Perl notation for “cccccccccccccccccccccccccccccccc” – this syntax will be used throughout this case study dd73f765d6753fc0 1941f7f757f1ad49 1941f7f757f1ad49 1941f7f757f1ad49 294e437e2c142217 7da37ce1b09f2c9e 23945baf6847e94f 1ae0e1f8f4ba4c61 b893a5d48de9826c 0afc64f82d4b4a5d 11a9ec13975ae99b The token is longer, meaning the username is probably stored in the cookie The repetition of the cipher-text blocks mirrors the repeated ‘c’ characters in the plaintext of the username
  • 30. Determining the Token Construct Register another account with a username of ‘c’ x 16, and compare to the EE cookie generated in the previous step ‘c’ x 16 dd73f765d6753fc0 1941f7f757f1ad49 294e437e2c142217 7da37ce1b09f2c9e 23945baf6847e94f 2e62dc893303ec04 b893a5d48de9826c 03f261d8fd58bd87 11a9ec13975ae99b
  • 31. Determining the Token Construct Register another account with a username of ‘c’ x 16, and compare to the EE cookie generated in the previous step ‘c’ x 16 dd73f765d6753fc0 1941f7f757f1ad49 294e437e2c142217 7da37ce1b09f2c9e 23945baf6847e94f 2e62dc893303ec04 b893a5d48de9826c 03f261d8fd58bd87 11a9ec13975ae99b This must be the ‘c’ x 32 encrypted form of ‘c’x8 dd73f765d6753fc0 1941f7f757f1ad49 1941f7f757f1ad49 1941f7f757f1ad49 294e437e2c142217 7da37ce1b09f2c9e 23945baf6847e94f 1ae0e1f8f4ba4c61 b893a5d48de9826c 0afc64f82d4b4a5d 11a9ec13975ae99b Why don’t we see two identical blocks for ‘c’ x 16 and four identical blocks for ‘c’ x 32? Padding! The username doesn’t align perfectly with the block boundaries – so where does it actually start?
  • 32. Determining the Offset Location We want to figure out at what position in the cookie the username is located Additional user accounts were created with specific usernames in order to determine if there is any initial padding in the first block ccccccccccc dd73f765d6753fc0 b3671231259e657c 6d82dbfc2a54ced6 f2e835ed7d538576 b3089a21999468a9 29649aa77b9a5f17 aceab4efb11f7739 b1e6e08fb2288c2f cccccdddddd 197555b290c6a351 ba0dd4bd91dc2296 7da37ce1b09f2c9e 23945baf6847e94f 44de41ae0fec32a9 b893a5d48de9826c 3b47c51eeb93002a 11a9ec13975ae99b ccccccddddd dd73f765d6753fc0 ba0dd4bd91dc2296 7da37ce1b09f2c9e 23945baf6847e94f 44de41ae0fec32a9 b893a5d48de9826c f4cab32b1390799f 11a9ec13975ae99b
  • 33. Determining the Offset Location We want to figure out at what position in the cookie the username is located Additional user accounts were created with specific usernames in order to determine if there is any initial padding in the first block ? ? c c c c c c c c c c c ... dd73f765d6753fc0 b3671231259e657c 6d82dbfc2a54ced6 f2e835ed7d538576 b3089a21999468a9 29649aa77b9a5f17 aceab4efb11f7739 b1e6e08fb2288c2f ? ? c c c c c d d d d d d ... 197555b290c6a351 ba0dd4bd91dc2296 7da37ce1b09f2c9e 23945baf6847e94f 44de41ae0fec32a9 b893a5d48de9826c 3b47c51eeb93002a 11a9ec13975ae99b ? ? c c c c c c d d d d d ... dd73f765d6753fc0 ba0dd4bd91dc2296 7da37ce1b09f2c9e 23945baf6847e94f 44de41ae0fec32a9 b893a5d48de9826c f4cab32b1390799f 11a9ec13975ae99b
