This action might not be possible to undo. Are you sure you want to continue?
Cryptography in the Web: The Case of Cryptographic Design Flaws in ASP.NET
Thai Duong Vnsecurity/HVAOnline Ho Chi Minh City, Vietnam firstname.lastname@example.org
Abstract—This paper discusses how cryptography is misused in the security design of a large part of the Web. Our focus is on ASP.NET, the web application framework developed by Microsoft that powers 25% of all Internet web sites. We show that attackers can abuse multiple cryptographic design ﬂaws to compromise ASP.NET web applications. We describe practical and highly efﬁcient attacks that allow attackers to steal cryptographic secret keys and forge authentication tokens to access sensitive information. The attacks combine decryption oracles, unauthenticated encryptions, and the reuse of keys for different encryption purposes. Finally, we give some reasons why cryptography is often misused in web technologies, and recommend steps to avoid these mistakes. Keywords-Cryptography, Application Security, Web security, Decryption oracle attack, Unauthenticated encryption.
Juliano Rizzo Netifera Buenos Aires, Argentina email@example.com cryptographic errors together make the Web become a gold mine for chosen-ciphertext attacks. In this paper, we illustrate this point by examining the case of cryptographic implementations in web applications based on ASP.NET . The framework was ﬁrst released in January 2002 with version 1.0 of the .NET Framework. As of September 2010, it is believed that 25% of all the Internet web sites are developed using ASP.NET.1 Here we review ASP.NET v4.0, which was the current stable version at the time of submission. Our comments also apply to several previous versions of ASP.NET. We observe several cryptographic ﬂaws in ASP.NET v4.0. The most serious ﬂaw (which turns out to have been present in ASP.NET for almost three years) is a consequence of unauthenticated encryption. We present two practical and highly efﬁcient attacks that allow attackers to steal cryptographic secret keys, forge authentication tokens and destroy the security model of every ASP.NET v4.0 application. Both are chosen-ciphertext attacks that combine decryption oracles similar to the padding oracle introduced by Vaudenay at EuroCrypt ’02  and the CBC-R technique that Rizzo and Duong demonstrated at USENIX WOOT ’10 . The novelty of these attacks is that not only can the attacker decrypt secret data in ASP.NET, but he also can create ciphertexts that after being decrypted and processed by ASP.NET, allow him to retrieve sensitive information. The rest of the paper is organized as follows. In Section II, we give an overview of ASP.NET v4.0 and the cryptographic vulnerabilities in the framework. In Section III, we provide sufﬁcient background on decryption oracle attacks and the CBC-R technique to make the paper self-contained. In Section IV, we describe our ﬁrst attack exploiting padding oracles in the framework. In Section V, we describe our second attack, which is faster than the ﬁrst attack and does not require a padding oracle. In Section VI, we consider the practical impact of our attacks as well as countermeasures that prevent them. Our reﬂections on why cryptography is often misused in web technologies and our recommendations can be found in Section VII.
I. I NTRODUCTION At EuroCrypt 2004 Nguyen asked, “How can one know if what is implemented [in software] is good cryptography?” . This is an important question because history has shown that cryptography is often used incorrectly in both open source and proprietary software (see –). Nevertheless, despite the important role of the WWW, there is limited research available from both the cryptographic and web security communities to answer Nguyen’s question for the case of cryptographic implementations in web technologies. This paper shows that badly implemented cryptography is not limited to traditional software, but is highly pervasive in web applications as well. Since HTTP is a stateless protocol, web developers must either manage the user session state data on the server or push it to the client. For performance and scalability reasons, web developers tend to go with the latter method. They want to keep session information secret, so they correctly turn to cryptography. However, implementing crypto is error-prone. We observe that unauthenticated encryption is often used to encrypt session state data such as HTTP cookies and view states. Unauthenticated encryption is dangerous –, particularly when used in an authentication system. The ability to forge a ciphertext that decrypts to a desired plaintext allows the attacker to impersonate other users easily . Web developers also tend to use the same keys for different encryption purposes. These
1081-6011/11 $26.00 © Information Unrecognized Copyright2011 IEEE DOI 10.1109/SP.2011.42 481
