This presentation was on “Cryptography for Penetration Testers” and was by Chris Eng, the Senior Director of Security Research at VeraCode.<\/p>\n
The Premise<\/strong><\/span><\/p>\n How much do you really have to know about cryptography in order to detect and exploit crypto weaknesses in web apps.<\/p>\n Goals<\/strong><\/span><\/p>\n The Crypto that Matters in 6 Short Slides<\/p>\n Types of Ciphers<\/strong><\/span><\/p>\n Block Ciphers: Electronic Code Book (ECB) Mode<\/strong><\/span><\/p>\n Bliock Ciphers: Cipher Block Chaining (CBC) Mode<\/strong><\/span><\/p>\n Stream Ciphers<\/strong><\/span><\/p>\n Common Crypto Mistakes<\/strong><\/span><\/p>\n Analysis Techniques<\/strong><\/p>\n Dealing with Gibberish Data<\/strong><\/span><\/p>\n What do you do when you are pen testing a web application and you encounter data that is not easy to interpret?<\/p>\n How random is it?<\/p>\n Observe Characteristics<\/strong><\/span><\/p>\n Is the length a multiple of a common block size?<\/p>\n Is the length the same as a known hash algorithm?<\/p>\n Stimulus, Response<\/strong><\/span><\/p>\n Does the length of the token change based on the length of some value that you can supply?<\/p>\n For a block cipher, you can determine the block size by incrementing input one byte at a time and observing when the encrypted output length jumps by multiple bytes (ie, the block size)<\/p>\n How does the token change in response to user-supplied data?<\/p>\n Deeper Block Cipher Inspection<\/strong><\/span><\/p>\n Are there any blocks of data that seem to repeat in the same token or over multiple tokens?<\/p>\n EXAMPLE<\/strong><\/span><\/p>\n Context:\u00a0 A public-facing web portal for a large ISP.\u00a0 Used an encrypted cookie to authenticate identity.\u00a0 A new cookie is issued on each request.\u00a0 Base64 decoded EE cookies.\u00a0 Divided by 8 and found 8 byte blocks.\u00a0 Noticed some repetition in the same position.\u00a0 The only variable blocks are the last two (possibly a “last accessed” timestamp or similar timeout mechanism).\u00a0 Register a new account with a username of ‘c’ x 32, the maximum length permitted, and observe the value of the EE cookie.<\/p>\n ‘c’ x 32 is Perl notation for “cccccccccccccccccccccccccccccccc”<\/p>\n The token is longer, meaning the username is probably stored in the cookie.\u00a0 Still noticed repition in same position.\u00a0 Register another account with a username of ‘c’ x 16 and compare to the EE cookie generated in the previous step.\u00a0 Didn’t see two identical blocks for ‘c’ x 16 and four identical blocks for ‘c’ x 32.\u00a0 Reason is padding.\u00a0 The username doesn’t align perfectly with the block offset.\u00a0 Want to figure out what position in the cookie the usernaem is located.\u00a0 Additional user accounts were created with specific usernames in order to determine if there is any initial padding in the first block.\u00a0 Now you know where the username is in the ciphertext.<\/p>\n Able to successfully subvert the authentication mechanism without any knowledge of the algorithm or the key, based solely on observed patterns in the ciphertext.\u00a0 The root cause was the insecure cipher mode and the lack of a verification mechanism.\u00a0 ECB mode shoul dnot be used (use CBC instead).<\/p>\n EXAMPLE<\/strong><\/span><\/p>\n Token values observed in URLs.\u00a0 Changed every time we logged on to the application.\u00a0 Never the same for any two sessions or any two users.\u00a0 Base64 decoded values for several different “stmt” tokens.\u00a0 Statement numbers were displayed in the browser.\u00a0 Looked for correlations between statement number and cipher-text.\u00a0 Conclusion: It looks like a stream cipher.\u00a0 Use XOR to calculate 10 bytes of the keystream based on the known plain-text (ie. the statement number).\u00a0 Now try the same things against one of the other collected tokens, such as the one called “Ctxt”.\u00a0 Get ASCII text that allows you to infer what it would say.\u00a0 Expand it out more and more to get the keystream.\u00a0 Repeat over and over until you have enough of the key to figure out anything in the application.<\/p>\n Through this iterative process, we can obtain the entire keystream (or rather, a sufficient amount of the keystream to encrypt and decrypt all of the cipher-text we encounter).\u00a0 Can replace the statement number with another valid statement number and view the contents.<\/p>\n Able to subvert the encryption mechanism without any knowledge of the algorithm or the key based solely on observed patterns in the ciphertext.\u00a0 They were using RC4 with a unique key generated for each user session.\u00a0 Root cause of the vulnerability is the re-use of the keystream.<\/p>\n","protected":false},"excerpt":{"rendered":" This presentation was on “Cryptography for Penetration Testers” and was by Chris Eng, the Senior Director of Security Research at VeraCode. The Premise How much do you really have to know about cryptography in order to detect and exploit crypto weaknesses in web apps. Goals Learn basic techniques for identifying and analyzing cryptographic data Learn […]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[127,4],"tags":[76,128,186,12,158,622,187],"class_list":["post-127","post","type-post","status-publish","format-standard","hentry","category-owasp-appsec-nyc-2008","category-web-app-sec","tag-application","tag-appsec","tag-cryptography","tag-owasp","tag-penetration","tag-security","tag-testers"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/pfI0c-23","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/127","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/comments?post=127"}],"version-history":[{"count":1,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/127\/revisions"}],"predecessor-version":[{"id":128,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/posts\/127\/revisions\/128"}],"wp:attachment":[{"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/media?parent=127"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/categories?post=127"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.webadminblog.com\/index.php\/wp-json\/wp\/v2\/tags?post=127"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n
\n