Technology sharing-reinterpreting the Padding Oracle attack in CBC (how to break through HTTPS ?)

Technology sharing-reinterpreting the Padding Oracle attack in CBC (how to break through HTTPS ?)

 

 

Why is it another explanation? Currently, the introduction of the Padding Oracle attack is based on this foreign language. However, this article does not mention a key question, that is, how to confirm the number of Padding digits, which makes many real readers have great doubts. This is also true for me. Therefore, I want to sort out my ideas.

1. group password and fill

Common symmetric encryption algorithms, such as DES and AES, can only encrypt data with the same length as the key when encrypting data with a key. For ultra-long data, we need to split it into blocks. This poses a problem. The last block may not be "aligned" with the key (Of course, this also includes the situation where the original data is actually shorter than the key ). This requires some data to fill in the last few digits. The common Filling Algorithm is PKCS #5. In data filling, the missing length of digits is used for uniform filling. If this is difficult to say, you can understand:

 

That is, if there are five missing digits, fill them with 0x05. If there are two missing digits, fill them with 0x02. If it is just right, expand a block and fill them with 0x08.

2. initial vector and CBC encryption and decryption process

If each block is encrypted with the same key, it is easy to use the statistical principle to analyze and crack the ciphertext (the principle is roughly as if e letters appear frequently in English words, therefore, through statistical analysis, we may probably guess that X represents e. Therefore, an initial vector is introduced in the CBC encryption process to enable the encryption key of each block, both of them include the feedback of the ciphertext of the previous block, which solves the problem of Statistical attacks. It is easy to understand, because only one exclusive or operation is involved, so it is not explained. The Encryption/Decryption is where the Encryption algorithm is located. However, the Padding Oracle attack just avoids the implementation details of this section, so you can ignore the rule box,

 

The solution to the puzzle is an anti-process.

 

Therefore, in addition to exchanging ciphertext, both parties also need to exchange the initial vector.

3. Padding Oracle attack Conditions

Not all services using CBC have vulnerabilities. We can imagine the following vulnerability server that can be exploited to explain its features: For requests, there will be the following feedback:

1. If the decryption process is normal and the plaintext authentication (such as user name and password verification) is also passed, the normal HTTP 200 is returned.

2. If there is no problem in the decryption process, but an error occurs in plaintext verification (such as username and password verification), HTTP 200 will still be returned, but the content prompts that the user name and password are incorrect.

3. If the decryption process goes wrong, for example, if the Padding rule cannot be checked, an HTTP 500 error occurs.

This example is just to show that the server that can be used is characterized by a special error message for exceptions in the decryption process, which is different from an error in plaintext verification.

4. Padding Oracle Attack Process

This example still follows the example in this foreign language.

Assume that a service request is as follows:http://sampleapp/home.jsp?UID=7B216A634951170FF851D6CC68FC9537858795A28ED4AAC6, Note that the first 8 bytes7B216A634951170FIs the initialization vector.

Let's take a look at how such a service encrypts and decrypts a string.BARIN;12;1(The encryption itself uses 3DES, but this is not the focus of the problem, you can ignore it ).

 

The decryption process is as follows:

 

Note:The final Padding is validated.

Through the decryption process, we can see that the initialization vector can be known. If we know the median value, that isIntermediary ValueWhen you do not need to know the encryption process, you can know what the plaintext is by simply exclusive or. Even, we can use the median to simulate arbitrary plaintext fields for brute force attacks.

Now suppose there is a man-in-the-middle who intercepts the packet, so it can do this: first, when sending a request to the server, set all the Initialization vectors to 0 × 00, only the first block is retained, and the final packet ishttp://sampleapp/home.jsp?UID=0000000000000000F851D6CC68FC9537. The decryption process is as follows:

 

Because the final filling check is incorrect, the server reports an error of HTTP 500.

Then, the man-in-the-middle increments the initial vector by 1 and useshttp://sampleapp/home.jsp?UID=0000000000000001F851D6CC68FC9537An error is also true if you try it out.

 

Because of the fixed median value, that is,Intermediary ValueWhen there is a byte that is inconsistent with it, the Padding is 0 × 01 to satisfy the Padding rule. Therefore, as we continuously test, there must be an initial vector to make the last Padding rule meet the conditions, as shown in000000000000003C,

 

However, there is a problem here, which is not analyzed in several other articles. I will continue to explain it here.