it is not uncommon to see users generating their keys using online tools. 1) Padding Oracles In ASP. B. (i. 483 .3 Improper Use of Cryptographic Primitives: There are two issues in the way ASP. If this operation is successful. Beside forms authentication tickets. Since ASP. . It is important to stress that the padding oracle is just one kind of decryption oracle. The second issue is insecure key storage. In this and subsequent sections. In Section II-A. and we have found decryption oracles that are easier and faster to exploit in ASP. where b is the number of bytes in a block. The ﬁrst issue is the reuse of keys for different purposes. As previous work has demonstrated. the cryptographic API in ASP.NET: improper use of cryptographic primitives.NET application is one ﬁle disclosure. web resources and script resources.com/en-us/library/ff649308. Furthermore. decrypts it and replies to the sender whether the padding is valid or invalid. Insecure Key Management: There are three issues in how ASP. Users also typically don’t change default keys in applications downloaded from the Internet or installed by a third party. we follow the notation described in Section 4 of .axd is as follows: WebResource.NET We observe two sets of cryptographic ﬂaws in ASP. the framework uses the MAC-then-Encrypt mode for authenticated encryption. forms authentication tickets.NET developers and users.NET. plaintext cryptographic keys are stored in a ﬁle named web.aspx. users tend not to change keys during the lifetime of an application.NET uses cryptography.4 3 See 4 See http://aspnetresources.e. Finally. ASP. the handler will obtain the data from the resource stream and send it to the client together with the content type speciﬁed in the assembly attribute. The result is that attackers can recover the plaintext corresponding to any block of ciphertext using an average of 128 b oracle calls. the padding oracle attack requires an oracle that. In other words.NET.NET also uses MAC-thenEncrypt for role cookies and anonymous identiﬁcation that can also be used as padding oracles. The Padding Oracle Attack The padding oracle attack was ﬁrst introduced by Vaudenay at EuroCrypt ’02 . As explained in Paterson and Yau’s summary . on receipt of a ciphertext. an attacker can download arbitrary ﬁles inside the document root of ASP.axd and ScriptResource. we showed that web resources and script resources identiﬁers are encrypted without authentication. A. Based on the value of the web resource identiﬁer. they exist in every ASP. The last issue is that key management is left to developers and users. we showed that the framework uses cryptography to authenticate and encrypt view states. we discuss decryption oracle attacks and the CBC-R technique. The attack works under the assumption that the attackers can intercept padded messages encrypted in CBC mode and have access to the aforementioned padding oracle.NET applications given a valid encrypted d parameter. ASP.NET application).NET does not use authenticated encryption by default. but does not authenticate the ciphertext. but web resources and script resources identiﬁers do not include very sensitive information. and insecure key management. the handler then tries to load the assembly that contains this resource.microsoft. all it takes to steal these keys in any ASP.NET applications. however. we have a padding oracle here.NET provides no easy way to generate or revoke keys. D ECRYPTION O RACLE ATTACKS In this section. ASP.com/tools/machineKey http://msdn. We divide them into two different sets: 1) Authenticated encryption padding oracles: as discussed in Section II. Since this mode is vulnerable to chosen-ciphertext attacks.axd. III. They are all application independent.axd?d=encrypted_id&t=timestamp We observe two interesting things about the d parameter: 1) ASP. Websites to generate cryptographic keys are popular amongst ASP. First. Cryptographic Design Flaws in ASP.QueryString method of the Request object. encrypts all of them with the same cryptographic keys. We illustrate this point in Section V. 2) Due to a feature in ScriptResource. the handler will then look for the assembly attribute and load the resource stream from the assembly. In the last section.NET encrypts this parameter.NET. this mode is vulnerable to chosen-ciphertext attacks .NET manages cryptographic keys. . it is sometimes impossible to change keys because they are used to encrypt important information that is needed by the applications to operate properly. When forced to generate keys.config in the document root of ASP. These are pieces of information with different levels of importance. Forms authentication tickets and view states are critical to the security of ASP. Secondly. The request format for both WebResource. By default.NET uses the MAC-thenEncrypt mode to protect form authentication tickets.NET: There are several padding oracles in default components of the framework.
