Unauthenticated encryption in the wild
Carl Svensson
SEC-T 2017
September 12, 2017
1 About me
• Carl Svensson, 26
• MSc in Computer Science, KTH
• Head of Security, Kry
• CTF-player, HackingForSoju
• calle.svensson@zeta-two.com
• @zetatwo
• https://zeta-two.com
2 Cryptography in 30 seconds
• Transform data
• Maths, a lot of it
• Many possible goals
  • Confidentiality (Hide)
  • Integrity (Verify)
  • Authentication (Identify)
  • Non-Repudiation (No take-backsies)
• Modularity
3 AES - Very good, at one specific thing
• Block cipher
• Key
• Basic building block
• No known attacks*
4 Block cipher modes, when you have more data
5 Encryption is not authentication
• A priori, no way to differentiate
• Has to accept all ciphertexts
• Might be able to tell later
• The Cryptographic Doom Principle
6 Bit flipping attack
7 Example: Open redirect as a service
• https://link.a.com/AAAA/BBBBBBBBBBBBBBBBBBBBBB
• Known plaintext, just visit
• Edit link contents
• $x \oplus m_1 = m_2 \iff x = m_1 \oplus m_2$
8 Padding Oracle attack
• PKCS7 padding
• bool oracle(input) { ... }
• Differing error messages
• $x \oplus g = t \iff x = g \oplus t$
• $16 \cdot 256 \ll 256^{16}$
9 Example: Extracting secrets -> RCE
• Backup data
• File format: $\mathrm{Enc}_{K_m}(\mathit{key}_1) \,\|\, \mathrm{Enc}_{K_s}(\mathit{zipfile})$
• Padding Oracle -> Key -> Craft zip
• Zip relative paths -> RCE
10 What to do? Authenticate!
• Encryption AND authentication
• Message Authentication Code
• $\mathrm{HMAC}_k(\mathit{message}) = \mathit{tag}$
• $\mathrm{Verify}_k(\mathit{tag}, \mathit{message}) \in \{\mathrm{True}, \mathrm{False}\}$
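The relation x = m1 ⊕ m2 from the bit flipping slides and the HMAC check from this slide, put side by side as an added example (not code from the talk). It assumes a SHA-256 counter-mode keystream as a stand-in for AES in a stream mode, since the Python standard library has no AES; the function names and sample URLs are constructed for illustration.

```python
import hashlib, hmac, os

def keystream(key, nonce, n):
    # Assumption: SHA-256 in counter mode stands in for AES-CTR here.
    # Any XOR-keystream mode is malleable in exactly the same way.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def encrypt(enc_key, msg):
    nonce = os.urandom(16)
    return nonce + xor(msg, keystream(enc_key, nonce, len(msg)))

def decrypt(enc_key, blob):
    nonce, ct = blob[:16], blob[16:]
    return xor(ct, keystream(enc_key, nonce, len(ct)))

def seal(enc_key, mac_key, msg):
    # Encrypt-then-MAC: tag = HMAC_k(nonce || ciphertext), separate MAC key.
    blob = encrypt(enc_key, msg)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, sealed):
    blob, tag = sealed[:-32], sealed[-32:]
    expected = hmac.new(mac_key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # Verify_k(tag, message)
        raise ValueError("authentication failed")  # one error, before decrypting
    return decrypt(enc_key, blob)

def flip(blob, m1, m2):
    # x = m1 XOR m2, applied to the ciphertext bytes after the 16-byte nonce.
    x = xor(m1, m2)
    return blob[:16] + xor(blob[16:16 + len(x)], x) + blob[16 + len(x):]

def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    m1 = b"to=https://a.example/home"  # constructed known plaintext
    m2 = b"to=https://b.example/home"  # constructed, same length as m1
    unauth = decrypt(enc_key, flip(encrypt(enc_key, m1), m1, m2))
    try:
        open_sealed(enc_key, mac_key, flip(seal(enc_key, mac_key, m1), m1, m2))
        rejected = False
    except ValueError:
        rejected = True
    return unauth, rejected
```

`demo()` returns the altered plaintext accepted by the unauthenticated path and `True` for the sealed path, where the same modification fails the tag check before any decryption happens.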
10 Thanks for listening!