The document discusses weaknesses in web application security related to encryption and random number generation. It describes how Electronic Code Book (ECB) mode and padding-based attacks can compromise confidentiality. It also explains how the use of deterministic random number generators and lack of integrity checks on encrypted data can enable side-channel attacks like the padding oracle attack. The document emphasizes the importance of using cryptographically secure random number generators and combining encryption with signatures to protect both confidentiality and integrity.
3. • Confidentiality – Prevent the disclosure of information to unauthorized individuals or systems
• Integrity – Ensure that data cannot be modified undetectably
• Authenticity – Validate that a party is who they claim to be
4. • Symmetric Crypto Attacks
• ECB Mode Usage
• Padding-Based Attacks
• Secure Random Number Generation
5. • Most block ciphers support multiple modes of operation
• The most common modes are:
  • ECB – Electronic Code Book
  • CBC – Cipher Block Chaining
  • CFB – Cipher Feedback
  • OFB – Output Feedback
• None provide integrity if used in isolation
17. • Block Swapping will result in data corruption
[Diagram: BLOCK 1, BLOCK 3, BLOCK 2]
18. • “Padding Oracle” Attack
• Leverages byte flipping of ciphertext to generate invalid padding exceptions
• Data can be decrypted (and encrypted too) without knowledge of the secret key
22. • Is the key the correct size?
  • Invalid Key Exception
• Is the value (bytes) an even block multiple?
  • Invalid Length Exception
• Is the decrypted block properly padded?
  • Invalid Padding Exception (CRITICAL)
• Return the value
24. Call this “Byte X”
Call this “Byte Y”
Basic Premise:
• A change of Byte X (ciphertext) will change Byte Y (plaintext)
• There is a one-to-one correlation between Byte X values and Byte Y values
• Exception is thrown if plain-text does not end with a valid padding sequence
25. Byte X == 0x00
Byte Y == ???
Exception? YES
• Byte Y is not valid padding
26. Byte X == 0x01
Byte Y == ???
Exception? YES
• Byte Y is not valid padding
27. Byte X == 0x02
Byte Y == ???
Exception? YES
• Byte Y IS valid padding (must be 0x01)
28. • What does that tell us?
• The altered byte value produced valid padding when XOR’ed with the intermediate value
IF A ^ B = C
THEN A ^ C = B
AND C ^ B = A
29. • What does that tell us?
• If the padding byte was 0x01:
  • Our Byte (0x02) ^ Intermediate Byte (??) == 0x01
  • Intermediate Byte == Our Byte (0x02) ^ 0x01
• The plain-text value is the intermediate value XOR’ed with the prior ciphertext byte
31. • As we’ve seen, encrypted data (while kept private) is still susceptible to tampering
[Diagram: Message, Encryption]
• We need to ensure PRIVACY and INTEGRITY
32. • Encrypt + Sign the Ciphertext
[Diagram: Message, Encryption, SIGNATURE]
• HMAC: Combines a cryptographic hash function with a secret key
  • Cannot be re-computed without the key
  • Verifies the integrity and authenticity of a message
33. • Why not HMAC within the ciphertext?
• Does not protect against side channel attacks during decryption
• Padding Oracle Attack in .NET Framework
  • Discovered September 2010
  • Viewstate and Forms Authentication Cookies were affected even though an HMAC was included within the ciphertext
  • Tampering was only detected after decryption
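An added example (not from the original slides) of the Encrypt + Sign pattern from slides 32 and 33, written in C# for .NET 6 or later: the HMAC covers the IV and ciphertext and is verified before decryption, so a modified token is rejected before the padding check can ever run. The class and method names, the token layout and the sample plaintext are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

static class EncryptThenMac
{
    const int IvLen = 16, TagLen = 32;   // AES block size, HMAC-SHA256 output size

    // Token layout (assumed for this example): IV || ciphertext || HMAC-SHA256(IV || ciphertext)
    public static byte[] Protect(byte[] plaintext, byte[] encKey, byte[] macKey)
    {
        using var aes = Aes.Create();    // defaults: CBC mode, PKCS7 padding
        aes.Key = encKey;
        aes.GenerateIV();
        using var enc = aes.CreateEncryptor();
        byte[] ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        byte[] body = aes.IV.Concat(ct).ToArray();
        using var hmac = new HMACSHA256(macKey);
        return body.Concat(hmac.ComputeHash(body)).ToArray();
    }

    // One generic failure result; the cipher never runs on unauthenticated bytes.
    public static bool TryUnprotect(byte[] token, byte[] encKey, byte[] macKey, out byte[] plaintext)
    {
        plaintext = Array.Empty<byte>();
        int bodyLen = token.Length - TagLen;
        if (bodyLen < 2 * IvLen || (bodyLen % IvLen) != 0) return false;
        using var hmac = new HMACSHA256(macKey);
        byte[] expected = hmac.ComputeHash(token, 0, bodyLen);
        if (!CryptographicOperations.FixedTimeEquals(expected, token.AsSpan(bodyLen)))
            return false;                // tampered: rejected before any padding check
        using var aes = Aes.Create();
        aes.Key = encKey;
        aes.IV = token.Take(IvLen).ToArray();
        using var dec = aes.CreateDecryptor();
        plaintext = dec.TransformFinalBlock(token, IvLen, bodyLen - IvLen);
        return true;
    }

    static void Main()
    {
        byte[] encKey = RandomNumberGenerator.GetBytes(32);   // separate keys for
        byte[] macKey = RandomNumberGenerator.GetBytes(32);   // encryption and MAC
        byte[] token = Protect(Encoding.UTF8.GetBytes("user=alice;role=user"), encKey, macKey);
        Console.WriteLine(TryUnprotect(token, encKey, macKey, out _));  // untouched token
        token[IvLen] ^= 0x01;                                           // flip one ciphertext bit
        Console.WriteLine(TryUnprotect(token, encKey, macKey, out _));  // tampered token
    }
}
```

Because every rejection path returns the same `false`, the caller has no separate "invalid padding" signal to expose.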
34. • When do you need a random number?
  • Password Generator, Encryption Keys, Session Identifiers, etc…
• How random is “random”?
Pseudo Random Number Generator vs. Cryptographically Secure Random Number Generator
35. • Two common attacks against RNGs
  • Non-random Seed Values
  • Formula used to produce random numbers
36. • What do you think this code will produce?
using System;

// Generate First Series
byte[] bytes1 = new byte[100];
Random rnd1 = new Random();   // no seed supplied: the runtime picks one
rnd1.NextBytes(bytes1);
Console.WriteLine("First Series:");
for (int ctr = bytes1.GetLowerBound(0); ctr <= bytes1.GetUpperBound(0); ctr++) {
    Console.Write("{0, 5}", bytes1[ctr]);
    if ((ctr + 1) % 10 == 0) Console.WriteLine();   // ten values per row
}

// Generate Second Series
byte[] bytes2 = new byte[100];
Random rnd2 = new Random();   // second generator, created immediately after the first
rnd2.NextBytes(bytes2);
Console.WriteLine("Second Series:");
for (int ctr = bytes2.GetLowerBound(0); ctr <= bytes2.GetUpperBound(0); ctr++) {
    Console.Write("{0, 5}", bytes2[ctr]);
    if ((ctr + 1) % 10 == 0) Console.WriteLine();   // ten values per row
}
38. • If you don’t seed the random number generator, it will automatically be seeded
• With what?
“By default, the parameterless constructor of the Random class uses the system clock to generate its seed value”
http://msdn.microsoft.com/en-us/library/system.random.aspx
39. • What if this code was in ResetPassword.aspx?
using System;
using System.Text;

StringBuilder password = new StringBuilder();
// Define all upper and lower chars with special chars
char[] lCase = new char[] { 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l',
    'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D',
    'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V',
    'W', 'X', 'Y', 'Z', '!', '@', '#', '$', '%', '^', '&', '*', '(', ')', '-', '_' };
int lCaseIndex = 0;
Random rand = new Random();   // not a CSPRNG; no seed supplied, so it is seeded automatically
// Randomly select 12 characters from the values above
for (int cnt = 0; cnt < 12; cnt++)
{
    // The upper bound of Next is exclusive, so pass Length to make every character selectable
    lCaseIndex = rand.Next(0, lCase.Length);
    password.Append(lCase[lCaseIndex]);
}
string newPassword = password.ToString();
40. • Seed Race Condition Attack (Seed Racing)
• Based on a research experiment conducted in 2008
• 67,000 HTTP requests to a server with a random password generator similar to the one shown
• Results: 208 unique passwords
  • 322 duplicated in one or more accounts
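An added example (not from the original slides) that puts the slide 39 generator next to a hardened form, in C# for .NET Core 3.0 or later. The explicit seed passed to `WeakPassword` is an assumption that stands in for the clock-derived default seed quoted on slide 38; the class and method names and the same-tick scenario are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class PasswordDemo
{
    // Same 64 characters as the array on slide 39.
    const string Alphabet =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!@#$%^&*()-_";

    // The slide's approach with the seed made explicit: System.Random is
    // deterministic, so equal seeds always produce equal passwords.
    public static string WeakPassword(int seed, int length = 12)
    {
        var rand = new Random(seed);
        var sb = new StringBuilder(length);
        for (int i = 0; i < length; i++)
            sb.Append(Alphabet[rand.Next(0, Alphabet.Length)]);
        return sb.ToString();
    }

    // Hardened form: every index comes from the OS CSPRNG. GetInt32 returns a
    // uniformly distributed value in [0, toExclusive), with no seed to race.
    public static string StrongPassword(int length = 12)
    {
        var sb = new StringBuilder(length);
        for (int i = 0; i < length; i++)
            sb.Append(Alphabet[RandomNumberGenerator.GetInt32(Alphabet.Length)]);
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed scenario: two reset requests handled within the same clock tick.
        int tick = Environment.TickCount;
        Console.WriteLine("Weak passwords identical:   " +
            (WeakPassword(tick) == WeakPassword(tick)));
        Console.WriteLine("Strong passwords identical: " +
            (StrongPassword() == StrongPassword()));
    }
}
```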
41. • Is Java.Random any better?
• Uses a Linear Congruential Formula for generating random data (LCG)
[Figure: One Dimensional LCG Plot]