Suppose he wants to make Pi equal to some Px . If the victim expects the decrypted message to start with a standard header. The process is simple.. . Pi = O(Ci ) ⊕ Ci−1 he can correct by inserting a new ciphertext block Ci−3 . Algorithm 1 CBC-R. We will use them in our attacks described in Section IV and Section V.n. but it does not protect the produced ciphertext with an authentication code. pad the message. 5) Output IV and C =C1 | . ..n. . all he needs to do is to set Ci−1 = Px ⊕ O(Ci ). By repeating this operation. and set Ci−2 = Pi−1 ⊕ O(Ci−1 ).. the attacker has two consecutive plaintext blocks Pi−1 and Pi of his choice. B. if the attacker can set the IV. rb . If the attacker doesn’t control the IV. Although we are going to describe more powerful attacks in this paper.. and set Cn = r1 |r2 | . then the ﬁrst plaintext block will be random and meaningless. ASP. and other encrypted information in ASP. but the attacker can ﬁx Pi−1 by sending Ci−1 to the decryption oracle to get its intermediate plaintext.NET. For an overview of this process. P2 . First. then he can prepend the ciphertext to his CBC-R encrypted message But does this make Ci−1 decrypt to a garbled block Pi−1 ? Yes. Now. then the ﬁrst block is garbled.. Then. where the ﬁrst two characters of the decrypted identiﬁers must be in the limited set of deﬁned options. But.2) Unauthenticated encryption padding oracles: as noted in Section II. the attacker chooses a random ciphertext block Ci . Pn . Using Captured Ciphertexts as Preﬁx: If the attacker captures a ciphertext whose plaintext is a valid message. 2) Pick a few random bytes r1 . then the decrypted data will be exactly what he wants without any garbled blocks. r2 . a technique to turn a decryption oracle into an encryption oracle. CBC Decryption: Ci = CIP HK (Pi ⊕ Ci−1 ) for i=2. .NET applications. . 1) CBC-R: The CBC mode is deﬁned as follows: CBC Encryption: C1 = CIP HK (P1 ⊕ IV ). We have found two workarounds. . First introduced by Rizzo and Duong . attackers can use these padding oracles to decrypt and obtain secrets from view states. refer to Algorithm 1. |rb .. we review CBC-R. Since and the attacker can change Ci−1 . CBC-R. . Figure 1. and the attacker doesn’t control the IV. This introduces additional padding oracles into the framework. . . This is what happens with the resource identiﬁers in ASP. Turning Decryption Oracles into Encryption Oracles In this section. this technique is important because it allows attackers to create valid ciphertexts that are trusted by the target.. he can efﬁciently encrypt a complete message block by block. 2) CBC-R Without Controlling IV: We have shown that CBC-R allows the attacker to encrypt any message. the CBC-R technique allows attackers to create arbitrary ciphertexts to abuse the system. if he cannot set the IV.NET encrypts the references to script and web resources. 1) Choose a plaintext message P . then the victim will ignore the forged message constructed by CBC-R. and divide it into n blocks of b bytes denoted by P1 . starting from the last one. form authentication tickets. . −1 P1 = CIP HK (C1 ) ⊕ IV . 3) For i = n down to 1: Ci−1 = Pi ⊕ O(Ci ) 4) Set IV = C0 . |Cn . When a system assumes that a meaningful meassage obtained from the decryption of some ciphertext implies a trusted origin of it. . . and a leading garbled block Pi−2 that 484 . −1 Pi = CIP HK (Ci ) ⊕ Ci−1 for i=2. CBC-R turns a CBC decryption oracle into a CBC encryption oracle. he can make Pi equal to any arbitrary value.. He then sends Ci to the decryption oracle O to get its intermediate plaintext. Since the ﬁrst block of the CBC ciphertext stream depends on the IV.
. C1 chain. . C. .axd handler in Section II. . and set C1 = r1 |r2 | .. A. go back to step 3. This ﬁle is present in most applications and contains important secrets. including the keys necessary to forge authentication tickets and database passwords. 2) Use CBC-R and the oracle to build Cn . |Cn . Second. and Q#. hence changing C1 . Downloading the web. Or. . P2 . The attacker then uses Vaudenay’s last-bytedecryption algorithm to decrypt the last byte of Ctarget . See Algorithm 3 for a pseudo-implementation of this attack. . For an overview of this process. if the ﬁrst byte of P1 must match the message size. Using CBC-R to Attack ASP. . then generate a random C1 until a valid P1 is found. if the ﬁrst two bytes of P1 must match some magic numbers. This broken block causes the victim to reject the message. 1) Choose a plaintext message P . then we need on average 216 different C1 to get a valid message. In order to download ﬁles. In other words. Each of them can be used together with CBC-R to construct the d parameter as described in Section III-C. . .NET. this means that the ﬁrst few bytes of P1 must match some magic numbers. F IRST ATTACK : CBC-R WITH PADDING O RACLES As discussed in Section III-A1. 