  • 34. Carrying Out the Impersonation Attack We know, via a separate user enumeration vulnerability in the application, that a user called ‘siteadmin’ exists To impersonate this user, we need to obtain the valid cipher-text blocks ? ? s i t e a d m i n ... xxxxxxxxxxxxxxxx yyyyyyyyyyyyyyyy zzzzzzzzzzzzzzzz ... So we register one user called ‘sitead11’ and another called ‘111111min’ and extract the cipher-text we need ? ? s i t e a d 1 1 ... 7e7efe1d694e66e8 0c7f1fde08ac0eed 7da37ce1b09f2c9e 23945baf6847e94f af904fcefe28814e b893a5d48de9826c 334ebd58bd579cc7 11a9ec13975ae99b ? ? 1 1 1 1 1 1 m i n ... 2b9eccd28b963000 7ede3268478cde61 7da37ce1b09f2c9e 23945baf6847e94f af904fcefe28814e b893a5d48de9826c dbb938a969645aec 11a9ec13975ae99b
  • 35. Carrying Out the Impersonation Attack Now we can impersonate the ‘siteadmin’ user! ... s i t e a d 1 1 ... 7e7efe1d694e66e8 0c7f1fde08ac0eed 7da37ce1b09f2c9e 23945baf6847e94f af904fcefe28814e b893a5d48de9826c 334ebd58bd579cc7 11a9ec13975ae99b ... 1 1 1 1 1 1 m i n ... 2b9eccd28b963000 7ede3268478cde61 7da37ce1b09f2c9e 23945baf6847e94f af904fcefe28814e b893a5d48de9826c dbb938a969645aec 11a9ec13975ae99b ... s i t e a d m i n ... 7e7efe1d694e66e8 7ede3268478cde61 7da37ce1b09f2c9e 23945baf6847e94f af904fcefe28814e b893a5d48de9826c dbb938a969645aec 11a9ec13975ae99b
  • 36. Recap We were able to successfully subvert the authentication mechanism without any knowledge of the algorithm or the key, based solely on observed patterns in the ciphertext The root cause of the vulnerability was the insecure cipher mode and the lack of a verification mechanism (not to mention poor design) ECB mode should not be used – Use CBC instead – CBC prevents the same block of plain-text from producing the same block of cipher-text – CBC also deters the ad-hoc substitution of inline blocks
  • 38. Context A public-facing multi-tenant web application for a major financial services company Allowed customers to manage their accounts and conduct transactions Aggressively utilized encryption for URL parameters
  • 39. Crypto Example: What Am I Looking At? Token values observed in URLs – Changed every time we logged on to the application – Never the same for any two sessions or any two users Stmt=Ct9X4RWkQZ2L1vmKYd70D2gnCKN7y1PqgUuOytUYW/X3u1qk0xh8HyE= Stmt=Ct9X4RWkQZ2K0f6Pa9X2Cm4gCKN7y1PqgUuOytUYW/Xxu1qk0wVYO1w= Stmt=Ct9X4RWkQZ2L1vmKYd71CG0iCKJ4wl3igUuFyd0YWPH3u1qk0zB/Nwg= Stmt=Ct9X4RWkQZ2K0f6Pa9X2CGgmCKFwy1frgUuHytwYWPDyu1qk0w0jZxE= Stmt=Ct9X4RWkQZ2K0f6Pa9X2CWgjCKFxy1fqgUuHyNoYWPP7u1qk029kMC4= Stmt=Ct9X4RWkQZ2K0f6Pa9X3BG8mCKB7zlTjgUyAyNQYWPLxu1qk03N9EDg= Stmt=Ct9X4RWkQZ2L1vmKYd72D28kCKZwzlfvgU2Azd8YUfW+9lujrTZ4Dw== Stmt=Ct9X4RWkQZ2L1vmKYd73DmIpCKZ6wlGmzEiDy5BWWrrz91ykrSVk . . File=eNU81UH7AKLZiLnbILCEUjd8G/oVqgWjnhfTmocX Ctxt=CN9RqBTrIITOlaLQM4DndDR3G+ . . (at least seven other tokens in a similar format)
  • 40. Crypto Example: What Am I Looking At? Base64-decoded values for several different “Stmt” tokens Statement #7044323226 0adf57e115a4419d8bd6f98a61def40f682708a37bcb53ea814b8ecad5... Statement #6731991741 0adf57e115a4419d8ad1fe8f6bd5f60a6e2008a37bcb53ea814b8ecad5... Statement #7044322573 0adf57e115a4419d8bd6f98a61def5086d2208a278c25de2814b85c9dd... Statement #6731991527 0adf57e115a4419d8ad1fe8f6bd5f608682608a170cb57eb814b87cadc... Statement #6731991422 0adf57e115a4419d8ad1fe8f6bd5f609682308a171cb57ea814b87c8da... Statement #6731990957 0adf57e115a4419d8ad1fe8f6bd5f7046f2608a07bce54e3814c80c8d4... Statement #7044321255 0adf57e115a4419d8bd6f98a61def60f6f2408a670ce57ef814d80cddf... Statement #7044320388 0adf57e115a4419d8bd6f98a61def70e622908a67ac251a6cc4883cb90...
