how to submit a fake talk to a con not that crowley guy
TRANSCRIPT
![Page 1: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/1.jpg)
How to Submit a Fake Talk to a ConNot that Crowley guy
![Page 2: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/2.jpg)
Step 1: Choose a Con
• Small cons
• First year cons
• Cons run by guys with green hair
![Page 3: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/3.jpg)
Step 2: Pick a talk• Doesn’t have to be your own
• Know your panelists• EC-Council con?
• Use the word “cyber” as a noun AND a verb
• Super technical con?• Steal a real talk from another recent con
• Make sure it sounds all ninja• Crypto talks are good, nobody knows crypto
![Page 4: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/4.jpg)
Step 3: CFP• Is there a demo?
• Yes
• Is this about a new vulnerability?• Yes
• Are you releasing a tool or exploit?• Yes
• Are you just saying all the things I want to hear?• Yes
![Page 5: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/5.jpg)
Step 4: Get out of presenting• Need an excuse!
• Family emergency• Overused• Nobody will call you on it• Can’t stay at the con afterwards
• Fake lawsuit• Pretend some vendor is angry• Get talking slot replaced by some other chump
• Got chutzpah?• Give the talk anyway• If people don’t get it they’ll blame themselves
![Page 6: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/6.jpg)
Step 5: Party!
• Cons usually give speakers
• Free food
• Free booze
• Free swag
• Usually just t shirts
• Girlies love speaker badges
• Speakers get into more parties
![Page 7: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/7.jpg)
Step 6: Reveal joke• LOL I TROL JOO
![Page 8: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/8.jpg)
Speaking with Cryptographic OraclesDaniel “unicornFurnace” CrowleyApplication Security Consultant, Trustwave - Spiderlabs
![Page 9: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/9.jpg)
COPYRIGHT TRUSTWAVE 2012 SPEAKING WITH CRYPTOGRAPHIC ORACLES
The Speaker and the Presentation
A quick introduction and a few distinctions
![Page 10: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/10.jpg)
The Speaker
› Daniel Crowley
› Web application security d00d
› IANAC (I am not a cryptographer)
› [email protected]› @dan_crowley
![Page 11: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/11.jpg)
The Presentation Topic
› Finding and exploiting:
– Encryption Oracles
– Decryption Oracles
– Padding Oracles
› With little to no cryptographic knowledge
– More crypto knowledge, more useful attacks
![Page 12: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/12.jpg)
NOT the Presentation Topic
› The Oracle– We are not being harvested
for energy by robot overlords
• Maybe
› ORACLE– If you Google “<any crypto
word> oracle” it’s all you find
› Crypto g00r00s like Adi
Shamir
– While also awesome and
totally related, not the topic
![Page 13: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/13.jpg)
COPYRIGHT TRUSTWAVE 2012 SPEAKING WITH CRYPTOGRAPHIC ORACLES
A Primer on Cryptographic Terms
Basic cryptographic terms, concepts and mistakes
![Page 14: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/14.jpg)
Very Basic Terms
› Key
– A variable used to permute the cipher
› Initialization Vector (IV)
– A second variable used to randomize the cipher
› Plaintext
– The data in readable form
› Ciphertext
– The data in unreadable form
![Page 15: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/15.jpg)
Stream vs. Block Ciphers
Block› Encrypt X
characters at a time– X is the block size
› Key is used to directly transform plaintext to ciphertext
Stream› Encrypt one
character at a time› Key is used to
generate pseudo-random numbers
› Those numbers are used to transform plaintext to ciphertext
![Page 16: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/16.jpg)
Very Basic Mistakes
› Using a keyless cipher– Completely insecure if
cipher is ever discovered
› Reusing keys and/or IVs– Makes Oracle attacks far
more dangerous– IV reuse can seriously
weaken stream ciphers
• Think WEP› Leaking data from crypto
operations– Foundation for Oracle
attacks
Flickr Creative Commons - Rosino
![Page 17: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/17.jpg)
What is an Oracle?