3) Pick a few random bytes r1 . |Pn . For example. There are also systems that accept a message if the ﬁrst byte of P1 matches its size. IV.config ﬁle is the best ﬁrst step for an attacker. CBC-R can produce many different ciphertexts that decrypt to the same plaintext block chain Pn ...NET As noted in the description of the ScriptResource. to get a valid header after decrypting: −1 Pvalid = CIP HK (Cknown |IVCBC−R |CCBC−R ). . . he can use CBC-R with the approach used in Algorithm 2 and Section III-C to build the d parameter. the ﬁnal block Cn is a random block. root directory of ASP. C2 . |Cn decrypts to Pgarbage |P2 |P3 | . Ctarget is the block that he wants to decrypt. the attacker needs to build a block decryption algorithm similar to the one described by Vaudenay . He then brute-forces the ﬁrst block until he gets one of the magic byte values.NET applications. the attacker has to ﬁgure out a reliable way to detect padding information from the WebResource. rb . The attacker wants P1 to contain a valid header. . This is a perfect application for CBCR. we will use the padding oracle in WebResource. If this is the case. Brute-Forcing C1 : The attacker can also brute-force the ﬁrst block C1 . q#. there are many application independent padding oracles in ASP.axd responses. trying an average 256 different C1 is enough to obtain a valid message. denote them ∗ P1 . the attacker has to craft a d parameter that decrypts to a string with the following format R#anything|||~/path/to/file The ﬁrst two bytes can be one of these four values r#. until a valid P1 is found. |Pn . . 4) Test if C1 |C2 | . The attacker needs Cvalid to ensure that the decryption of his message is correctly formatted as a resource identiﬁer. the attacker changes Crandom again.axd will return a 500 HTTP response if the padding is invalid and a 404 HTTP response otherwise.. .. . . if an attacker supplies a valid encrypted d parameter to the handler. Attack Implementation First. . The attacker constructs a three-block message = Cvalid |Crandom |Ctarget . . .. The attacker can use the method of Section III-B2 and Algorithm 2 to construct d with a three block message so that the last two blocks will be decrypted to garbage|||~/path/to/file. C1 so that C1 |C2 | .NET would return a 500 HTTP response even if the padding is valid. |rb . it still has a garbled block at the position of IVCBC−R . the attacker can try his luck by brute-forcing C1 . .Algorithm 2 Brute-forcing C1 . after the attacker has a reliable implementation of the block decryption algorithm. . The only difference is the ﬁrst plaintext block. A faster technique is to use CBC-R to build a chain Cn−1 . . Cvalid is a valid resource identiﬁer that is easily found in ASP.axd. which indicates that a valid padding has been found. which is computed as follows: −1 P1 = CIP HK (C1 ) ⊕ IV. |Cn decrypts to Pheader |Pgarbage |P3 |P4 | . . .. Third.NET applications. r2 .. The attacker changes Crandom until he gets a 404 HTTP response. In some systems. pad the message. . In CBC-R. 5) Output C = C1 |C2 | . C2 . Pn where P1 = Pheader |P1 . After obtaining the last byte. refer to Algorithm 2. and uses Vaudenay’s block decryption algorithm to obtain the rest of Ctarget .. unless the attacker carefully chooses a preﬁx such that the garbled block becomes part of some component that doesn’t affect the semantics of the message. While the resulting forged plaintext message will have a valid header. R#. Each different Cn yields a different Cn−1 . . If not. or ASP. In this ﬁrst attack. he can abuse the ﬁle retrieval functionality to download any ﬁle located inside the 485 . and divide it into n blocks of b bytes. . He can easily do this because WebResource. P2 . One way to do this is to change Cn .
The conversion function is non-injective. q#. Cn−1 . There is one minor issue with this approach. we describe a solution to this problem. . .axd. As described in Section V-A. 1) Pad the messsage |||~/path/to/file according to the PKCS#5 padding scheme. If not. Although here we only perform a cost analysis for the case where the attacker wants to download web. |Pn . The attacker can ensure a valid padding by appending the last two blocks of any known ciphertext to what he sends to ScriptResource. the same method can be applied to other ﬁles. 1) Find a known ciphertext in the target application. |rb . the attacker has to ﬁnd a T-block whose ﬁrst byte after decryption is “T”.config (which is 15 bytes). the attack needs on average 214 + 128 ∗ b = 214 + 128 ∗ 16 = 18432 HTTP requests.axd. C1 chain and to ﬁnd C0 as described in Section III-C.|Cn . go back to step 3. 1 2 denote its last two blocks as Cknown and Cknown . it was not possible to avoid losing a signiﬁcant number of bytes.NET. . R#. . . In the next section. the next steps are to build the CBC-R Cn . 5) Set d = C0 |C1 |. In order to trigger this decryption oracle. and set the whole result as the target P . 2) Divide P into n blocks of b bytes. the attacker needs on average 214 HTTP requests to brute-force the ﬁrst two bytes of C0 .Algorithm 3 Downloading ﬁles using CBC-R and the padding oracle in WebResource. After getting a T-block oracle. we consider the T-block oracle to be a kind of “noisy oracle” with a high signalto-noise ratio. some bits of the plaintext are lost in the T-block oracle responses. we need to ﬁgure out how to recover them. .BLOCK D ECRYPTION O RACLE A. r2 . C2 . . Since ScriptResource. . and set T = r1 |r2 | .. . Attack Cost As described in Algorithm 3. If no.