  • 41. Detecting Patterns Looked for correlations between statement number and cipher-text 7044323226 704432 0adf57e115a4419d8bd6f98a61de 8bd6f98a61def40f682708a37bcb53ea814b8ecad5... 6731991741 673199 0adf57e115a4419d8ad1fe8f6bd5 8ad1fe8f6bd5f60a6e2008a37bcb53ea814b8ecad5... 7044322573 704432 0adf57e115a4419d8bd6f98a61de 8bd6f98a61def5086d2208a278c25de2814b85c9dd... 6731991527 673199 0adf57e115a4419d8ad1fe8f6bd5 8ad1fe8f6bd5f608682608a170cb57eb814b87cadc... 6731991422 673199 0adf57e115a4419d8ad1fe8f6bd5 8ad1fe8f6bd5f609682308a171cb57ea814b87c8da... 6731990957 673199 0adf57e115a4419d8ad1fe8f6bd5 8ad1fe8f6bd5f7046f2608a07bce54e3814c80c8d4... 7044321255 704432 0adf57e115a4419d8bd6f98a61de 8bd6f98a61def60f6f2408a670ce57ef814d80cddf... 7044320388 704432 0adf57e115a4419d8bd6f98a61de 8bd6f98a61def70e622908a67ac251a6cc4883cb90...
  • 42. Detecting Patterns Conclusion: It looks like a stream cipher 7044323226 2 0adf57e115a4419d8bd6f98a61def40f68 682708a37bcb53ea814b8ecad5... 6731991741 1 0adf57e115a4419d8ad1fe8f6bd5f6 f60a6e2008a37bcb53ea814b8ecad5... 7044322573 5 0adf57e115a4419d8bd6f98a61def508 086d2208a278c25de2814b85c9dd... 6731991527 1 0adf57e115a4419d8ad1fe8f6bd5f608682608a170cb57eb814b87cadc... f6086826 6731991422 1 2 0adf57e115a4419d8ad1fe8f6bd5f6 682308a171cb57ea814b87c8da... f60968 6731990957 0 5 0adf57e115a4419d8ad1fe8f6bd5f7 6f26 f7046f2608a07bce54e3814c80c8d4... 7044321255 1 5 0adf57e115a4419d8bd6f98a61def6 6f2408a670ce57ef814d80cddf... f60f6f 7044320388 0 0adf57e115a4419d8bd6f98a61def7 f70e622908a67ac251a6cc4883cb90...
  • 43. Deriving Part of the Keystream Use XOR to calculate 10 bytes of the keystream based on the known plain-text (i.e. the statement number) 7044322573 0adf57e115a4419d8bd6f98a61def5086d22 8bd6f98a61def5086d2208a278c25de2814b85c9dd1858f1... XOR 37303434333232353733 7 0 4 4 3 2 2 5 7 3 = bce6cdbe52ecc73d5a11 Partial keystream? bce6cdbe52ecc73d5a11 6731991422 XOR 0adf57e115a4419d8ad1fe8f6bd5f6096823 8ad1fe8f6bd5f609682308a171cb57ea814b87c8da1858f3... = 36373331393931343232 6 7 3 1 9 9 1 4 2 2 Checks out!