A system which takes queries and
provides answers
› Queries might be
– Plaintext
– Ciphertext
› Answers might be
– Corresponding plaintext
– Corresponding ciphertext
– Info about operation
– Sample from PRNGPicture by D Sharon Pruitt – Creative Commons
![Page 18: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/18.jpg)
COPYRIGHT TRUSTWAVE 2012 SPEAKING WITH CRYPTOGRAPHIC ORACLES
Seek the Oracle
How to identify cryptographic OraclesFrom a black-box perspective
![Page 19: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/19.jpg)
General Methodology
› Look for ciphertext
– Ciphertext as input
• Possible decryption/padding oracle
– Ciphertext as output
• Possible encryption oracle
![Page 20: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/20.jpg)
General Methodology
› Fiddle about
– Ciphertext input: Potential decryption or padding oracle
• Provide modified ciphertext
• Provide no ciphertext
• Provide ciphertext from another part of
application
– Ciphertext output: Potential encryption oracle
• Modify input and monitor ciphertext
![Page 21: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/21.jpg)
Identifying Ciphertext
› Encrypted data is generally encoded– Base64– ASCII hex– URL encoding– Other non-standard encodings
• Decimal
• UUEncode
• BaseX› Decoded data is likely encrypted
if seemingly random
› Modification of values may result in decryption-related errors
![Page 22: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/22.jpg)
Decryption Oracles
› Decrypted output may be
– Reflected
• Normal output
• Error
– May be given in later response
– May be inferred from modified
output
– May be stored and not shown
• Additional vulnerabilities may reveal
output
![Page 23: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/23.jpg)
Decryption Oracles: An Example
› Scenario› Consider “GetPage.php?file=<encrypted_stuff>”
– Opens a file to be included based on encrypted input
• Allows for quick page additions• Prevents file inclusion attacks…?• Assumes properly encrypted input is
sanitary– Errors are verbose
› Usage› Feed the script some ciphertext
– Record the “file” the error tells you wasn’t found
![Page 24: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/24.jpg)
Encryption Oracles
› Determine point of entry– Mostly guess-work
• Names help› Frequently encrypted
data– Client-side state variables– Passwords– Financial data– Anything sufficiently
sensitive
› Often found in– Cookies– Hidden variables– Databases– File resident dataFlickr Creative Commons – Gideon van der Stelt
![Page 25: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/25.jpg)
Encryption Oracles: An Example
› Scenario› Consider “auth” cookie, encrypted
– Username + “:” + password_hash + “:” + timestamp
› Assume usernames can’t contain “:” character– No delimiter injection
› Timestamp to control expiration
› Usage› Register with any username, log in› Copy cookie value and replace any encrypted input
with it– Can’t use colons or control suffix
• Might not matter
![Page 26: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/26.jpg)
Padding Oracles
› Input must be encrypted
› Must be a padded block cipher
› Valid vs. invalid padding is distinguishable
– This is the essence of a padding Oracle
– Modify ciphertext input, look for errors
› Padding Oracles can SOMETIMES be used as decryption Oracles
– Using the CBC-R technique they are also encryption Oracles
• May be limited in that the first block will be garbled
![Page 27: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/27.jpg)
COPYRIGHT TRUSTWAVE 2012 SPEAKING WITH CRYPTOGRAPHIC ORACLES
Exploiting Cryptographic Oracles
Breaking bad crypto and bad crypto usage
![Page 28: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/28.jpg)
Converting One Oracle Into Another
› Padding Oracles only tell you whether padding is valid
– This information can sometimes be used to decrypt or encrypt
› Decryption Oracles
– Can sometimes be converted to an encryption Oracle using brute
force
› Encryption Oracles
– Can sometimes be converted to decryption Oracles
• Easier if algorithm is deterministic
![Page 29: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/29.jpg)
Attack 0: Crypto Recon Examples