|Cn . . For each block. go back to step 4. . 3) Use CBC-R to build Cn . Since each oracle call is equal to an HTTP request sent to the web server running ASP. |rb . Before sending the decrypted data to the client. |Cn decrypts to Pgarbage |P1 |P2 | .axd decrypts its input. Some pairs of bytes are converted to a single Unicode replacement character. 486 . we describe a faster attack that does not need a padding oracle. 6) Output d. . 1 2 3) Set d = T |Cknown |Cknown . The attacker needs to decrypt complete blocks to be able to encrypt using CBC-R. .axd. 2) Pick a few random bytes r1 . and the second step is to brute-force C0 . . ScriptResource. since the ﬁrst two bytes can be one of the four values r#.axd. Algorithm 4 describes this process. the attacker needs on average 128 ∗ b oracle calls for the ﬁrst step.config.NET. rb . . Since we lose some bytes in the output of the T-block oracle. An efﬁcient decryption process also accelerates the exhaustive search of the preﬁx required to download ﬁles. and send it to ScriptResource. In the next section. If the ﬁrst byte after decrypting the d parameter is “T”. V. denote them P1 . Suppose the block size b is 16.. Pn . . r2 . Although we tried reversing the framework to understand the conversion function. P2 . rb . . FASTER ATTACK : CBC-R WITH T. . The T-block Decryption Oracle in ScriptResource. The attacker generates a random block and sends that block to ScriptResource.axd performs a character encoding conversion.axd Besides the padding oracle in WebResource. Attack Implementation The attacker ﬁrst needs to ﬁnd a T-block whose ﬁrst byte after decryption is “T”. there are two independent steps in a CBC-R attack against ASP. . . . B. . The character conversion function causes two problems: • • Plaintext bytes with values larger than 0x7F are converted to the Unicode replacement character which in UTF-8 is encoded as the three bytes 0xEF 0xBF 0xBD. .axd to see if he gets an HTTP 200 response with HTML content including the decrypted data. 4) Pick a few random bytes r1 . we found another application independent decryption oracle in ScriptResource. The attacker needs just one block for |||~/web.axd to see if the HTTP response code is 200.. For the second step. What we describe in the next paragraph may not be the best possible solution to this issue. the attacker needs to ensure that the output is properly padded (or else he never gets a HTTP 200 response). . . The ﬁrst step is to construct C1 |C2 |. . Algorithm 4 Find a T-block.axd to see if /path/to/file is downloaded. . the handler will send all of the decrypted data to the client. . C1 so that C1 |C2 | . The T-block decryption oracle is much faster than any padding oracle because it requires only one HTTP request to decrypt several blocks.. and set C0 = r1 |r2 | . and Q#. 4) Output T . B. but it is efﬁcient enough for the purpose of using the T-block as part of CBC-R. so that the attacker cannot recover all the bits of the output of the T-block oracle. In this sense. and send it to ScriptResource.
config besides cryptographic keys. . The best attack requires less than 2. 4) Use T to ﬁnd a C0 whose the ﬁrst two bytes after decryption match one of the magic byte values. Note that for a particular target. Notice that Cknown would be decrypted as a known plaintext Pknown .0. a similar analysis applies to other ﬁles. the attacker needs on average 214 HTTP requests to brute-force the ﬁrst two bytes of C0 . The attacker needs just one block for |||~/web. denote them P1 . Although here we only perform cost analysis for the case where the attacker wants to download web. . P2 . C. the attack takes on average about 256+214 /10 = 1894 HTTP requests. the attacker can build a large query that contains the maximum number of blocks that ﬁt in a single HTTP request. he can then sign in as an administrator and seize control of the whole application.000 HTTP requests to steal secret cryptographic keys in ASP. |Pn . and accepts only those chunks that don’t lose any bytes.. which is equal to one HTTP request. The decryption process of the CBC mode ensures that if a byte in the decryption of the ﬁrst Ci is larger than 0x7f.) For each block. mail servers and directory services. 3) Use Algorithm 4 to ﬁnd a T-block. With these optimizations. the full ciphertext after conversion to BASE64  is approximately 2048 bytes long. He then calculates the length of each chunk. .NET. We have 487 . which is the maximum query size allowed by ASP. 5) Use CBC-R with T to build Cn . One way to solve the second problem would be to repeatedly perform requests to the oracle. 