
1 Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation OWASP OWASP Dallas Malicious Math: Recent Real-World Cryptographical and Computational Threats on the Web Derek Soeder Ridgeway Internet Security, L.L.C. derek August 1, 2012 Content copyright © Ridgeway Internet Security, L.L.C. Template copyright © The OWASP Foundation

2 OWASP Overview
- Hash collision denial of service (Dec. 2011)
- MD5 collision rogue cert. (July – Dec. 2008)
- Debian weak SSL keys (Sept – May 2008)
- Insuff. key randomness (Dec – Feb. 2012)
- BEAST client-side SSL attack (Sept. – Dec. 2011)
- Padding oracle decryption (Apr. – Sept. 2010)

3 OWASP Hash Collision Denial of Service

4 OWASP "Algorithmic complexity attacks"
- Crosby & Wallach paper (Aug. 2003), "Algorithmic complexity attacks": use knowledge of a system's algorithms to induce worst-case performance
- Many Web app frameworks keep field name-value pairs in hash tables: ASP.NET, Java, PHP, Python, Ruby, etc.
- Hash tables use hash functions
- An attacker can abuse predictable hash functions to produce the worst case

5 OWASP About Hash Tables
- List: looking up is slow; adding an item means looking for it first, if duplicate items are not allowed
- Hash table: basically a bunch of lists; looking up is less slow, if the lists are utilized evenly
- Hash function decides in which list each item belongs

6 OWASP Hash Collision Denial of Service
- n.runs advisory (Dec. 2011): send hundreds of KBs to MBs of field names that all hash to a single value
- Only one list of the hash table is utilized → looking up is slow → adding is slow
- 100,000's of maximally inefficient look-ups and adds hog CPU time
- More bang for the attacker's bandwidth

7 OWASP Hash Collision DoS – ASP.NET
The hash function, MSCORWKS!HashString:

    for (dwhash = 5381; *pwch != 0; pwch++)
        dwhash = (dwhash * 33) ^ *pwch;

Example collision: "0_" and "1~"
    5381 * 33 = ^ 48 ('0') = * 33 = ^ 95 ('_') =
    5381 * 33 = ^ 49 ('1') = * 33 = ^ 126 ('~') =

8 OWASP Hash Collision DoS – ASP.NET (2)
- n.runs advisory presents tricks to make computing hash collisions feasible
- Proof of concept with 10,000's of field names that all hash to in
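As an added example (not code from the talk), the slide's hash loop in Python: it reproduces the step values for "0_" and "1~", shows why two colliding pieces compose into many colliding field names, and contrasts the unkeyed hash with a keyed one. The keyed variant (BLAKE2b with a per-process random key) and the 1024-bucket table are assumptions standing in for the randomized hashing that frameworks adopted as the fix.

```python
import os
from collections import Counter
from hashlib import blake2b
from itertools import product

MASK = 0xFFFFFFFF  # dwhash is a 32-bit DWORD, so the arithmetic wraps

def hash_string(s, seed=5381):
    """The slide's loop: h = (h * 33) ^ ch for each character."""
    h = seed
    for ch in s:
        h = ((h * 33) ^ ord(ch)) & MASK
    return h

def hash_steps(s, seed=5381):
    """Intermediate value after each character (the slide's step-by-step table)."""
    steps, h = [], seed
    for ch in s:
        h = ((h * 33) ^ ord(ch)) & MASK
        steps.append(h)
    return steps

def colliding_names(blocks):
    """The hash is a state machine: once "0_" and "1~" reach the same state,
    every concatenation of them does too, so 2**blocks names share one hash."""
    return ["".join(p) for p in product(("0_", "1~"), repeat=blocks)]

def longest_chain(names, hash_fn, nbuckets=1024):
    """Length of the fullest list when names are put into an nbuckets table."""
    return max(Counter(hash_fn(n) % nbuckets for n in names).values())

_KEY = os.urandom(16)  # constructed per-process secret that a request sender cannot know

def keyed_hash(s):
    """Stand-in for randomized hashing: keyed BLAKE2b truncated to 32 bits."""
    return int.from_bytes(blake2b(s.encode(), key=_KEY, digest_size=4).digest(), "big")

if __name__ == "__main__":
    names = colliding_names(6)  # 64 field names
    print("0_ steps:", hash_steps("0_"), " 1~ steps:", hash_steps("1~"))
    print("unkeyed hash, longest chain:", longest_chain(names, hash_string))
    print("keyed hash, longest chain:  ", longest_chain(names, keyed_hash))
```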

9 OWASP Hash Collision DoS – ASP.NET Demo

10 OWASP MD5 Collision Rogue Certificate

11 OWASP A Brief History of MD5
- 1992: MD5 published as the latest cryptographic (secure) hash function
- 1993: early indication of weaknesses
- 1996: serious indication of weakness; switching to another algorithm recommended
- 2004: broken—collision computed in an hour
- 2005: "clearly broken"—colliding documents and certificates demonstrated
- 2006: BROKEN—collision computed in a minute

12 OWASP 2008: CAs still issuing digital certificates with signed MD5 hash

13 OWASP Certificate Constraints – End Entity

14 OWASP Certificate Constraints – CA

15 OWASP MD5 Collision Rogue Certificate
- Did you know: MD5 is broken?
- Chosen-prefix collision: real certificate and rogue certificate can start with whatever bytes (P and P')
- Control of real and rogue middle bytes (A/B/NC and A'/B'/NC') produces the collision
- Any end bytes (S) after NC and NC' need to be identical

16 OWASP MD5 Collision Rogue Certificate - P and P'

17 OWASP MD5 Collision Rogue Certificate - B and B'

18 OWASP MD5 Collision Rogue Certificate - NC and NC'

19 OWASP MD5 Collision Rogue Certificate - S

20 OWASP MD5 Collision Rogue Certificate – Attack
1. Predict all CA-determined fields: serial number; validity period (date and time in seconds)
2. Generate B/NC and B'/NC': B/NC are buried in the public key submitted to the CA; B'/NC' are hidden in an ignored part of the rogue certificate. Only after the CA MD5's everything—serial no., validity period, public key, etc.—is there a collision, or not
3. Request the certificate at exactly the right time: with luck, the CA signs the predicted MD5 hash

21 OWASP MD5 Collision Rogue Certificate – No Demo
It helps to have this handy:

22 OWASP MD5 Collision Rogue Certificate – Coda
- June 2012: Microsoft stated Flame malware "used a cryptographic collision attack in combination with the terminal server licensing service certificates to sign code as if it came from Microsoft"
- SRD blog reported "signature algorithm on this certificate was md5RSA" with "validity periods and certificate serial numbers that could be predicted with high probability"
- Did you know: MD5 is broken?

23 OWASP Public Service Announcement
- Microsoft to ban < 1024-bit RSA keys in August: 12/rsa-keys-under-1024-bits-are-blocked.aspx
- 512-bit RSA keys rumored to have been factored (meaning the attacker determines the private key from the public key) and used in attacks in : certificates-abused-in-the-wild/

24 OWASP Debian Weak SSL Keys

25 OWASP Debian Weak SSL Keys
In May 2006, a Debian developer commented out a line of OpenSSL code:

    static void ssleay_rand_add(const void *buf, int num, double add)
    {
        ...
        MD_Init(&m);
        MD_Update(&m,local_md,MD_DIGEST_LENGTH);
        ...
        MD_Update(&m,buf,j);   /* the line that was commented out: mixes the caller's entropy (buf) into the pool */
        MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
        MD_Final(&m,local_md);

The change was accepted and shipped. In May 2008, someone realized there was an issue…

26 OWASP Debian Weak SSL Keys – Before and After

27 OWASP Debian Weak SSL Keys – Before and After
Number of possible 1024-bit RSA keys:
Before: 7,666,726,705,127,208,895,288,919,735,890,970,459,757,624,643,589,421,069,830,971,849,657,209,631,459,735,242,109,416,344,392,422,976,093,333,584,038,500,684,593,076,852,885,189,507,438,580,455,743,147,134,485,294,679,832,330,915,083,423,208,473,608,681,157,031,292,292,705,768,087,781,588,880,163,985,620,734,654,395,339,047,311,829,034,293,966,831,987,336,710,942,003,535,010,235,278,994,988,677,963,820 +/-
After: 98,301

28 OWASP Debian Weak SSL Keys – How Bad?
With the crippled PRNG, the number of possible keys is:
    32,767 possible process IDs × 3 OpenSSL .rnd file states = 98,301 keys
    per arch (x86, x64, PowerPC, etc.) per key size (512, 1024, 2048, etc.)
Feasible to build a database of all possible keys: know the public key → look up the private key

29 OWASP Debian Weak SSL Keys – Repercussions
- All keys generated by the affected build are weak: Debian OpenSSL over a roughly two-year period
- GnuPG unaffected (doesn't use OpenSSL)
- SSL/TLS communications negotiated using a weak key can be decrypted, forever: changing your key doesn't delete my .pcap
- SSH accounts using public-key authentication with a weak key can be accessed

30 OWASP Debian Weak SSL Keys – Demo

31 OWASP Insufficient RSA Key Randomness

32 OWASP Insufficient RSA Key Randomness
- ~0.2% of RSA keys on the Web share a factor
- An RSA key has two secret, random prime factors
- If any two public keys share a prime factor, both private keys can be compromised

33 OWASP Insufficient RSA Key Randomness – How
- Public key n = secret prime p × secret prime q
- Let n1 = p1 × q1 and n2 = p2 × q2
- If p1 = p2, then n1 and n2 share a divisor (p)
- Compute GCD(n1, n2) = p (way faster than factoring)
- n1 ÷ p = q1, n2 ÷ p = q2
- We can now compute both private keys, given only two public keys related by coincidence
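The slide's recovery steps carried through in Python, as an added example (not from the talk): two constructed moduli that share a prime, the GCD that exposes it, both private exponents rebuilt from nothing but the public moduli, and a pairwise-GCD scan a defender can run over a collected set of keys. The primes are small Mersenne primes chosen for speed and are assumptions, nowhere near real key sizes.

```python
from math import gcd

# Constructed Mersenne primes, far smaller than real key sizes; illustration only.
P_SHARED = 2**61 - 1   # the prime both keys happen to share
Q1 = 2**31 - 1         # second prime of key 1
Q2 = 2**19 - 1         # second prime of key 2
E = 65537

def private_exponent(p, q, e=E):
    """Textbook RSA: d = e^-1 mod lcm(p-1, q-1)."""
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)
    return pow(e, -1, lam)

def shared_factor(n1, n2):
    """GCD of two public moduli; a result strictly between 1 and n1 is a leaked prime."""
    g = gcd(n1, n2)
    return g if 1 < g < n1 else None

def recover_keys(n1, n2, e=E):
    """Given only two public moduli with a common prime, rebuild both private
    exponents: p = GCD(n1, n2), q1 = n1 / p, q2 = n2 / p."""
    p = shared_factor(n1, n2)
    if p is None:
        return None
    return private_exponent(p, n1 // p, e), private_exponent(p, n2 // p, e)

def roundtrip(m, n, e, d):
    """Encrypt with the public key, decrypt with the recovered private exponent."""
    return pow(pow(m, e, n), d, n) == m

def scan_for_shared_factors(moduli):
    """Defender's check over collected public moduli: pairwise GCD, returning
    index pairs of keys that share a prime (quadratic, fine for a key fleet)."""
    hits = []
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            if shared_factor(moduli[i], moduli[j]):
                hits.append((i, j))
    return hits

if __name__ == "__main__":
    n1, n2 = P_SHARED * Q1, P_SHARED * Q2
    d1, d2 = recover_keys(n1, n2)
    print("shared prime:", shared_factor(n1, n2))
    print("key 1 roundtrip:", roundtrip(123456789, n1, E, d1))
    print("key 2 roundtrip:", roundtrip(987654321, n2, E, d2))
```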

34 OWASP Insufficient RSA Key Randomness – Where
- 11.4 million RSA public keys collected: mostly SSL certificates, some PGP keys
- EFF SSL Observatory: 7.2 million SSL certs; 26,965 (~0.2%) shared a prime factor
- This did not seem to be related to the Debian issue

35 OWASP Insufficient RSA Key Randomness – Why?
- No one knows for sure… likely poor PRNG seeding
- Hypothesized that the first prime is weak (low entropy), the second is more random due to entropy accumulated in the process → distinct key (p × q1), but breakable when GCD'ed with another key (p × q2) that happens to share the first prime
- One study found embedded devices most affected
- "Ron was wrong, Whit is right"? Ronald Rivest – RSA, key uses two secrets; Whitfield Diffie – DH, key uses one secret

36 OWASP Insufficient RSA Key Randomness – Demo

37 OWASP Insufficient RSA Key Randomness – Fix So what can you do about this? Nothing.

38 OWASP BEAST Client-Side SSL Attack

39 OWASP BEAST – Overview
- BEAST: Browser Exploit Against SSL/TLS
- Long-recognized vulnerability, finally exploited
- Impact: decrypt cookies sent via HTTPS
- Attack requires:
  - Man-in-the-Middle between victim and Internet
  - Agent in victim's browser (JavaScript, Java, etc.) able to send a cookie-bearing request and append to it indefinitely
  - Cipher Block Chaining encryption algorithm for HTTPS (3DES, AES, IDEA, RC2, etc.; not RC4)

40 OWASP About Block Ciphers
- N plaintext bytes → N ciphertext bytes; N = block size, usually 8 or 16
- Same plaintext → same ciphertext (if same key)
- Electronic Codebook (ECB) mode:
    Plaintext:  Their Su | rrogate  | may inte | rrogate
    Ciphertext: RGVyZWtX | c25lYWt5 | YXNIZXJl | c25lYWt5
- Cipher Block Chaining (CBC) scrambles each plaintext block using the previous ciphertext block:
    Plaintext:  Their Su
    Ciphertext: RGVyZWtX | SE9BSXQn | c0FsbENo | YW5nZWQh | IlNjcmFt | YmxlIj1YT1IgKF4p

41 OWASP BEAST – The Attack
- BEAST controls part of the HTTP request (the path) via the in-browser agent, and wants to decrypt cookies
- "Blockwise Chosen-Boundary Attack" (BCBA) to obtain one byte of the cookies at a time:
  1. Insert bytes to shift the alignment of blocks, so that one block is [(N-1) known bytes + 1 unknown byte]
  2. Agent sends guesses until encrypted guess = encrypted [(N-1) known bytes + 1 unknown byte]
  3. Now that the unknown byte is known, repeat for the next unknown byte

42 OWASP BEAST – BCBA HTTP Requests
Each request shown split into 8-byte blocks (←↓ = CR LF, □ = space); varying the path length shifts which cookie byte ends up alone at the end of a block:
    POST /AA | AAAA HTT | P/1.1←↓C
    POST /AA | AAA HTTP | /1.1←↓Co
    POST /AA | AA HTTP/ | 1.1←↓Coo
    POST /AA | A HTTP/1 | .1←↓Cook
    POST /AA |  HTTP/1. | 1←↓Cooki
    POST /A  | HTTP/1.1 | ←↓Cookie
    POST /AA | AAAAAA H | TTP/1.1← | ↓Cookie:
    POST /AA | AAAAA HT | TP/1.1←↓ | Cookie: □
    POST /AA | AAAA HTT | P/1.1←↓C | ookie: L
    POST /AA | AAA HTTP | /1.1←↓Co | okie: LA

43 OWASP BEAST – The Attack (2)
- BEAST Man-in-the-Middle sees the ciphertext
- Essential to the attack: BEAST must pre-scramble each guess plaintext to cancel out the CBC scramblings (remember: CBC scrambles plaintext using ciphertext)
- BEAST attack in full:
  1. Agent sends partial request containing BCBA bytes
  2. MitM sees ciphertext, tells agent what to guess
  3. Agent appends guess to request body
  4. Repeat at Step 2 until the unknown byte is guessed
  5. Repeat at Step 1 until all cookie bytes are guessed

44 OWASP From the BEAST's mouth...

45 OWASP BEAST – The Catch
- Many ways to send cookie-bearing requests: JavaScript, Flash, HTML5, Java, Silverlight
- But fewer work for appending to the request: JavaScript, Flash, HTML5, Java, Silverlight
- BEAST authors used Java, but needed a Same-Origin Policy bypass zero-day for the agent to work; presumably Oracle has patched this by now
- Victim must run the BEAST agent while logged in
- My take: great research, real vulnerability, but not as serious as the browser-vuln-of-the-week

46 OWASP Padding Oracle Decryption

47 OWASP About Padding Oracles
- "Padding oracle" has nothing to do with [image]; it's referring to this oracle [image]
- Padding: block ciphers operate on N-byte blocks; plaintext may not be a multiple of N bytes
- PKCS#5 padding: pad the last block with bytes containing the padding count (1-N), e.g.,

48 OWASP About Padding Oracles (2)
Oracle: responds to questions with crypt[ograph]ic answers based on supranormal knowledge
Padding oracle:
    Q: Does this decrypt with correct padding? c25lYWt5 YW5nZWQh
    A: No.
    Q: How about this one? c25lYWt4 YW5nZWQh
    A: No.
    ...
    Q: How about this one? c25lYWtX YW5nZWQh
    A: Yes.
    Q: kthxbai~ ^o^

49 OWASP About Padding Oracles (3)
Believe it or not, that's dangerous information. Here's ASP.NET being obvious about it: [image]
But really, any difference indicating decryption failure will suffice.

50 OWASP Padding Oracle Attack
"Security Flaws Induced by CBC Padding" (Vaudenay, 2002):
- Attacker has ciphertext blocks he wants to decrypt, sends crafted guesses to the vulnerable server
- Server decrypts the guesses (into garbage, but that doesn't matter) and checks for valid padding:
  - One or two decrypted guesses will look correctly padded
  - The rest (≤ 255) will have invalid padding
- Padding oracle indicates which is which to the attacker → this lets the attacker determine a byte of plaintext
- Attacker tweaks guesses to guess the next byte; repeat
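An added example (not the talk's code) of the oracle described on slides 47-50 and of the fix that removes it: PKCS#5 padding, CBC, a server function that answers "did this decrypt with valid padding?", and an encrypt-then-MAC wrapper that rejects every tampered ciphertext the same way before any padding is examined. The block cipher is a constructed 4-round Feistel permutation built from keyed SHA-256 so the code runs with the standard library; it stands in for AES and is an assumption, as are the keys, IV and message used in the usage note.

```python
import hashlib, hmac

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, rnd, half):  # keyed round function of the toy cipher
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]
def _block(key, blk, decrypt=False):  # toy 4-round Feistel; stands in for AES
    l, r = (blk[8:], blk[:8]) if decrypt else (blk[:8], blk[8:])
    for rnd in (reversed(range(4)) if decrypt else range(4)):
        l, r = r, _xor(l, _f(key, rnd, r))
    return r + l if decrypt else l + r

def pad(data):  # PKCS#5: append n bytes of value n, 1 <= n <= BLOCK
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n
def unpad(data):  # the check whose outcome a padding oracle leaks
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, pt):  # returns iv || ciphertext blocks
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = _block(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return iv + out
def cbc_decrypt(key, ct):  # plaintext block i = D(C_i) xor C_(i-1)
    out, prev = b"", ct[:BLOCK]
    for i in range(BLOCK, len(ct), BLOCK):
        out += _xor(_block(key, ct[i:i + BLOCK], True), prev)
        prev = ct[i:i + BLOCK]
    return out

def padding_oracle(key, ct):  # vulnerable server: its answer reveals padding validity
    try:
        return unpad(cbc_decrypt(key, ct)) is not None
    except ValueError:
        return False

def seal(key, mac_key, iv, pt):  # hardened: encrypt-then-MAC over iv || ciphertext
    ct = cbc_encrypt(key, iv, pad(pt))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()
def open_sealed(key, mac_key, blob):  # constant-time MAC check before padding is touched
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    return unpad(cbc_decrypt(key, ct))
```

With a 10-byte message the padded block ends in six 0x06 bytes; flipping the last IV byte with 0x07 turns the last plaintext byte into 0x01 (valid padding, oracle says yes) while flipping it with 0x01 gives 0x07 beside 0x06 neighbours (invalid, oracle says no), whereas open_sealed returns None for both.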

51 OWASP CBC Padding Oracle Attack Illustrated
[Diagram: the attacker sends a control block in place of the previous ciphertext block together with the target ciphertext block; the server decrypts it (the original scrambled plaintext becomes doubly scrambled plaintext) and answers "Is padding valid?" Yes / No (X)]

52 OWASP Padding Oracle Attack – ASP.NET
- WebResource.axd and ScriptResource.axd: used to retrieve resources in a way that should be opaque to the user; e.g.:
- Encrypted d= string refers to these files when decrypted: Q|~/Scripts/Script1.js,~/Scripts/Script2.js,~/Scripts/Script3.js|#|21c38a3a9b
- Other possibilities in .NET 3.5+, e.g., r#...|||~/Web.config
- Did I mention that the padding oracle can be used for encryption as well as decryption?

53 OWASP Padding Oracle Attack – ASP.NET Demo

54 OWASP Padding Oracle Attack – Whose Problem?
- ASP.NET: ASP.NET itself, read arbitrary files; DotNetNuke, remote code execution
- Ruby on Rails
- Some captchas
- JavaServer Faces

55 OWASP Conclusion

56 OWASP Recap
- Hash collision denial of service (Dec. 2011)
- MD5 collision rogue cert. (July – Dec. 2008)
- Debian weak SSL keys (Sept – May 2008)
- Insuff. key randomness (Dec – Feb. 2012)
- BEAST client-side SSL attack (Sept. – Dec. 2011)
- Padding oracle decryption (Apr. – Sept. 2010)

57 OWASP Conclusion
- Uses fancy math ≠ safe
- As easy bugs decline, attackers are driven toward more exotic bugs where developers' security understanding is weaker
- Solutions:
  - Enable automatic updates for everything
  - Don't use MD5 for authentication (psst... it's broken)
  - Try to only use keys generated on a trusted, high-entropy system; get used to replacing keys

58 OWASP Questions? Derek Soeder Ridgeway Internet Security, L.L.C.