› Check for static key, IV, and deterministic cipher– Encrypt the same plaintext twice– Check to see if they are identical
› Check for stream vs. block ciphers– Encrypt plaintexts of various sizes– Compare plaintext size to ciphertext size
› Check for ECB block cipher mode– Encrypt repeating plaintext blocks– Look for repetitive ciphertext
![Page 30: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/30.jpg)
Attack 1: Bad Algorithms
• Occasionally, people try to make their own algorithms• And they’re not cryptographers
• And it doesn’t end well
› Real homespun crypto seen in the wild:
• Each character is replaced with a “random” but unique selection of two or three characters
• Characters are separated by the letter “K”
› “hello” might become “KqIKefKPrPKPrPKuJXK”
![Page 31: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/31.jpg)
Attack 1: Bad Algorithms
› Is there substitution?› Submit “AAAA” : Get “KLoKLoKLoKLoK”
• There is!• We can already see patterns, too
› Is there transposition?› Submit “AABB” : Get “KLoKLoKaBeKaBeK”
• No transposition• We can see more patterns• The “K” seems to be a delimeter• Substitution doesn’t change on position
• One replacement per letter
![Page 32: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/32.jpg)
Attack 1: Bad Algorithms
› Submit “BABA” : Get “KaBeKLoKaBeKLoK”
• Exactly what we expected
› Submit “abcdefghi…XYZ0123456789” : Get entire
key!
• We now submit one of every character in sequence
• The Oracle tells us what each maps to
![Page 33: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/33.jpg)
Attack 1 and a half: Revenge of Bad Algorithms
› Others use a simple xor operation to encrypt data
P xor B = CC xor B = PC xor P = B
Wikimedia Commons - Herpderper
![Page 34: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/34.jpg)
Attack 1.75: Bride of Bad Algorithms
› For some simple ciphers like xor
› Encryption = Decryption
› THUS
› Encryption Oracle = Decryption Oracle
› THUS
› Such ciphers are made completely useless by leaking output
› THUS
› For God’s sake stop using xor
![Page 35: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/35.jpg)
Attack 1: Bad Algorithms
›DEMO
![Page 36: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/36.jpg)
Attack 2: Trusted Encrypted Input
› People tend to reuse keys and IVs– If we can encrypt arbitrary data in one place– It may work in another
› If devs don’t think you can mess with input– They probably won’t sanitize it– Encrypted inputs with MAC aren’t totally tamper-proof
![Page 37: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/37.jpg)
Attack 2: Trusted Encrypted Input
› Encrypted password with MAC in cookie– Checked against database on each request needing auth
› Find encryption Oracle with the same keys & IV– Use encryption Oracle to encrypt ‘ or 1=1--– Plug resulting value into cookie– Laugh all the way to the bank
![Page 38: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/38.jpg)
Attack 2: Trusted Encrypted Input
›DEMO
![Page 39: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/39.jpg)
Attack 3: Let the client have it, it’s encrypted
I. Find a decryption Oracle
II. Find encrypted data
III. Decrypt that sucka
IV. ?????
V. PROFIT!!!
›This attack also relies on key/IV reuse
![Page 40: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/40.jpg)
Attack 3: Let the client have it, it’s encrypted
›DEMO
![Page 41: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/41.jpg)
What encryption?
› If you can find
– An encryption Oracle
– A decryption Oracle
› You can encrypt or decrypt any data
– As long as keys and IVs are reused
• Algorithm doesn’t matter
• Padding doesn’t matter
• Cipher mode doesn’t matter
› All encryption which uses the same key and IV is now useless
![Page 42: How to Submit a Fake Talk to a Con Not that Crowley guy](https://reader038.vdocuments.mx/reader038/viewer/2022110206/56649cee5503460f949bbd6b/html5/thumbnails/42.jpg)
How Can I Fix My Code?
› Avoid giving away information about crypto operations– Output
• Not always plausible– Success/Failure
• Suppress or generalize errors– Timing
• Make code take the same time to finish no matter what happens
› Don’t reuse keys and IVs› Authenticate your crypto
– Encrypt then MAC