2) Divide P into n blocks of b bytes. which on average takes 256 HTTP requests.axd. then ending with 1 2 another pair of Cknown |Cknown .NET applications. The second part is the cost of CBC-R. C1 so that C1 |C2 | . which are described in this section. With 20 repetitions. |Cn . The attacker can solve the ﬁrst problem by modifying a ciphertext block to alter selected bits in the decryption of the next block. After obtaining those keys. . The attacker can then get the full plaintext of Ci by combining the bytes that he gets from the decryptions of the two Ci . Impact We have presented two attacks on ASP. . so the attacker can decrypt 10 blocks per request. In other words. then the byte at the same position in the decryption of the second Ci will be smaller than or equal to 0x7f. There is other important information inside web. and set the whole result as the target P . To reduce the number of requests. and if the attacker can gain access to those areas. 6) output d = C0 |C1 | . About half of these 20 repetitions would lose some bytes. Suppose the block size b is 16. Pn .config. . |Cn decrypts to Pgarbage |P1 |P2 | . A more efﬁcient aproach is to construct a large query such as C1 |Cknown |C2 |Cknown |C3 |Cknown | · · · |Cn |Cknown . users and developers tend to put a lot of sensitive information there. the attacker can send a ˜ four-block message in a format of Cr |Ci |Cr |Ci where Cr is ˜r is the result of changing the highest a random block and C bit of all bytes in Cr (i. In summary. . Algorithm 5 describes how the attacker can use the T-block oracle together with CBC-R to download ﬁles.Algorithm 5 Downloading ﬁles using CBC-R and the Tblock Decryption Oracle in ScriptResource. . until the output has as many bytes as expected. I MPACT AND COUNTERMEASURES A. 1 2 separated by 19 pairs of Cknown |Cknown . So. It is not uncommon to see connection strings with usernames and passwords to database stores. Attack Cost The cost of attack consists of three parts. each about 2048 bytes long. the cost of this part is negligible. he can XOR each byte with 0x80). Most applications have administration interfaces.NET v4. R#. changing part of the input. The third part is to ﬁnd a block C0 whose ﬁrst two bytes after decryption match one of the magic byte values.e. Aministration interfaces often allow unlimited ﬁle uploading. Further optimizations are possible using redudant information present in the incomplete chunks. The attacks are highly efﬁcient and have been demonstrated to work under realistic scenarios. then 20 repetitions of Cr |Ci |Cr |Ci . Since web. . The attacker can construct a ciphertext ˜ that contains a T-block. the attacker can easily create authentication tickets that he can use to sign in to any user account. . the attacker needs only one T-block oracle call. denote it as T .config (which is 15 bytes. ignores chunks that are losing some bytes.config is supposed to be private. The attacker can then split the output of the T-block oracle into chunks using Pknown as the separator. the attacker has to send a total of about 3MB of data to the server on average. the attacker can reuse T-block and C0 in subsequent attacks to download other ﬁles. Each repetition consumes 6 AES blocks. . Since the ﬁrst two bytes of C0 can be one of the four values r#. where Ci are groups of blocks that the attacker wants to decrypt and 1 2 1 2 Cknown = Cknown |Cknown . where Cknown |Cknown are the 2 last two blocks of any known ciphertext. . q#. The ﬁrst part is the cost of ﬁnding a T-block. C2 . . or 6*16 = 96 bytes. which would allow the attacker to achieve remote code execution. the attacker can use the T-block as an efﬁcient decryption oracle to attack the framework. To decrypt a block Ci . and Q#. 1) Pad the messsage |||~/path/to/file according to the PKCS#5 padding scheme. VI. .
especially the T-block attack. Canvel et al. Cryptography is difﬁcult to implement correctly.NET. Klima and Rosa  applied the idea of a “format correctness oracle” (of which the padding oracle is a special case) to construct a PKCS#7 validity oracle.NET is a hugely popular web framework.mono-project.NET. the open source implementation of ASP.vb ﬁles). are difﬁcult to detect.com/Vulnerabilities#ASP. This paper is the ﬁrst to describe step-by-step how to use decryption oracles and CBC-R to compromise any application using the ASP. our attacks. For many years. Related Work Black and Urtubia  have generalized Vaudenay’s attack to other padding schemes and modes of operations. The most serious vulnerability we discovered is the use of unauthenticated encryption.dotnetnuke. the security consequences of being able to forge JSF view states depend on how the application uses the view state information. the attack recovers the IMAP password within one hour. Most other popular web development frameworks 488 .microsoft. Using this oracle. ASP. After initial details of our attacks were released to the public . After all. therefore. and cryptographers often advise non-cryptographers not to develop their own cryptography.even seen web. the most popular public ASP.NET applications contains source code for shared classes and business objects (for example.config ﬁles that contain the password of a Domain Administrator account in Microsoft Active Directory. To emphasize