Is it true that when we increase the last bit of the initial vector, if the server returns 200, the last bit of Padding is 0 × 01 ?? The answer is not

For example, when the last two digits of the median are0x02 0x00And the last two digits of the initial vector we test are0x00 0x02That is, the last part of the probe is0x02The last two digits of the final Padding are0x02 0x02And must also meet the Padding rules. Of course, the server will return 200. It can be seen that the final Padding cannot be confirmed as 0 × 01 only by increasing the last bit and testing whether the server returns 200.

So how can we confirm it? Observe the XOR process. We can see that if the padding value is 0 × 01, what is the second-to-last position does not affect the server test result (because it changes the second-to-last position, if the decoded plaintext is changed, the plaintext verification process is abnormal, but the decryption process is normal.) At this time, the server returns 200. However, if Padding is0x02 0x02, The second to last digit is changed, causing decryption exceptions. The server returns 500. Therefore, the last two digits of the test confirm that the Padding obtained during the test is 0 × 01.

With the final position of the fixed initial vector and the final position of the fixed Padding 0 × 01, we can release the final position of the fixed median.

Then, we hit the last two digits of Padding.0x02 0x02To test the second digit of the Intermediate Value. Here is a tip to note, because the last digit of the median has been collided, And the last digit of the Padding is 0 × 02, it is bound that the last bit of the initial vector is also fixed (that is, a simple exclusive or). Therefore, what we need to increment is the penultimate bit of the initial vector,

 

So far, we can finally confirm all the median values.

 

As mentioned above, with the intermediate values of confirmation and known Initialization vectors, we can know the plaintext of the first block. We can test the plain text of all the blocks.

5. About the Padding Oracle AttacK Defense of CBC in HTTPS

In HTTPS, how can we prevent CBC attacks. The answer is to disable SSLv3. However, for browser compatibility (for example, IE6 only supports SSLv3), the following CipherSuite can be disabled if SSLv3 cannot be abolished.

IDEA-CBC-SHA, EXP-DES-CBC-SHA, DES-CBC-SHA, DES-CBC3-SHA, EXP-DH-DSS-DES-CBC-SHA, DH-DSS-DES-CBC-SHA, DH-DSS-DES-CBC3-SHA, EXP-DH-RSA-DES-CBC-SHA, DH-RSA-DES-CBC-SHA, DH-RSA-DES-CBC3-SHA, EXP-DHE-DSS-DES-CBC-SHA, DHE-DSS-CBC-SHA, DHE-DSS-DES-CBC3-SHA, EXP-DHE-RSA-DES-CBC-SHA, DHE-RSA-DES-CBC-SHA, DHE-RSA-DES-CBC3-SHA, EXP-ADH-DES-CBC-SHA, ADH-DES-CBC-SHA, ADH-DES-CBC3-SHA, IDEA-CBC-SHA, EXP-DES-CBC-SHA, DES-CBC-SHA, DES-CBC3-SHA, EXP-DHE-DSS-DES-CBC-SHA, DHE-DSS-CBC-SHA, DHE-DSS-DES-CBC3-SHA, EXP-DHE-RSA-DES-CBC-SHA, DHE-RSA-DES-CBC-SHA, DHE-RSA-DES-CBC3-SHA, ADH-DES-CBC-SHA, ADH-DES-CBC3-SHA, AES128-SHA, AES256-SHA, DH-DSS-AES128-SHA, DH-DSS-AES256-SHA, DH-RSA-AES128-SHA, DH-RSA-AES256-SHA, DHE-DSS-AES128-SHA, DHE-RSA-AES128-SHA, DHE-RSA-AES256-SHA, ADH-AES128-SHA, ADH-AES256-SHA

Note,Not all contain the word "CBC", but some do not.

For more information, see this article.

6. Conclusion

First of all, I would like to thank users of the V2EX forum for their discussion. It is precisely because of the communication between them that I have figured out a very important point in the Padding Oracle attack: the confirmation of the Padding length.

Part of this article is from this article and its original article. I have added a chapter that I personally think is very important, that is, the confirmation of the Padding length just mentioned.