Exploiting Cryptographic Misuse - An Example Dr. Dharma Ganesan, Ph.D.


Page 1: Exploiting Cryptographic Misuse - An Example

Exploiting Cryptographic Misuse - An Example

Dr. Dharma Ganesan, Ph.D.

Page 2: Exploiting Cryptographic Misuse - An Example

Disclaimer

● Opinions are my own and not the views of my employer

Page 3: Exploiting Cryptographic Misuse - An Example

Agenda and Goal

● Demonstrate a concrete attack on a small, non-trivial system
○ which (mis)uses cryptographic constructs
○ Part of an online Capture-the-Flag (CTF) Cryptography challenge
○ I try to play CTF if I have some free time during weekends
● Demonstrate how to attack a specific Cryptographic construct
○ OFB (Output Feedback) with Rijndael 256 as the underlying block cipher
○ More details on this later
● The goal of the hacker in this case is to become an admin
○ by carefully manipulating the ciphertext (i.e. encrypted text) as part of the user interface
● Conclusion
○ Some random thoughts on preventing this attack

Page 4: Exploiting Cryptographic Misuse - An Example

Prerequisites of this attack

● The attacker is given access to the source code of the system under attack
○ We will analyze the code shortly to identify the vulnerability and exploit it
○ The source code is in PHP, but the vulnerability is broadly applicable to other languages
● The attacker has a regular user account (but will escalate to admin)
● But the attacker is not given the cryptographic key (of course)
○ The source code (given to the public) sanitizes the passphrase secret
● The attacker knows some fundamentals of Cryptography
○ I will explain just enough Crypto for everyone to follow this attack

Page 5: Exploiting Cryptographic Misuse - An Example

Tools needed to replicate this attack

● Nothing to install on your computer!
● Pencil and paper
● XOR (exclusive bitwise OR) calculator
○ http://xor.pw/
● Base64 encoder and decoder
○ http://tomeko.net/online_tools/base64.php?lang=en
● ASCII table
○ http://www.asciitable.com/
● I will present my simple algorithm; a utility tool can be developed
○ Chosen ciphertext attack is the Crypto lingo for this category of attack

Page 6: Exploiting Cryptographic Misuse - An Example

System under attack

● Client-Server architecture
● Client runs on a browser
○ (the attack is applicable to non-web apps, too)
● Client submits a login/password over https (using Transport Layer Security)
○ Server authenticates the client
● Server sends a cryptographic token to the client (part of the URL)
● If the user is an admin, the system takes the user to the admin page
● Otherwise, the system takes the user to a default user page

Page 7: Exploiting Cryptographic Misuse - An Example

System (after valid login)

[Screenshot on the slide: the page after a valid login, showing the Base64 encoded cryptographic token in the URL, the message “I do not have admin privilege. I like to be an admin”, and a link to the source code for this webpage]

Page 8: Exploiting Cryptographic Misuse - An Example

Messing with Cryptographic token (part of the URL)

[Screenshot on the slide: the page after editing the token in the URL, showing a new error message]

Attacker can corrupt the token (part of the URL). Token is the only input parameter (attack surface).

Page 9: Exploiting Cryptographic Misuse - An Example

Brief analysis of the source code

● When the token is not part of the URL, the system redirects to a new URL (line 15)
● The system generates a token after encrypting the text “user=anonymous|ts=” appended with the current time plus 10 seconds
● The system decrypts the incoming token to decide the user privilege (line 4)
● To become an admin, the decrypted token should have a valid timestamp and admin text

Page 10: Exploiting Cryptographic Misuse - An Example

CryptToken class (relevant fragment only)

[Code screenshot on the slide; its annotations:]
● The secret is anonymized in the source code given to the public. No one knows it.
● Symmetric block cipher 256 bits (or 32 bytes)
● Initialization vector (IV) 32 bytes
● Encryption key 32 bytes
● OFB is the encryption mode

Page 11: Exploiting Cryptographic Misuse - An Example

CryptToken class (relevant fragment only) ...

● Decrypt the incoming token
● Parse the decrypted token and extract the user type and timestamp (ts)
● If the user type is ‘admin’, the admin check is successful
● If ts is greater than the current time, the timestamp check is successful.
● NOTE: The system does not keep track of the encrypted token it sends to the user
● No message authentication code (MAC)
○ Cryptographic checksum is absent

Page 12: Exploiting Cryptographic Misuse - An Example

What should an attacker do to become an admin?

● Recall that the encrypted token the attacker receives is from the string:
○ “user=anonymous|ts=” + (time() + 10 seconds)
● The attacker must modify the encrypted token string (part of the URL)
● When the modified token string is decrypted it should result in this format:
○ “user=admin|ts=” + t
■ Timestamp t must be greater than the current time of the server
● Recall the constraint that the attacker does not have the encryption key
● One possibility is to attack the underlying Cryptographic construct
○ The system uses a block cipher (Rijndael in OFB mode)
○ The famous AES symmetric crypto algorithm is a subset of Rijndael
● How to modify the token to become an admin with a valid timestamp?
○ Chosen Ciphertext attack (more details next)

Page 13: Exploiting Cryptographic Misuse - An Example

Some algebraic properties of XOR (needed for us)

● You may skip this if you know about XOR ⨁ already
● XOR of two bits b1 and b2:
○ b1 ⨁ b2 = 0 if b1 == b2 (if b1 and b2 are equal, then xor will be zero)
○ = 1 otherwise
● If c = a ⨁ b where a, b, and c are bytes (i.e. 8 bits), then
○ c ⨁ d = (a ⨁ d) ⨁ b
○ If we replace a by (a ⨁ d), then the result will also be xored with d
● If c = a ⨁ b, then a = c ⨁ b (or b = c ⨁ a)
● Commutative: a ⨁ b = b ⨁ a
● (a ⨁ b) ⨁ a = b because xor is associative and commutative

Page 14: Exploiting Cryptographic Misuse - An Example

Output Feedback (OFB) mode encryption

● Input plaintext P is cut into multiple blocks
● Each block Pi is encrypted using a block cipher encryption E
● First block: E(Key, IV) maps to an intermediate keystream KS0
● For other blocks i: E(Key, KS(i-1)) = KSi
● Ciphertext for block i: Ci = Pi ⨁ KSi

Role of IV:
● Unique (IV, Key) pair for each message to avoid leakage of patterns in the plaintext
● For example, if two messages are the same, the ciphertext will be different due to IV
● Or, if two blocks in a message are the same, their ciphertext will be different due to repeated encryption of IV

[Figure on the slide: OFB mode encryption diagram showing the keystream and the bitwise XOR. Figure Source: Wikipedia]

Page 15: Exploiting Cryptographic Misuse - An Example

Recovering the Keystream (not the symmetric key)

● What happens if the attacker knows a block’s plaintext and ciphertext?
○ Attacker can recover the keystream KS (not the symmetric Key though)
○ See the previous slide
○ Ci = Pi ⨁ KSi
○ KSi = Pi ⨁ Ci
● Recall: attacker knows most of the first block’s plaintext except the time() of the server
● Attacker also knows the ciphertext - part of the URL token after base64 decoding
● This means that the attacker can recover parts of the keystream using the above formula

Page 16: Exploiting Cryptographic Misuse - An Example

Output Feedback (OFB) mode decryption

● Input plaintext P is cut into multiple blocks
● Each block Pi is encrypted using a block cipher encryption E
● First block: E(Key, IV) maps to an intermediate keystream KS0
● For other blocks i: E(Key, KS(i-1)) = KSi
● Plaintext for block i: Pi = Ci ⨁ KSi

[Figure on the slide: OFB mode decryption diagram showing the keystream and the bitwise XOR]

Page 17: Exploiting Cryptographic Misuse - An Example

Core idea of the attack: Manipulating the ciphertext

● In our case, the attacker has recovered most of the keystream bytes (not the key)
● Critical observation: If a byte of ciphertext is manipulated, it will affect only the corresponding plaintext byte due to XOR
● For example, to make the first byte of the plaintext ‘x’ the attacker computes:
○ C0[0] = KS0[0] ⨁ ‘x’ (attacker has already recovered the keystream KS)
○ P0[0] = C0[0] ⨁ KS0[0] = (KS0[0] ⨁ ‘x’) ⨁ KS0[0] = ‘x’

[Figure on the slide: the bitwise XOR of the manipulated ciphertext byte with the keystream]

Page 18: Exploiting Cryptographic Misuse - An Example

Time to apply the idea in action

● We have all the math mechanics in place. Time to attack:
● Step 1: Recover the keystream
● Step 2: Compute the new ciphertext that will decrypt to “user=admin|ts=”
● Step 3: Compute a good timestamp to satisfy the timestamp check
● Step 4: Do not forget to celebrate

Page 19: Exploiting Cryptographic Misuse - An Example

Step 1: Recover the Keystream

● Take the token in the URL and run the base64 decoder
● In my case the token (ciphertext) is:
0x927EC9D24AC0548BAB7B1A7B6B9A351A4512DBD8046149F940F2821B
● Recall that this token is from a known plaintext:
○ “user=anonymous|ts=” + (time of the server + 10)
● Since we do not know the time of the server, we can use the local time to approximate
○ We may be off by a few seconds or minutes (we can live with it; you will see soon why)
● Number of bytes of the known plaintext = 28 bytes:
○ “user=anonymous|ts=” needs 18 bytes
○ time() + 10 needs 10 bytes in the string representation

Page 20: Exploiting Cryptographic Misuse - An Example

Step 1: Recover the Keystream ...

● XOR the plaintext with the token to obtain the keystream
● Plaintext for “user=anonymous|ts=” + time() is shown in ASCII
● The keystream is recovered but the 1 to 3 least significant bytes (LSB) may be wrong because I’m using my local time (I do not know the server’s time)

[Table on the slide: plaintext bytes XOR token bytes = Keystream KS (28 bytes); the last 3 LSBs may be wrong due to the timestamp]

Page 21: Exploiting Cryptographic Misuse - An Example

Step 2: Manipulate the ciphertext token

● Goal: decrypt(token’) should become "user=admin|ts=" + t
● Timestamp t should be greater than the current time of the server
● How do we construct the new token called token’?
● Number of bytes of the desired plaintext: 24 bytes
○ “user=admin|ts=” 14 bytes
○ Timestamp t needs 10 bytes (as a string)
● Great, we do not need the last 4 LSBs of the keystream KS (previous slide)
● The original plaintext prefix is “user=a”
○ We do not need to modify the first 6 bytes of the original token

Page 22: Exploiting Cryptographic Misuse - An Example

Step 2: Manipulating the ciphertext token...

token'[i] = token[i] for all 0 <= i <= 5;
token'[6]  = 'd' ⨁ keystream[6]
token'[7]  = 'm' ⨁ keystream[7]
token'[8]  = 'i' ⨁ keystream[8]
token'[9]  = 'n' ⨁ keystream[9]
token'[10] = '|' ⨁ keystream[10]
token'[11] = 't' ⨁ keystream[11]
token'[12] = 's' ⨁ keystream[12]
token'[13] = '=' ⨁ keystream[13]

● When the modified token is decrypted, we will have “user=admin|ts=”
● The reason to XOR with the keystream is to cancel out the influence of the keystream during decryption
● This will allow us to get a plaintext of our interest

Page 23: Exploiting Cryptographic Misuse - An Example

Step 3: Manipulating the timestamp

● When the token is decrypted we want to pass this condition:

$this->context->ts >= time()

● One idea is to construct a new timestamp way into the future
○ I replaced the last 6 digits of my local machine time with 999999, which means I will be able to pass the above time check.
● 1483146303 (output of time() on my local laptop, ~12/30/2016 8:04 PM)
● We will XOR the modified time with the keystream starting from keystream[14] as follows (bytes in hex):
○ 31 34 38 33 39 39 39 39 39 39 ⨁
○ 49 6e 36 2f ea ec 3c 52 78 cd

Page 24: Exploiting Cryptographic Misuse - An Example

Step 3: Manipulating the timestamp ...

token'[14] = 0x31 ⨁ keystream[14]
token'[15] = 0x34 ⨁ keystream[15]
token'[16] = 0x38 ⨁ keystream[16]
token'[17] = 0x33 ⨁ keystream[17]
token'[j]  = 0x39 ⨁ keystream[j] for all 18 <= j <= 23.

● In the URL we submit the base64 encoding of token’
○ I will not show you the full URL because it is easy to get points by just copy-and-paste
○ Contact me if you are interested in knowing more
● The server will decrypt our token into an admin with a valid timestamp

Page 25: Exploiting Cryptographic Misuse - An Example

Step 4: Celebrate the admin privilege ✌

[Screenshot on the slide: the admin page. I sanitized my URL token and the flag, of course]

Page 26: Exploiting Cryptographic Misuse - An Example

Concluding remarks

● The system used a block cipher in the OFB mode
● This mode assumes that the ciphertext is not editable
● But the system misused the OFB - ciphertext is part of the URL (editable)
● There is one serious problem in this mode (chosen ciphertext attack):
○ Given a pair of plaintext and ciphertext (P, C) the attacker can construct a new ciphertext C’ which can be decrypted into a new plaintext P’
○ Without knowing the symmetric encryption key though
● This serious problem allowed the attacker to become an admin
● Another problem is that the incoming timestamp is not checked properly

Page 27: Exploiting Cryptographic Misuse - An Example

Concluding remarks ...

● To avoid this problem, the system should have used authenticated encryption schemes (e.g. EAX, GCM, etc.)
○ These schemes have both confidentiality and integrity as opposed to the OFB mode
■ Only confidentiality but not integrity was the main problem
● Or, attach an HMAC (Crypto checksum) to the ciphertext
○ Attacker cannot easily construct the checksum without a key
○ If the attacker modifies the ciphertext, the HMAC check will very likely fail
● This attack is not just relevant for web systems or the PHP language
○ In fact, there is nothing specific to web or PHP syntax
● Any system that misuses Crypto may be vulnerable to
○ Chosen ciphertext attack, for example.
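As an added example (not code from the slides, and not the CTF's PHP, which is not reproduced here), the following Python models the token scheme from slides 15, 17, 19-24 and 27 end to end: OFB with a keyed PRF stand-in in place of Rijndael-256, keystream recovery from the known “user=anonymous|ts=” prefix, the byte rewrite that turns the anonymous token into an admin one, and the encrypt-then-MAC fix with a bounded timestamp window that rejects the same rewrite. The key, IV, MAC key, both clocks and the stand-in cipher are assumptions constructed for the demo.

```python
"""Toy model of the token scheme on these slides (added example, not the CTF code).

Assumption: the block cipher is a keyed HMAC-SHA256 stand-in with 32-byte output.
OFB only ever calls the forward direction of E, so any keyed pseudorandom
function shows the mode's malleability faithfully. Keys, IV and clocks are
constructed for the demo; the slides' real token and key are not reproduced.
"""
import hashlib
import hmac

BLOCK = 32                            # 32-byte blocks, as with Rijndael-256 on the slides
KEY = b"K" * BLOCK                    # constructed demo key (the attacker never learns it)
IV = b"I" * BLOCK                     # constructed demo IV
MAC_KEY = b"M" * BLOCK                # constructed second key for the HMAC fix
KNOWN_PREFIX = b"user=anonymous|ts="  # the plaintext prefix every issued token starts with
MAX_LIFETIME = 10                     # seconds; the server issues tokens with ts = now + 10


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for E(Key, X): a keyed PRF, not Rijndael (assumption)."""
    return hmac.new(key, block, hashlib.sha256).digest()


def ofb_keystream(key: bytes, iv: bytes, nbytes: int) -> bytes:
    """KS0 = E(Key, IV), KSi = E(Key, KS(i-1)), exactly as on the OFB slides."""
    ks, prev = b"", iv
    while len(ks) < nbytes:
        prev = block_encrypt(key, prev)
        ks += prev
    return ks[:nbytes]


def ofb_xor(key: bytes, iv: bytes, data: bytes) -> bytes:
    """OFB encryption and decryption are the same step: data XOR keystream."""
    return bytes(d ^ k for d, k in zip(data, ofb_keystream(key, iv, len(data))))


def parse_fields(plaintext: bytes) -> dict:
    """Split 'user=...|ts=...' into a dict; parts without '=' are dropped."""
    fields = {}
    for part in plaintext.decode("latin-1").split("|"):
        if "=" in part:
            k, v = part.split("=", 1)
            fields[k] = v
    return fields


def ts_of(fields: dict):
    """The ts field as an int, or None if it is not a plain ASCII number."""
    ts = fields.get("ts", "")
    return int(ts) if ts.isascii() and ts.isdigit() else None


# ---- the system as the slides describe it: no MAC, ts only checked as ts >= now
def issue_token(now: int) -> bytes:
    return ofb_xor(KEY, IV, KNOWN_PREFIX + str(now + MAX_LIFETIME).encode())


def vulnerable_verify(token: bytes, now: int):
    fields = parse_fields(ofb_xor(KEY, IV, token))
    ts = ts_of(fields)
    return fields if ts is not None and ts >= now else None


# ---- what slides 15-24 show can be done with a token but no key
def recover_keystream(token: bytes, attacker_clock: int) -> bytes:
    """KSi = Pi XOR Ci using the known prefix plus a local-time guess for the
    digits; a keystream byte is right only where the guessed byte is right."""
    guess = KNOWN_PREFIX + str(attacker_clock + MAX_LIFETIME).encode()
    return bytes(p ^ c for p, c in zip(guess, token))


def rewrite_token(keystream: bytes, desired: bytes) -> bytes:
    """C'[i] = desired[i] XOR KS[i], so OFB decryption yields `desired`."""
    return bytes(d ^ k for d, k in zip(desired, keystream))


# ---- the fix from slide 27: encrypt-then-MAC, plus a bounded timestamp window
def issue_authenticated_token(now: int) -> bytes:
    ct = issue_token(now)
    return ct + hmac.new(MAC_KEY, IV + ct, hashlib.sha256).digest()


def hardened_verify(token: bytes, now: int):
    ct, tag = token[:-32], token[-32:]
    expected = hmac.new(MAC_KEY, IV + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # reject before decrypting anything
        return None
    fields = parse_fields(ofb_xor(KEY, IV, ct))
    ts = ts_of(fields)
    # reject stale tokens and tokens dated further ahead than the server ever issues
    if ts is None or not now <= ts <= now + MAX_LIFETIME:
        return None
    return fields


def demo(server_clock: int = 1483146293, attacker_clock: int = 1483146400) -> dict:
    """Walk through slides 19-24 against both servers and report what happened."""
    token = issue_token(server_clock)               # decrypts to ...|ts=1483146303
    ks = recover_keystream(token, attacker_clock)   # guess ends ...6410, not ...6303
    true_ks = ofb_keystream(KEY, IV, len(token))
    good_prefix = 0                                 # leading keystream bytes that are right
    while good_prefix < len(ks) and ks[good_prefix] == true_ks[good_prefix]:
        good_prefix += 1
    desired = b"user=admin|ts=1483999999"           # 24 bytes, as on slides 21-24
    forged = rewrite_token(ks, desired)
    auth = issue_authenticated_token(server_clock)
    forged_auth = rewrite_token(ks, desired) + auth[-32:]   # same edit, old tag kept
    later = server_clock + 5                        # the server's clock at verify time
    return {
        "correct_keystream_prefix": good_prefix,    # 25: enough for the 24 bytes needed
        "vulnerable_result": vulnerable_verify(forged, later),
        "hardened_result": hardened_verify(forged_auth, later),
        "hardened_genuine": hardened_verify(auth, later),
    }
```

`demo()` reports 25 correct leading keystream bytes (the attacker's clock guess shares the first seven timestamp digits with the server's, which is why being off by minutes does not matter for the 24 bytes needed), the unauthenticated server accepting the rewritten token as admin, and the HMAC-checked server rejecting it while still accepting the genuine token. Two design points carry the lesson: the tag is compared with `hmac.compare_digest` before any decryption or parsing happens, and the timestamp is bounded above as well as below, so a “way into the future” value is rejected on its own merits rather than only because the tag fails.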


Page 28: Exploiting Cryptographic Misuse - An Example

Acknowledgment & Contact

● Mr. Un1k0d3r for constructing this Cryptography challenge
● Prof. Dan Boneh for teaching an online course on Cryptography
● Questions/comments: [email protected]