the real-world impact of our attacks. they eventually released a patch that did prevent all of our attacks .asp. This is not a problem speciﬁc to ASP. Besides web. and.com/blog/ 7 See http://forums. http://sharepoint. and it is believed that 25% of the applications online are built using it. all of those thousands of requests sent to the target are encrypted.cs and .asp. But if one looks more closely at the current situation. For the Web. However. We present two practical and highly efﬁcient attacks that allow an attacker to steal cryptographic secret keys.NET_Padding_Oracle 9 See http://weblogs.com was vulnerable.NET users and developers immediately install this ofﬁcial security update to protect against these attacks. This vulnerability is exacerbated by the reuse of keys to encrypt data with very different levels of importance. we analyze and efﬁciently exploit several cryptographic ﬂaws in ASP. Countermeasures Our attacks. It is strongly recommended that ASP. the described attacks can also be used to download source code and other intellectual property. The applications are even more exposed if they use the security features provided by ASP. that number is far higher in the corporate and ﬁnancial services sectors.NET developers still have to ﬁgure out on their own how to use cryptographic primitives correctly any time they want to build a secure cryptographic protocol. we note that ASP. In other words.NET. the widely-used web application framework developed by Microsoft. let alone prevent. was also affected.net/p/1605099/4096837. it is evident that web developers and users do not have much choice.NET applications.9 The workaround focused on padding oracles. 8 See http://www. Using CBC-R.NET framework.NET. Rizzo and Duong  used padding oracle attacks to crack CAPTCHAs as well as to decrypt view states and session state data in various popular web development frameworks. they were able to decrypt one PKCS#7 formatted ciphertext byte using an average of 128 oracle calls.config. Microsoft also acknowledged that Microsoft SharePoint. DotNetNuke CMS5 . and applications such as online banking and e-commerce are prime targets for this attack. it mitigated part of the ﬁrst attack. However.NET application with over 600. countermeasures such as web application ﬁrewalls or network security monitoring can hardly detect. this was the most pratical application of the attack published.aspx. In a typical setting. an attacker can create malicious JSF view states to attack web applications. generic and efﬁcient than any previous published results involving padding oracles.8 B. The new attacks described are more dangerous.aspx. 6 See 5 See presented a padding method that prevents the attack. and impersonate any user account in ASP. was vulnerable to these attacks. especially form based authentication. C ONCLUSIONS In this paper. one of the most popular enterprise collaboration applications. After we sent more information to Microsoft. The most vulnerable software studied in  is the JavaServer Faces (JSF) framework.  demonstrated the practicality of padding oracle attacks by implementing an attack against the IMAP protocol when used over SSL/TLS.net/scottgu/archive/2010/09/18/important-aspnet-security-vulnerability. and http://www. These attacks are performed by abusing components present in every application developed using the framework. and none of them cause any suspicious logging errors. The App_Code folder in ASP. 6 Even microsoft. C. it completely failed to address the second attack. Files within App_Code and any other ﬁles inside the document root of applications can be stolen.7 It is also worth noting that Mono. Microsoft released an immediate workaround. .000 installations.com. VII. has been demonstrated to be vulnerable to these attacks. However.
2005. Wagner. “Security in the Real World: How To Evaluate Security Technology.” in Proceedings of the 9th conference on USENIX Security Symposium-Volume 9. “Password Interception in a SSL/TLS channel. we would like to thank William Robertson. http://www.  H. “Cryptography in NaCl. pp.  V. K. R EFERENCES  P. pp. A. USENIX Security Symp.” in Proceedings of the Sixth Usenix Unix Security Symposium. Agustin Gianni and especially Huong Lan Nguyen for the care with which they reviewed the original draft. “Lessons Learned in Implementing and Deploying Crypto Software.  S. 66–71. 1. 2004. Namprempre. Python. Gutmann. Acknowledgments We are grateful to many people for their help in writing this paper.microsoft. PHP.” NIST Special Publication. The development and popularization of high-level cryptographic toolkits that include authenticated encryption such as Keyczar .  I. 12–29. 1992. pp. “Side Channel Attacks On CBC Encrypted Messages in the PKCS# 7 Format. Stubblebine and V. 2010. 180–189. “NIST Recommendation for Block Cipher Modes of Operation. and B.  E. “Intercepting Mobile Communications: The Insecurity of 802. The next step might be the integration of these cryptographic toolkits into mainstream web development frameworks. 1995–1995.  