POODLE
This POODLE Bites: Exploiting The SSL 3.0 Fallback
Bodo Möller, Thai Duong, Krzysztof Kotowicz
Presented By: Samit Anwer

Padding Oracle On Downgraded Legacy Encryption
• If an attacker interferes with a handshake offering TLS 1.0 or later, clients will downgrade to SSL 3.0
• Encryption in SSL 3.0 uses either the RC4 stream cipher or a block cipher (AES/DES) in CBC mode
• We will be taking a running example of AES in CBC mode of operation
• Assumption:
  • the attacker can modify network transmissions between client and server

Attack Scenario
• Attacker sends a link to the victim (http://evil.com)
• When the victim visits the link, the JavaScript embedded on evil.com starts making cookie-bearing requests to https://example.com
An HTTP request looks like:
POST /path Cookie: name=value...\r\n\r\n body
• The attacker can MITM the encrypted traffic, and the attacker controls the data in “path” and “body”.

Cipher Block Chaining Encryption
POST /path Cookie: name=value...\r\n\r\nbody ‖ 20-byte MAC ‖ padding
[figure: plaintext blocks P1, P2, ..., Pi, ..., Pn-1, Pn chained into ciphertext blocks C1, C2, ..., Ci, ..., Cn-1, Cn]
Ci = EK(Pi ⊕ Ci-1)
C0 = IV
AES block size is 16 bytes
DES block size is 8 bytes

Cipher Block Chaining Decryption
Pi = DK(Ci) ⊕ Ci-1
C0 = IV
[figure: ciphertext blocks C1, C2, ..., Ci, ..., Cn-1, Cn decrypted back to plaintext blocks P1, P2, ..., Pi, ..., Pn-1, Pn]
POST /path Cookie: name=value...\r\n\r\nbody ‖ 20-byte MAC ‖ padding

The attack
POST /path Cookie: sessionid=value...\r\n\r\nbody ‖ 20-byte MAC ‖ padding
Padding of 1 to L bytes (where L is the block size in bytes) is added before performing blockwise CBC encryption.
The attacker controls the request path and the request body, and hence can forge requests such that:
1. The padding fills an entire block (encrypted into Cn).
2. The cookie’s first (as yet unknown) byte appears as the final byte in an earlier block (which gets encrypted into Ci).
• The attacker replaces Cn by any earlier ciphertext block Ci
• the ciphertext will be accepted if DK(Ci) ⊕ Cn-1 happens to have 15 (i.e. L-1) as its final byte,
• otherwise, it will be rejected → giving rise to a padding oracle attack

Attack Contd.
Assuming L=16 (AES) and the ciphertext gets accepted:
From CBC decryption we know:
Pi = DK(Ci) ⊕ Ci-1
⇒ Pn = DK(Cn) ⊕ Cn-1
⇒ Pn[15] = DK(Cn)[15] ⊕ Cn-1[15] ----- (a)
Cn has been replaced by Ci, and acceptance means the final byte of the decrypted last block is 15.
From (a): 15 = DK(Ci)[15] ⊕ Cn-1[15], which can be written as
⇒ DK(Ci)[15] = 15 ⊕ Cn-1[15] --------- (1)
We know: Pi = DK(Ci) ⊕ Ci-1
and hence Pi[15] = DK(Ci)[15] ⊕ Ci-1[15] --------- (2)
By replacing DK(Ci)[15] from (1) in (2) we get
Pi[15] = 15 ⊕ Cn-1[15] ⊕ Ci-1[15]
Unknown entity: Pi[15] (the cookie byte)
Known entities: Cn-1[15] and Ci-1[15] (ciphertext bytes observed on the wire)
[figure: ciphertext C1, C2, ..., Ci, ..., Cn-1, Cn/Ci, with DK(Cn/Ci) feeding the last plaintext block]
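The derivation above, and the "Problem with SSL 3.0 in CBC mode" point under Recommendation, can be checked locally. The following is an added example, not code from the presentation or from the POODLE paper. It stands in for AES with a toy Feistel permutation (so it needs only the Python standard library), builds an SSL 3.0 style record data ‖ 20-byte MAC ‖ padding, replaces Cn by Ci under fresh IVs, and counts how two padding checks treat the result: the SSL 3.0 check (pad length byte only) and the strict check specified by TLS 1.0 and later (every pad byte must equal the pad length). The keys, the request layout, and the names seal, open_record and simulate are all constructed for the demo.

```python
import hashlib
import hmac
from typing import Dict, Optional

BLOCK = 16       # AES block size, as on the slides (the toy cipher below keeps it)
MAC_LEN = 20     # the 20-byte MAC from the slides

# Constructed demo keys, not real key material.
KEY = b"demo-toy-block-cipher-key"
MAC_KEY = b"demo-mac-key"


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key: bytes, half: bytes, rnd: int) -> bytes:
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def enc_block(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation standing in for E_K (it is not AES)."""
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, r, rnd))
    return l + r


def dec_block(key: bytes, block: bytes) -> bytes:
    """Inverse of enc_block, standing in for D_K."""
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, l, rnd)), l
    return l + r


def cbc_encrypt(iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for k in range(0, len(pt), BLOCK):
        prev = enc_block(KEY, xor(pt[k:k + BLOCK], prev))        # Ci = EK(Pi xor Ci-1)
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for k in range(0, len(ct), BLOCK):
        out.append(xor(dec_block(KEY, ct[k:k + BLOCK]), prev))   # Pi = DK(Ci) xor Ci-1
        prev = ct[k:k + BLOCK]
    return b"".join(out)


def seal(iv: bytes, data: bytes) -> bytes:
    """Encrypt data || MAC || padding. The filler bytes are set to the pad length so
    the same record passes both checks below; SSL 3.0 itself leaves them unspecified."""
    mac = hmac.new(MAC_KEY, data, hashlib.sha1).digest()
    pad_len = BLOCK - 1 - (len(data) + MAC_LEN) % BLOCK   # 15 when the padding fills a whole block
    return cbc_encrypt(iv, data + mac + bytes([pad_len]) * (pad_len + 1))


def open_record(iv: bytes, ct: bytes, strict: bool) -> Optional[bytes]:
    """Return the data, or None if rejected. strict=False is the SSL 3.0 check (pad
    length byte only); strict=True also requires every pad byte to equal the pad length."""
    pt = cbc_decrypt(iv, ct)
    pad_len = pt[-1]
    if pad_len >= BLOCK:
        return None
    if strict and any(b != pad_len for b in pt[-(pad_len + 1):]):
        return None
    body = pt[:-(pad_len + 1)]
    if len(body) < MAC_LEN:
        return None
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return data if hmac.compare_digest(mac, hmac.new(MAC_KEY, data, hashlib.sha1).digest()) else None


# Constructed request laid out as on the slides: HEAD is 31 bytes, so the first cookie
# byte sits at offset 31, the final byte of block i = 2; BODY is sized so data + MAC is a
# whole number of blocks and the padding fills block n on its own.
HEAD = b"POST /path12 Cookie: sessionid="
SECRET = b"S3cr3tCookie"
BODY = b"A" * ((-(len(HEAD) + len(SECRET) + 4 + MAC_LEN)) % BLOCK)
REQUEST = HEAD + SECRET + b"\r\n\r\n" + BODY
I = 2


def simulate(trials: int) -> Dict[str, int]:
    """Re-encrypt the request under fresh IVs, copy Ci over Cn, and count how each padding
    check treats it; whenever the SSL 3.0 check accepts, verify the slides' formula."""
    stats = {"ssl3_accepted": 0, "formula_correct": 0, "strict_accepted": 0}
    for t in range(trials):
        iv = hashlib.sha256(b"iv" + t.to_bytes(4, "big")).digest()[:BLOCK]  # deterministic stand-in for a fresh IV
        ct = seal(iv, REQUEST)
        blocks = [ct[k:k + BLOCK] for k in range(0, len(ct), BLOCK)]
        forged = b"".join(blocks[:-1]) + blocks[I - 1]          # Cn replaced by Ci
        c_prev_i = iv if I == 1 else blocks[I - 2]               # Ci-1 (C0 = IV)
        if open_record(iv, forged, strict=False) is not None:
            stats["ssl3_accepted"] += 1
            if 15 ^ blocks[-2][15] ^ c_prev_i[15] == REQUEST[(I - 1) * BLOCK + 15]:
                stats["formula_correct"] += 1                    # Pi[15] = 15 xor Cn-1[15] xor Ci-1[15]
        if open_record(iv, forged, strict=True) is not None:
            stats["strict_accepted"] += 1
    return stats


def roundtrip_ok() -> bool:
    iv = b"\x00" * BLOCK
    return open_record(iv, seal(iv, REQUEST), strict=True) == REQUEST


if __name__ == "__main__":
    print(simulate(3000))   # ssl3_accepted is about trials/256; strict_accepted is 0
```

The SSL 3.0 check accepts roughly one forgery in 256 and, every time it does, the formula yields the true cookie byte: the accept/reject decision is the oracle. The strict check examines the filler bytes as well, so the copied block (which decrypts to an unrelated value) is rejected every time. Disabling SSL 3.0 removes the oracle outright; the strict check is what closes it in TLS 1.0 and later.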

Overall Effort
• 256 SSL 3.0 requests per byte
Recommendation
• Disable the SSL 3.0 protocol in the client or in the server or both
• TLS_FALLBACK_SCSV
  • When an incoming connection includes 0x56, 0x00 (TLS_FALLBACK_SCSV) in ClientHello.cipher_suites, compare ClientHello.client_version to the highest protocol version supported by the server. If the server supports a version higher than the one indicated by the client, reject the connection.
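The TLS_FALLBACK_SCSV rule above as a server-side check, written as an added example (not the presentation's or OpenSSL's code). It decodes the ClientHello cipher_suites vector (a 2-byte length followed by 2-byte suite ids) and applies the comparison from the slide; the helper names, the (major, minor) version tuples and the sample vector are assumptions for the demo, while 0x5600 and the inappropriate_fallback alert code 86 are the values defined for this signalling suite.

```python
from typing import List, Optional, Tuple

Version = Tuple[int, int]          # (major, minor) as carried in ClientHello.client_version

SSL_3_0: Version = (3, 0)
TLS_1_0: Version = (3, 1)
TLS_1_1: Version = (3, 2)
TLS_1_2: Version = (3, 3)

TLS_FALLBACK_SCSV = 0x5600         # the {0x56, 0x00} signalling cipher suite from the slide
INAPPROPRIATE_FALLBACK = 86        # alert the server sends when it rejects the connection


def parse_cipher_suites(raw: bytes) -> List[int]:
    """Decode the cipher_suites vector: 2-byte length, then 2-byte suite ids."""
    length = int.from_bytes(raw[:2], "big")
    body = raw[2:2 + length]
    if length % 2 or len(body) != length:
        raise ValueError("malformed cipher_suites vector")
    return [int.from_bytes(body[k:k + 2], "big") for k in range(0, length, 2)]


def check_fallback_scsv(client_version: Version, cipher_suites: List[int],
                        server_max_version: Version) -> Optional[int]:
    """Return None to continue the handshake, or the alert code to abort with.
    Hypothetical hook for a server's ClientHello processing; the rest of the
    handshake is out of scope."""
    if TLS_FALLBACK_SCSV not in cipher_suites:
        return None                 # no fallback signalled: nothing to compare
    if client_version < server_max_version:
        # The client says this is a retry at a lowered version, yet this server
        # could have spoken a higher one: the earlier attempt was interfered with.
        return INAPPROPRIATE_FALLBACK
    return None


# Constructed vector: three suites, the last of which is TLS_FALLBACK_SCSV.
RETRY_SUITES = bytes.fromhex("0006 002f 0035 5600")

if __name__ == "__main__":
    suites = parse_cipher_suites(RETRY_SUITES)
    print(check_fallback_scsv(SSL_3_0, suites, TLS_1_2))   # 86: downgraded retry, reject
    print(check_fallback_scsv(TLS_1_2, suites, TLS_1_2))   # None: client is already at our best
```

The check only bites when the client includes the SCSV, which a client does only on a retry it made after a failed higher-version attempt; a client that genuinely supports nothing above SSL 3.0 never sends it and is unaffected, which is why the mechanism needs both sides updated to protect a connection.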
Problem with SSL 3.0 in CBC mode:
The integrity of the padding cannot be verified when decrypting, as it is not covered by the MAC.

Demo Overview
src: https://patzke.org/implementing-the-poodle-attack.html
Attack Steps:
• Downgrade the TLS protocol usage to SSLv3 by disrupting TLS handshake attempts.
• Adjust the URL and POST length such that the last block of the ciphertext is padding.
• Perform the copy operation on every generated TLS packet and calculate the leaked byte if the server accepts the modified packet.

References
• This POODLE Bites: Exploiting The SSL 3.0 Fallback, Bodo Möller, Thai Duong, Krzysztof Kotowicz, https://www.openssl.org/~bodo/ssl-poodle.pdf
• Attack of the week: POODLE, https://blog.cryptographyengineering.com/2014/10/15/attack-of-week-poodle/
• Implementing the POODLE Attack, https://patzke.org/implementing-the-poodle-attack.html
Editor's Notes

  1. An initialization vector (IV) or starting variable (SV) is a block of bits that is used by several modes to randomize the encryption and hence to produce distinct ciphertexts even if the same plaintext is encrypted multiple times, without the need for a slower re-keying process.
  2. Now observe that if there is a full block of padding and an attacker replaces Cn by any earlier ciphertext block Ci from the same encrypted stream, the ciphertext will still be accepted if DK(Ci) ⊕ Cn-1 happens to have L-1 as its final byte, but will in all likelihood be rejected otherwise, giving rise to a padding oracle attack.