yllan, 2015
• @yllan
• hypo
https://hypo.cc/
• SOLDA
https://solda.io/
•
Cryptography
Q: AES
Cryptography
•
•
• /
• key
• key
Encryption
Encryption System
• Block Cipher
•
• DES, AES, RSA, …
• block padding
block
• Block Mode: ECB / CBC / GCM / ……
Don’t Use ECB mode!
Block 1 Block 2 Block N…
Cipher 1 Cipher 2 Cipher N…
ECB: Cut & Paste
Cookie: auth=AES-ECB(username)
Cookie: auth=AES-ECB(1234567890123456admin)
ECB: Byte-by-Byte
• Oracle(m)=AES-ECB(m‖secret, key)
AES-ECB(123456789012345secret, key)
AES-ECB(123456789012345*secret, key)
AES-ECB(123456789012345ssecret, key)
AES-ECB(12345678901234secret, key)
AES-ECB(12345678901234s*secret, key)
AES-ECB(12345678901234sesecret, key)
AES-ECB(1234567890123secret, key)
A block: 16 bytes
CBC
comment=hello ,%20MOPCON. %26admin=true
&admin=true
comment=hello ,%20MOPCON. %26admin=true
&admin=true
comment=hello ?SDA(*H@*(#$& %2&admin=true
&⊕6
CBC Padding Oracle
• PKCS7 Padding
• xxxxxxxxxx01
• xxxxxxxxx0202
• xxxxxxxx030303
// PKCS7 check used as the oracle: the last byte gives the padding length,
// and every one of those trailing bytes must equal it
if (!bytes.takeRight(bytes.last).forall(_ == bytes.last)) {
  throw new Exception("Padding invalid!")
}
Cryptography
Padding oracle walkthrough (slide animation, reconstructed):
• The last block currently decrypts to …030303 (valid PKCS7 padding).
• XOR the matching byte of the previous ciphertext block with 01: the plaintext becomes …030302 → padding invalid.
• XOR it with 02 instead: the plaintext becomes …030301 → valid padding!
• So last byte ⊕ 02 = 01, hence last byte = 03.
• Next byte: aim for ??040404 by XORing with ??070707 (03 ⊕ 07 = 04) and guess the ?? byte the same way.
Authentication
(Signing)
(Crypto) Hash
• MD5, SHA1, SHA2, SHA3……
• Arbitrary-length input, fixed n-bit output
• One-Way: given H(x), it is hard to find x
• 2nd Pre-Image Resistance: given x, it is hard to find y ≠ x with H(x) = H(y)
• Collision Free: it is hard to find any x ≠ y with H(x) = H(y)
Hash ≠ Authentication
• user=yllan&rating=5&album=12345
• MD5(secretalbum12345rating5useryllan)
•
• Length Extension Attack
Length Extension Attack
• ????user=yllan&rating=5
• ????user=yllan&rating=5…&admin=true
SHA-1 block structure (slide diagrams, reconstructed):
• The message is split into 64-byte blocks: data | data | data+pad
• Padding: a 1 bit, then 0…0, then the message length
• The chaining state starts from the SHA-1 IV:
v1: 0x67452301
v2: 0xEFCDAB89
v3: 0x98BADCFE
v4: 0x10325476
v5: 0xC3D2E1F0
• Each 64-byte block updates v1…v5 (slide values: 0xAAAAAAAA…0xEEEEEEEE after block 1, 0xFFFFFFFF after block 2, then after the last block)
v1: 0x00000000
v2: 0x11111111
v3: 0x22222222
v4: 0x33333333
v5: 0x44444444
• The final state is the output: SHA1 = 0x0000000011111111222222223333333344444444
• Length extension: the attacker does not know the first blocks (? ???), but the published SHA1 is exactly the state after them. Load it back as v1…v5, append Pad | Extension as further 64-byte blocks and keep compressing:
v1: 0x55555555
v2: 0x66666666
v3: 0x77777777
v4: 0x88888888
v5: 0x99999999
• SHA1: 0x5555555566666666777777778888888899999999 = SHA1(????‖data‖pad‖extension), computed without knowing ????
MAC
• Message Authentication Code
• HMAC-SHA256(message, secret)
• Given m and MACk(m), an attacker cannot produce a valid MACk(n) for a new message n
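As an added example (not from the talk), a minimal SHA-1 in Python whose chaining state can be reloaded, demonstrating the diagram above and why a tag of the form H(secret ‖ message) is not a MAC: the published digest is exactly v1…v5 after the last block, so anyone can continue hashing from it. The secret, message and extension values are constructed; HMAC-SHA256, as the slide recommends, keys both the inner and the outer hash and is not extensible this way.

```python
import hashlib
import struct

SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)  # the v1..v5 on the slide

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def sha1_pad(msg_len):
    """Padding: 0x80, zeros up to 56 mod 64, then the 64-bit big-endian bit length."""
    return b"\x80" + b"\x00" * ((55 - msg_len) % 64) + struct.pack(">Q", msg_len * 8)

def sha1_compress(state, block):
    """Absorb one 64-byte block into the 5-word chaining state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & 0xFFFFFFFF, a, _rotl(b, 30), c, d
    return tuple((s + v) & 0xFFFFFFFF for s, v in zip(state, (a, b, c, d, e)))

def sha1(data, state=SHA1_IV, prefix_len=0):
    """SHA-1 of data; `state`/`prefix_len` resume hashing after prefix_len already-absorbed bytes."""
    msg = data + sha1_pad(prefix_len + len(data))
    for i in range(0, len(msg), 64):
        state = sha1_compress(state, msg[i:i + 64])
    return struct.pack(">5I", *state)

def forge_extension(digest, known_len, extension):
    """From H(secret||data) and len(secret||data) alone: H(secret||data||pad||extension)."""
    glue = sha1_pad(known_len)                # the padding the server applied to the original message
    state = struct.unpack(">5I", digest)      # the digest IS the chaining state: reload it as v1..v5
    return glue + extension, sha1(extension, state, known_len + len(glue))

def demo():
    """Constructed sample: tag = SHA1(secret||message), the scheme the slide warns about."""
    secret, data, ext = b"hidden-key", b"user=yllan&rating=5", b"&admin=true"
    suffix, forged_tag = forge_extension(sha1(secret + data), len(secret) + len(data), ext)
    # The verifier recomputes with the secret and accepts; the forger never needed it
    return forged_tag == hashlib.sha1(secret + data + suffix).digest()
```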
Side Channel Attack
Comparison
public static boolean isEqual(byte digesta[], byte digestb[]) {
    if (digesta.length != digestb.length)
        return false;
    for (int i = 0; i < digesta.length; i++) {
        // early exit: the running time reveals the index of the first mismatch
        if (digesta[i] != digestb[i]) {
            return false;
        }
    }
    return true;
}
Java 6u15: MessageDigest.isEqual
Constant Time Comparison
public static boolean isEqual(byte[] a, byte[] b) {
    if (a.length != b.length) {
        return false;
    }
    int result = 0;
    for (int i = 0; i < a.length; i++) {
        // OR-accumulate every difference: the loop always runs to the end
        result |= a[i] ^ b[i];
    }
    return result == 0;
}
Side Channel
•
•
•
• HEARTBLEED
Cryptography
• bcrypt()
• RSA/DES library… Orz
Cryptography
Q & A