  • 44. Deriving More of the Keystream Now try the same thing against one of the other collected tokens, such as the one called “Ctxt” Ctxt= 08df51a814eb2084ce95a2d03380e7743477 ce95a2d03380e77434771be6249b10b39211cad7c24b2194... XOR bce6cdbe52ecc73d5a11 = Known key material 72736f6e616c20496e66 r s o n a l I n f Ctxt= 08df51a814eb2084 2084ce95a2d03380e77434771be6249b10b39211 1be6249b10b39211cad7c24b2194... XOR 506572736f6e616c20496e666f726d6174696f6e 5065 6f726d6174696f6e P e r s o n a l I n f o r m a t i o n = 70e1bce6cdbe52ecc73d5a11749449fa64dafd7f 70e1 749449fa64dafd7f More keystream!
  • 45. Lather, Rinse, Repeat Now try the same thing against one of the other collected tokens, such as the one called “File” File= 78d53cd541fb00a2d988b9db20b08452377c1bfa15aa05a39e17 00a2d988b9db20b08452377c1bfa15aa05a39e17d39a871769c6... XOR 70e1bce6cdbe52ecc73d5a11749449fa64dafd7f = Known key material 7043656e7465725c436f6d6d6f6e5c5061796368 p C e n t e r C o m m o n P a y c h File= 78d53cd541fb d541fb00a2d988b9db20b08452377c1bfa15aa05a39e17d39a8717 d39a871769c6... XOR 48656c7043656e7465725c436f6d6d6f6e5c506179636865636b73 48656c 65636b73 H e l p C e n t e r C o m m o n P a y c h e c k s = 9d249770e1bce6cdbe52ecc73d5a11749449fa64dafd7fb6f9ec64 9d2497 b6f9ec64 More keystream!
  • 46. Token Poisoning Attempt Through this iterative process, we can obtain the entire keystream (or rather, a sufficient amount of the keystream to encrypt and decrypt all of the cipher-text we encounter) Fully decrypted “Stmt” tokens contain the following data: 107|131|7044336068|324070|20897|1161|107SWEL 107|131|7044335527|305353|20238|1101|107RyQC 107|131|7044334802|288149|19607|1041|107l7nS 107|131|7044333801|278718|19363|981|1070VN+ 107|131|7044333131|258265|17041|882|107HmoE So now, we can replace the statement number with another valid statement number, and view the contents… right? 107|131|1234567890 1234567890|324070|20897|1161|107SWEL 107|131|7044336068|324070|20897|1161|107SWEL
  • 47. Integrity Checking (Not Really) The application appears to be performing some sort of integrity check on the token content 107|131|7044336068|324070|20897|1161|107SWEL SWEL (49 61 0b) 107|131|7044335527|305353|20238|1101|107RyQC RyQC (47 24 02) 107|131|7044334802|288149|19607|1041|107l7nS l7nS (97 b9 ec) 107|131|7044333801|278718|19363|981|1070VN+ 107|131|7044333801|278718|19363|981|1070VN+ 0VN+ (d1 53 7e) 107|131|7044333131|258265|17041|882|107HmoE HmoE (1e 6a 04) Four Base64 encoded characters appended to the end of each token equate to three decoded bytes, or 24 bits This turned out to be a standard CRC-24 algorithm, for which reference code was quickly found via a Google search – Cyclic Redundancy Checksums (CRCs) are used to detect errors in the transmission and storage of data
  • 48. Step By Step: Building Tokens From Scratch Generate the desired plain-text of the token, or manipulate an existing token Calculate the CRC-24 of the plain-text and append it (in Base64 encoded form) to the end of the token Encrypt the token by performing an XOR of the plain-text with the recovered keystream Base64 encode the encrypted token
  • 49. Recap Once again, we were able to successfully subvert the encryption mechanism without any knowledge of the algorithm or the key, based solely on observed patterns in the ciphertext It turned out, after talking to the development team, that they were using RC4, with a unique key generated for each user session The root cause of the vulnerability is the re-use of the keystream combined with the lack of an integrity check – Stream cipher keystream should not be used to encrypt multiple plaintexts – Integrity checking should be performed via a keyed HMAC or similar algorithm that cannot be easily reproduced using reference code
  • 50. Q&A
  • 51. Contact Chris Eng Sr. Director, Security Research Veracode, Inc. ceng@veracode.com