
Crypto weakness in popular Web Applications

OWASP AppSec Beijing/Asia 2011. Crypto weakness in popular Web Applications. Hanqin Wu, Aliyun.com, axis@ph4nt0m.org.


Presentation Transcript


  1. OWASP AppSec Beijing/Asia 2011
     Crypto weakness in popular Web Applications
     • Hanqin Wu
     • Aliyun.com
     • axis@ph4nt0m.org

  2. About Me
     • 2001 Founder of “Ph4nt0m”
     • 2005 joined Alibaba Corp.
     • 2008 joined aliyun.com
     • t.qq.com/aullik5
     • Blog: hi.baidu.com/aullik5
     • Book:《完美防线》

  3. Crypto in pentesting
     • ctk=moVQoAbeoXAtdR3BHGRFVA&chk=50f059614bb2977a9dda630cd727277a-50067753
     • ID=5bfb08d687b3dee5:T=1303616991:S=ALNI_MZ46CtBJfBaUSGkdUlJmLEyTfwgPQ
     • http://passport.baidu.com/center?auth=ead603c8bb7d4ea68f2812a497aa7f5c40c6eb438b3da9e1d8b5b3de6a82f30b7a3b

  4. Cipher analysis: encoding
     • Base64:
     • Hex:
       ead603c8bb7d4e……
       = \xea\xd6\x04\xc8\xbb\x7d\x4e……

  5. Cipher analysis: cipher length
     • Stream cipher: arbitrary length
     • Block cipher: length is a multiple of the block size

  6. Cipher analysis: cipher mode
     • ECB mode:
       change 1 byte in plaintext → 1 block changed in ciphertext
     • CBC mode:
       change 1 byte in plaintext → whole ciphertext changed (from that block onward)
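Slides 4 to 6 describe the triage a pentester does by hand on an opaque cookie: undo the transport encoding, look at the decoded length, and look for repeated blocks. The script below is an added example, not from the talk, that automates those three checks so the same review can be run against an application's own tokens. The token samples used in the `__main__` block are constructed; the hex/base64 detection is a heuristic (a short base64 string made only of hex digits would be misread), so the decoded length is reported for a sanity check.

```python
import base64
import re
from collections import Counter

HEX_RE = re.compile(r'[0-9a-fA-F]+')


def decode_token(token: str) -> bytes:
    """Undo the transport encoding (slide 4).

    An even-length string drawn only from [0-9a-fA-F] is treated as hex;
    anything else as standard or URL-safe base64 with '=' padding restored.
    Non-alphabet characters raise, so a mangled token is not silently decoded.
    """
    if len(token) % 2 == 0 and HEX_RE.fullmatch(token):
        return bytes.fromhex(token)
    b64 = token.replace('-', '+').replace('_', '/')
    b64 += '=' * (-len(b64) % 4)
    return base64.b64decode(b64, validate=True)


def candidate_block_sizes(n: int) -> list:
    """Slide 5: block-cipher output is a multiple of the block size (8 for DES/Blowfish, 16 for AES)."""
    return [bs for bs in (8, 16) if n % bs == 0]


def repeated_block_count(data: bytes, bs: int) -> int:
    """Slide 6: ECB maps equal plaintext blocks to equal ciphertext blocks, so count duplicates."""
    blocks = [data[i:i + bs] for i in range(0, len(data) - len(data) % bs, bs)]
    return sum(c - 1 for c in Counter(blocks).values())


def triage(token: str) -> dict:
    raw = decode_token(token)
    sizes = candidate_block_sizes(len(raw))
    repeats = {bs: repeated_block_count(raw, bs) for bs in sizes}
    if not sizes:
        verdict = 'stream cipher or unpadded/raw data'
    elif any(repeats.values()):
        verdict = 'block cipher, repeated blocks: ECB mode likely'
    else:
        verdict = 'block cipher, no repeated blocks: CBC or another chained mode'
    return {'length': len(raw), 'block_sizes': sizes,
            'repeated_blocks': repeats, 'verdict': verdict}


if __name__ == '__main__':
    # Constructed sample: three 16-byte blocks, the first two identical (what ECB produces
    # for two identical plaintext blocks).
    sample = ('3ad77bb40d7a3660a89ecaf32466ef97' * 2) + 'f5d3d58503b9699de785895a96fdbaaf'
    print(triage(sample))
```

A repeated-block count above zero on a production cookie is a finding on its own: it means equal fields encrypt to equal bytes and the token can be cut and pasted block by block.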

  7. In developer’s mind
     • Third-party crypto library
     • Performance
     • Security: only key length

  8. Failures
     • Using a hash algorithm instead of encryption
     • No “salts” when using a hash algorithm
     • Using “time” instead of a random number
     • Lack of knowledge about crypto
     • ……

  9. Crypto introduction

  10. Basics in crypto
     • IV: init vector
     • mode: ECB, CBC, CFB, OFB, CTR
     • block size
     • KEY

  11. Attack block cipher

  12. ECB mode

  13. Attack ECB mode

  14. CBC mode

  15. Padding Oracle
     • Padding: PKCS#5
     • Oracle
     • Like “blind injection”
     • “side channel attack”
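Slide 15 names PKCS#5 padding and an oracle without spelling out either. As an added example (not from the talk), here is PKCS#5 padding and un-padding in Python, with a single error type for every failure, plus a helper that counts how many final-byte values a padding check accepts. That count is the one bit a decryptor leaks per query when it reports padding failures differently from other failures, which is why the defence is to verify the HMAC first (slide 31) and to return one indistinguishable error for everything. The sample inputs are constructed.

```python
BLOCK_SIZE = 8  # PKCS#5 is PKCS#7 fixed at the 8-byte block size of DES/Blowfish


class PaddingError(ValueError):
    """One error type for every way padding can be wrong."""


def pkcs5_pad(data: bytes, bs: int = BLOCK_SIZE) -> bytes:
    # Always append 1..bs bytes, each equal to the pad length; a full final block
    # gets a whole extra block of pad so unpadding is never ambiguous.
    n = bs - len(data) % bs
    return data + bytes([n]) * n


def pkcs5_unpad(data: bytes, bs: int = BLOCK_SIZE) -> bytes:
    # Every condition raises the same error so a caller cannot tell which check failed.
    if not data or len(data) % bs:
        raise PaddingError
    n = data[-1]
    if n < 1 or n > bs or data[-n:] != bytes([n]) * n:  # check all pad bytes, not just the last
        raise PaddingError
    return data[:-n]


def padding_valid(data: bytes, bs: int = BLOCK_SIZE) -> bool:
    """Boolean view of the check above: exactly what an oracle exposes."""
    try:
        pkcs5_unpad(data, bs)
        return True
    except PaddingError:
        return False


def valid_last_bytes(prefix: bytes, bs: int = BLOCK_SIZE) -> list:
    """Which of the 256 possible final bytes make prefix + byte valid padding.

    Usually only 0x01 (a 1-in-256 signal); 0x02, 0x03, ... also qualify when the
    preceding bytes already match a longer pad. A decryptor that answers this
    question per query, by error message or timing, is the oracle of slide 15.
    """
    return [b for b in range(256) if padding_valid(prefix + bytes([b]), bs)]


if __name__ == '__main__':
    padded = pkcs5_pad(b'abc')                   # constructed input
    print(padded, pkcs5_unpad(padded))
    print(valid_last_bytes(b'\x00' * 7))         # [1]
    print(valid_last_bytes(b'\x00' * 5 + b'\x03\x03'))  # [1, 3]
```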

  16. Attack stream cipher

  17. Stream cipher

  18. Reused Key Attack
      E(A) = A xor C
      E(B) = B xor C
      E(A) xor E(B) = (A xor C) xor (B xor C)
                    = A xor B xor C xor C
                    = A xor B
      ⇒ E(A) xor E(B) = A xor B

  19. PHPWind StrCode()
      Repeating-key XOR: the key index wraps with $i % $keyLen, so every string is XORed with the same keystream.
      $strLen = strlen($string);
      $keyLen = strlen($key);
      $code = '';
      for ($i = 0; $i < $strLen; $i++) {
          $k = $i % $keyLen;                 // key byte index wraps around
          $code .= $string[$i] ^ $key[$k];   // same key byte at position $i for every message
      }

  20. PHPWind captcha generation
      ck.php, chars:
      $list = 'BCEFGHJKMPQRTVWXY2346789';
      Cookie plaintext: "1315107631" . "\t\t" . md5("73669" . "1315107631")
      i.e. timestamp . "\t\t" . md5(captcha . timestamp)

  21. Gain captcha

  22. Set-Cookie

  23. Crack captcha
      • known:
        plaintext1 = time1 + md5(captcha1 + time1) = A
        ciphertext1 = E(A)
        ciphertext2 = E(B)
      • want:
        plaintext2 = time2 + md5(captcha2 + time2) = B
        B = A ⊕ E(A) ⊕ E(B)
      • then MD5 Rainbow Table!

  24. Crack It!

  25. Bit-flipping Attack
      E(A) xor E(B) = A xor B
      A xor E(A) xor B = E(B)

  26. Captcha never expired
      • Global.php: gdconfirm()
      • Common.php: safecheck()

  27. construct
      • Bit-flipping Attack:
        A xor E(A) xor B = E(B)
      • Never expired time:
        $timestamp - $cookieData[0] < 0

  28. POC

  29. Discuz! authcode()
      • $keyc: IV
      • $ckey_length: IV length
      • $keya: xor key
      • $keyb: HMAC key

  30. authcode() analysis: IV
      • 79uz_d57e_auth=d08fwJQZGV/999z5qNLk5OIofp9dd2qDkWXVeg1RFQGwKicuAMaih5M5aefx0ycOfLAc2jtZL/y3J7TpUh2GsAPl;
      • Decrypted layout: 000000000067c38ee9eca0b04dccccbbbb
        timestamp (10 bytes) | HMAC (16 bytes) | plaintext (xx bytes)

  31. authcode() security consideration
      • Reused Key Attack:
        IV makes the xor key change every time
        XOR_KEY = fn(IV, KEY)
      • Bit-flipping Attack:
        HMAC defends against forgery
        HMAC = fn(Plaintext, KEY)
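Slides 18, 19, 25 and 31 together explain why a StrCode()-style cookie is both readable and forgeable without the key, and what the authcode() design adds. The following is an added example, not code from PHPWind or Discuz!: a Python port of the slide 19 XOR loop, the two identities from slides 18 and 25 checked on constructed cookies in the slide 20 layout, and a model of the slide 31 design (keystream derived from IV and key, HMAC under a separate key) that rejects any flipped byte. The model's choices are mine, not the talk's: SHA-256 in counter mode for the keystream, a 16-byte random IV, and HMAC-SHA256 computed over IV and ciphertext (encrypt-then-MAC, so the tag is checked before any decryption). Key values are constructed.

```python
import hashlib
import hmac
import os


def str_code(data: bytes, key: bytes) -> bytes:
    """Port of the PHPWind StrCode() loop on slide 19: repeating-key XOR.

    The keystream (the key repeated) is the same for every message; it is the
    'C' of slide 18. XOR is its own inverse, so the same call decrypts.
    """
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def recover_other_plaintext(a: bytes, e_a: bytes, e_b: bytes) -> bytes:
    """Slide 18: E(A) xor E(B) = A xor B, hence B = A xor E(A) xor E(B)."""
    return xor_bytes(xor_bytes(a, e_a), e_b)


def forge_ciphertext(a: bytes, e_a: bytes, b: bytes) -> bytes:
    """Slide 25: A xor E(A) xor B = E(B); one known pair yields any E(B) of the same length."""
    return xor_bytes(xor_bytes(a, e_a), b)


# --- Model of the slide 31 design (assumptions: lengths, hash, encrypt-then-MAC) ---
IV_LEN = 16   # assumed; slide 32's point is that a 4-byte IV space is far too small
TAG_LEN = hashlib.sha256().digest_size


def _keystream(key_a: bytes, iv: bytes, n: int) -> bytes:
    """XOR_KEY = fn(IV, KEY): a fresh keystream per IV from SHA-256 over key, IV and a counter."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key_a + iv + counter.to_bytes(4, 'big')).digest()
        counter += 1
    return bytes(out[:n])


def seal(plaintext: bytes, key_a: bytes, key_b: bytes) -> bytes:
    """Random IV, IV-derived keystream, HMAC under a separate key (slide 40's advice)."""
    iv = os.urandom(IV_LEN)
    body = xor_bytes(plaintext, _keystream(key_a, iv, len(plaintext)))
    tag = hmac.new(key_b, iv + body, hashlib.sha256).digest()
    return iv + tag + body


def open_token(token: bytes, key_a: bytes, key_b: bytes):
    """Return the plaintext, or None when the tag does not verify (any flipped bit)."""
    if len(token) < IV_LEN + TAG_LEN:
        return None
    iv, tag, body = token[:IV_LEN], token[IV_LEN:IV_LEN + TAG_LEN], token[IV_LEN + TAG_LEN:]
    expected = hmac.new(key_b, iv + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    return xor_bytes(body, _keystream(key_a, iv, len(body)))


if __name__ == '__main__':
    # Constructed cookies in the slide 20 layout: timestamp, two tabs, an md5-shaped field.
    key = b'constructed-key'
    a = b'1315107631\t\t0123456789abcdef0123456789abcdef'
    b = b'1315107999\t\tfedcba9876543210fedcba9876543210'
    e_a, e_b = str_code(a, key), str_code(b, key)
    print(recover_other_plaintext(a, e_a, e_b) == b)        # True: B read without the key
    print(str_code(forge_ciphertext(a, e_a, b), key) == b)  # True: E(B) made without the key
    ka, kb = b'key-a' * 6, b'key-b' * 6
    t = seal(a, ka, kb)
    bad = bytearray(t)
    bad[-1] ^= 0x01
    print(open_token(t, ka, kb) == a, open_token(bytes(bad), ka, kb))  # True None
```

Two properties of the hardened half matter for review: sealing the same plaintext twice gives unrelated tokens because the keystream depends on the IV, so the slide 18 identity no longer holds across cookies, and the tag is bound to the IV as well as the body, so neither can be swapped in from another token.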

  32. authcode() weak IV
      • Default length of IV is 4 bytes
      • Collect an IV dict (a-z0-9):
        36^4 = 1,679,616 IVs
      • The same IV, the same xor key
      • -- in WEP cracking, the 24-bit IV space is exhausted in 5 hours

  33. POC:
      • known:
      • test: crack($cipher2) == $plaintext2

  34. POC:

  35. Collect ciphers and IVs

  36. Birthday Attack
      • The probabilities among 30 persons
      • Any one of them has a given specific birthday:
        1 − (364/365)^30 ≈ 7.9%
      • Any 2 have the same birthday:
        nearly 70%
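Slide 36 gives the two birthday figures and slide 32 gives the 36^4 IV space; the relation between them is how many cookies a reviewer should expect to collect before two carry the same IV and hence the same xor key. As an added example (not from the talk), the Python below carries the formulas through: the fixed-value probability, the exact any-two-collide product, and the number of draws needed to reach a chosen collision probability, applied to 365 birthdays, to the slide 32 IV space (alphabet a-z0-9, as the slide states) and to WEP's 24-bit IV space that the slide compares against.

```python
import math

IV_ALPHABET = 36               # a-z0-9, per slide 32
IV_SPACE = IV_ALPHABET ** 4    # default 4-byte IV: 1,679,616 possible values
WEP_IV_SPACE = 2 ** 24         # slide 32's comparison: WEP's 24-bit IV


def p_specific_match(n: int, space: int = 365) -> float:
    """Probability that at least one of n uniform draws equals one fixed value.

    For 30 people and one given date: 1 - (364/365)^30, about 7.9%.
    """
    return 1 - (1 - 1 / space) ** n


def p_any_collision(n: int, space: int = 365) -> float:
    """Probability that some two of n uniform draws coincide (the birthday bound), computed exactly."""
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (space - i) / space
    return 1 - p_distinct


def draws_for_collision(space: int, target: float = 0.5) -> int:
    """Smallest n with p_any_collision(n, space) >= target.

    Starts from the sqrt(2 N ln(1/(1-p))) approximation, then refines exactly.
    """
    n = max(2, int(math.sqrt(2 * space * math.log(1 / (1 - target)))))
    while p_any_collision(n, space) < target:
        n += 1
    while n > 2 and p_any_collision(n - 1, space) >= target:
        n -= 1
    return n


def iv_reuse_report(space: int, collected: int) -> dict:
    """For an IV space and a number of collected cookies: chance that an IV (and xor key) already repeats."""
    return {
        'iv_space': space,
        'cookies_collected': collected,
        'p_some_iv_repeated': round(p_any_collision(collected, space), 4),
        'cookies_for_50pct': draws_for_collision(space, 0.5),
    }


if __name__ == '__main__':
    print(round(p_specific_match(30), 4), round(p_any_collision(30), 4))  # slide 36's two numbers
    print(iv_reuse_report(IV_SPACE, 1000))
    print(iv_reuse_report(WEP_IV_SPACE, 1000))
```

The takeaway for the slide 32 setting: with a 36^4 IV space, on the order of fifteen hundred cookies make an IV repeat more likely than not, versus the 1.68 million needed to enumerate every IV, which is the gap between the exhaustion estimate and the birthday estimate.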

  37. Attack authcode()?
      • Reused Key Attack:
        IV makes the xor key change every time → brute-force the IVs
      • Bit-flipping Attack:
        HMAC defends against forgery → still safe

  38. Other attacks?
      • Discuz! get webshell:
        http://www.oldjun.com/blog/index.php/archives/76/
      • Phpcms cookie SQL injection:
        http://www.80vul.com/phpcms/phpcms_sys_auth.txt
      • ……

  39. Summary & Conclusion

  40. Advice
      • Do not use ECB mode
      • Do not use stream ciphers
      • Use AES-256 or Blowfish in CBC mode
      • Do not use the same key to do different things
      • Use a random IV
      • Use HMAC-SHA512 instead of MD5

  41. Thanks!