B. Giang Duc Pho. Bellare and C. T.” in Research in Security and Privacy. 2.  S.do not provide their users and developers easy and secure ways to use cryptography . and D. Yu. http://www. Microsoft Security Bulletin MS10070 . “A Chosen-Ciphertext Attack against Several E-mail Encryption Protocols. ACM. Base32. “Cryptography in Theory and Practice: The Case of Encryption in IPsec. 2002. First of all. 18.” EKOPARTY. “Can We Trust Cryptographic Software? Cryptographic Flaws in GNU Privacy Guard v1. Canvel. 310–331. This is not just a theoretical problem. Mitchell. and R. USENIX Association. p. 9. 7. 2.  P.  T. Last visited. Springer. Rizzo. “RFC 3548-The Base16. “Padding Oracle Attacks on CBC-mode Encryption with Secret and Random IVs. vol. p. Bellovin. IETF. Hudson. pp. [Online]. 2001.” 2008.org/.” in Advances in CryptologyEUROCRYPT 2002. and Base64 Data Encodings. 2004. p. “Cryptlib Encryption Tool Kit. 241. “Security Flaws Induced by CBC PaddingApplications to SSL.” USENIX WOOT. vol. 85–104. IEEE. 15. 555– 570. 2006. and K. 2004. Cryptlib . vol. “Side-channel Attacks On Symmetric Encryption Schemes: The Case for Authenticated Encryption. Vuagnoux. 4. pp. “Implementation of Chosen-Ciphertext Attacks against PGP and GnuPG.  N. “Padding Oracles Everywhere.”  A. Nguyen. 90–101.” Information Security. Engelschall. 2001.” IACR ePrint Archive.” Computer Security Journal. Raeburn. 2008. “The Perils of Unauthenticated Encryption: Kerberos Version 4. We would also like to thank Kenneth Paterson and Serge Vaudenay for their encouragement and instruction. Citeseer.Vulnerability in ASP. provide cryptography libraries as bindings to OpenSSL . Unauthenticated encryption should be considered harmful. rather. Ned Bass and the anonymous reviewers for their work and valuable comments that have signiﬁcantly improved the quality of our initial manuscript. 1996.  J.” 2003. Vaudenay. Springer. Gutmann. no.  M.” 2008. Methods and Techniques. and for conversations that clariﬁed our thinking on this and other matters. 2011. 299– 319. 1992 IEEE Computer Society Symposium on.”  S. Paterson and A. An. 2003. 1996. “Authenticated Encryption: Relations Among Notions and Analysis of the Generic Composition Paradigm.” Advances in Cryptology-CRYPTO 2003. 2000.  M.com/technet/security/bulletin/ms10070. and M. 2002. “On Message Integrity in Cryptographic Protocols. no.NET. Dworkin. 2004.” in Proceedings of the 7th annual international conference on Mobile computing and networking.  K. T. 1999. Hartman. Schneier.” Journal of Cryptology. Bellare. Klima and T.NET Could Allow Information Disclosure. Our thanks to Michal Trojnara. “Randomness and the Netscape Browser. “On the Security of Joint Signature and Encryption. and C. 83–107. Goldberg. 583–599.  K. Gligor. “Problem Areas for the IP Security Protocols. “Breaking and Provably Repairing the SSH Authenticated Encryption Scheme: A Case Study of the Encode-then-Encrypt-and-MAC Paradigm. NDSS.” Topics in Cryptology–CTRSA 2004. Borisov. Duong and J.  A. Vaudenay.” in Advances in Cryptology-EUROCRYPT 2004. Springer.  ASP. Yau.” World Wide Web.  J. pp. 2002.3. including Ruby. 21. Available: http://www. vol.  S. 2002.” in Advances in Cryptology—CRYPTO 2001.asp. Any cryptographic API should use authenticated encryption whenever its users want to encrypt data. pp.net. Namprempre. “Practical Padding Oracle Attacks.  M. vol. 2002. pp. While OpenSSL is powerful. Wagner. “The Order of Encryption and Authentication for Protecting Communications (or: How Secure Is SSL?). Bernstein. Krawczyk. Rabin. unauthenticated encryption has repeatedly led to devastating attacks against real systems. S. 21. “OpenSSL: The Open Source Toolkit for SSL/TLS. Goldberg and D. pp. Dodis. Springer. Josefsson. Young. 98. 1. p.” ACM Transactions on Information and System Security (TISSEC). vol. and NaCl  is the ﬁrst step to providing secure cryptographic software libraries to the general public. pp. pp. Luciano Notarfrancesco.  J. no. Peter Gutmann. pp. pp. it is a low-level library that again requires its users to know how to use cryptographic primitives securely. Black and H.11. Rosa. Dey and S. pp. Paterson. Urtubia. 489 . Springer.” in Proc. Schneier. vol.. and C. Hiltgen. 469–491. 2003.  T. 4.”  K.” Dr Dobb’s Journal-Software Tools for the Professional Programmer. Duong. Katz.  P. 534–545.  J.” Advances in Cryptology-EUROCRYPT 2006. I. Jallad. 2003. Agustin Azubel. Rizzo and T. 4. Schneier. J.mspx  B. Y. Proceedings. Matias Soler. and T. “Keyczar: A Cryptographic Toolkit.” in Proc. Yau. Kohno. “The Ofﬁcial Microsoft Web Development Framework. S. no. Katz and B.  D.  Microsoft. 2010.” in Fast Software Encryption. 205–214. Yau. Popular scripting languages.” in Advances in CryptologyEUROCRYPT 2002. Paterson and A. pp.openssl. Weis. “Padding Oracle Attacks On the ISO CBC Mode Encryption Standard. 315–325.
This action might not be possible to undo. Are you sure you want to continue?
We've moved you to where you read on your other device.
Get the full title to continue listening from where you left off, or restart the preview.