Padding Oracle Attacks

Problem and Protection

The big ASP.NET vulnerability

o  Oracle attacks have been known about since 2002

o  Rizzo and Duong write a white paper for Usenix in May 2010

o  When companies do little to respond, they write POET and release details in September 2010

o  Attackers can gain access to any encrypted data on your website

o  September 17, 2010 Microsoft admits flaw o  September 20 The world goes into panic mode!

An Oracle give hints, but not answers.

o  From Greek mythology. A seer or diviner

Padding is needed for encryption.

o  A Blowfish encryption of "DoubleRainbow" is 948FB2E965F0CE6AC557088F123DA31B

o  A Blowfish encryption of "DoubleRainbowAll" is 948FB2E965F0CE6A50192C23AC24DFFD

o  Note: The clear strings are different sizes but the encrypted strings are the same size

o  Why?

Breaking encryption using an oracle

o  Data is encrypted using a key o  Attackers will bombard the oracle with

questions, using the hints to zero in on the key

o  Once they have the key, they can get anything they want from our sites including encrypted values in cookies and root access to the host machine

How attackers do it

o  Find Base64 strings in cookies, hidden fields o  Decode it. If it is random text and is 8, 16, or 32

bits, then it is likely a ciphertext o  Change the last character and send back o  If error message is a “Padding error”, then we

know for sure o  Send thousands of http requests using different

keys and look at the error codes returned o  Certain error codes give hints o  POET Simply automates the attack

How attackers do it

How we protect ourselves

o  Don’t allow your site to give hints! •  Don’t return actual errors. Instead, we return a

generic error page •  Return these generic errors irregularly

Don’t return actual errors

o  Change web.config (3.5 SP1 - up): <configuration>

<location allowOverride="false"> <system.web>

<customErrors mode="On" redirectMode="ResponseRewrite" defaultRedirect="~/ErrorPage.aspx" />

</system.web> </location>

</configuration>

o  Change web.config (1.1 - 3.5): <configuration>

<location allowOverride="false"> <system.web>

<customErrors mode="On" defaultRedirect="~/error.html" /> </system.web>

</location> </configuration>

Sleep irregularly

o  Add this to the page load of the error page: byte[] delay = new byte[1]; RandomNumberGenerator prng = new RNGCryptoServiceProvider(); prng.GetBytes(delay); Thread.Sleep((int)delay[0]); IDisposable disposable = prng as IDisposable; if (disposable != null) disposable.Dispose();

Summary

o  Padding Oracle Attacks are very dangerous because attackers can get up to root access on your server

o  Protection is as simple as hiding the real error messages and randomizing the wait time

o  Simply edit web.config and add a random wait to the error page’s load event

Further study

o  Rizzo and Duong’s Usenix white paper: •  http://bit.ly/PaddingOracleWhitePaper

o  A demo of POET •  http://bit.ly/POETDemo

o  Microsoft’s Security bulletin response: •  http://bit.ly/PaddingOracleResponse