8. One-Time Pad (OTP)
A plaintext is paired with random,
secret key (or pad) which have the
same length (or more) as message
Each bit or char of the plaintext is
encrypted by combining it with the
corresponding bit or char from the pad
using modular addition
9. Unbreakable One-Time Pad (OTP)
Key is truly random
Key and at least as long as the
plaintext
Key never reused in whole or in
part, and kept completely secret
12. Stream Ciphers
Key Stream is used (generated from Key)
Gamma (Key Stream) generator is pseudo
random with some period (bigger is better)
Works really fast ( XOR Key Stream with MSG)
13. Bit-Flipping Attack
Attacker know part and of
plaintext and place in encrypted
(for ex. amount of money)
Can change this part w/o
knowing key (nature of XOR)
14. Message Access Code (MAC)
Hash Functions (MD5, SHA, etc)
Encrypted data integrity check
Used not only in encryption
integrity check (web form data
validation, plaintext data, etc)
19. Cipher Block Chaining (CBC)
Added initialization vector (IV)
More secure (by design)
Still vulnerable for padding attack
20. Cipher Block Chaining (CBC)
M y V e r y S e c r e t T e x t
L G l h 3 l a 1 X E K h X r A c
1 2 3 4 5 6 7 8
Plain Text
IV
Encrypted
21. Padding Types
Bit Padding (add 1 bit and zeros)
Byte Padding (add some bytes and
length of padding, add number of bytes
which equal to padding length, etc)
Mixed Padding (add 1 bit and then
bytes, for ex. MD5 padding)
22. Byte Padding
A B C D 0x00 0x00 0x00 0x00
A B C D 0x04 0x04 0x04 0x04
A B C D 0xFF 0xFF 0xFF 0x03
Zero Bytes Padding
Padding Length Bytes
0xFF Bytes + Padding Length Byte
24. Padding Oracle
Oracle: something that can prove
or refute your assumptions
Padding: building blocks to make
things the same size
Together: are nightmare of
cryptography
25. Padding Oracle Nightmare
You don’t need a KEY
Almost doesn’t depends on
cipher algorithm (CBC mode)
Faster that brute force attack
28. The Magic XOR Rules
A A = 0
A 0 = A
A B = B A
(A B) C = A (B C)
29. Padding Oracle Attack: Details
M y M S G 3 3 3
L G l h 3 l a 1 X E K h X r A c
Plain M2
Encrypted C1 Encrypted C2
I K 7 u F Q s b
Intermediate I2
30. Padding Oracle Attack: Details
M2=C1 I2
I2=M2 C1
We CAN change result Plaintext M2 by
changing Encrypted C1 Message
31. Padding Oracle Attack: Last Byte
M y M S G 3 3 D
L G l h 3 l a A X E K h X r A B
I K 7 u F Q s C
C1[8] C2[8]
I2[8]
M2[8]
32. Padding Oracle Attack: Last Byte
1. Iterate byte PP from 0x00 to 0xFF (possible M2[8] byte)
2. Set A = C1[8] PP 0x01
3. Check Padding Oracle if we got correct padding (D = 0x01)
4. In case of correct padding we can calculate M2[8] last byte:
• M2[8] = C1[8] C
• Because C = D A
• Then C = 0x01 C1[8] PP 0x01
• We can simplify it to C = C1[8] PP
• In this case M2[8] = C1[8] C1[8] PP
• And finally M2[8] = PP, voila!
36. POODLE: Basic Info
Old Good Padding Oracle
Present in ALL SSLv3 realizations
(architecture issue)
Wrong MAC usage
37. POODLE: Possible Exploitation
1
2
3
Hacker uses MITM attack
User should send the same
plaintext requests
(eg. GET request via XSS)
Attacker want to steal cookie
(know possible structure of the
plaintext request)
38. • Disable SSLv3 on the server
– web server, openssl, etc
• Disable SSLv3 support on the client
– web browser, library, etc
• Really, disable this old buggy SSLv3!
How-to Mitigate?
39. Outline
• Padding Oracle attack is still alive
• Usage of OLD protocols could cause
a lot of security issues
• Disable SSLv3 in your
products/environment
