How the POODLE attack was used to exploit Security protocol SSL v3.0

-

POODLE stands for Padding Oracle On Downgraded Legacy Encryption. It was a significant security vulnerability where SSL v3.0 can be attacked and the encrypted data between the computers and servers can be potentially intercepted and decrypted.
Too much tech grammar? ... Dont worry as I will demystify this as easy as possible to you. Just stay with me.

Encryption is an algorithm that converts plain-text to a chipher/encrypted text with the aid of a secret key. If encryption is properly done then there is assurance that the data is kept confidential as it cannot be easily decrypted by any malicious person since he has no knowledge of the secret key.

Poodle attacke on the other hans allows the malicious person to decrypt some of the SSL v3.0 trafic. With this they may then be able to get enough information to get access to the victims secured  online accounts
This is how the attack works.

1. Imagine you are browsing a secure web say your internet banking platform that is using SSL v3 security protocol. You enter your credentials and click login, the following happens:

2. In SSL v3, the first thing that is done in encrypting the data is to compute a Message Authentication Code (MAC). This serves a a cryptographic checksum ensuring the integrity and authenticity of the data. Note that the MAC can only be computed by parties that have access to the right cryptographic keys. These parties will of course be the client and the server.
So if a malicious person tries to modify the data through Man-in the Middle attack and he doesn't have the cryptographic key, he would be unable to update the MAC value and hence the system will detect that the data lacks integrity and throws it out.

3. After the MAC has been computed there are some paddings that have to be place after the MAC. Padding is placed because many popular encryption algorithms require that the data been encrypted should have a length which is a multiple of a particular size.
For example,
  • AES the length has to be a multiple of 16 bytes 
  • DES the length has to be a multiple of 8 bytes
4. So if the data being encrypted does not have the right length it can simply pad it up to the the exact length as per the encryption.

5. The padding approach used in SSL v3 is fairly simple. It is done as seen below
  • Generate a random byte values  and
  • Generating a final value that indicated the size of the padding ie how many bytes were padded.
6. With this we now have a full payload to be encrypted and sent to the server. These are:
  • The Original data
  • The Message Authentication Code (MAC)
  • The Padding with its padding size

There were however flaws in this method of padding

6. The full payload which we already know contains the actual data, the MAC and the padding are then encrypted.

7. The method used for the encryption is called the Cipher Block Chaining Mode (CBC mode)

8. CBC is achieved by breaking the entire data (which is the payload), and breaking them into chunks of blocks.

9. Each chunks of block is then encrypted. Now the interesting part is that all blocks relate and are dependent on each other. That is, the value of the encryption of the 1st block is used to compute the encryption of the 2nd block.etc. This method is called the Exclusive OR (XOR) operation

10. Decrypting the just requires the reverse of the entire process. Which is decrypting the last block and working all the way to the first block.

11.  After the decryption of the payload is done the recipients will then perform the following

  • Look at the length of the padding to know how much padding to remove
  • When the padding is removed the next value in the payload is the MAC value
  • The MAC is then checked to verify the authenticity and integrity of the data.
  • If the MAC check fails the recipient will drop the connection
  • However if the MAC check is successful a session is created for the communication.

How an Attacker takes advantage of these flaws
There are 2 types of errors in SSL v3 decryption which are

  • Padding error
  • MAC error

These errors are the give-aways in the PODDLE attack. A malicious person attacking using PODDLE  must be able to identify and mostly distinguish between these errors.
Let me explain

Supposes an attacker has intercepted an encrypted text and he wants to decrypt it he will perform the following

  • Submit a crafted encrypted text and send it to the server
  • The server will decrypt the encrypted text and check to see if the padding is valid
  • If the padding is invalid it will generate a Padding error and drop connection
  • If however, the padding is correct it will check to see if the MAC is valid. Now since it is not the original message but a crafted one, the MAC will be invalid and thus a MAC error is generated and connection is droped.

Now what the attacker is actually looking for is the MAC error. This is because the MAC error tells him that the Padding was successful.

This type of attack can also be referred to as a CHOSEN CIPHERTEXT ATTACK

This permutations will be continued by the attacker until he completes guessing out all the bytes making up the encrypted text.

SSL and earlier versions of TLS (1.0) echoed these error messages making them vulnerable to the PODDLE attack

So how does he really use the Padding error to arrive at the encrypted text
Recall that the full payload to be encrypted will be broken down into chunks of blocks and encrypted.
Also recall that I said the blocks are related to each other. Good.

  1. Lets assume the attacker intercepted a message and placed the letter "T" in the last byte of the first block.
  2. The attacker also adds a guess padding to the message say x02. Thus we have a complete crafted message of Tx02.
  3. Remember the encryption value of the first block will be used to encrypt the second block.
  4. When decryption is to be performed the 2nd padding will need the value and the padding constructed in the 1st block which it Tx02.
  5. If a padding error occurs during the decryption, then our guess "T" is wrong and our padding x02 is invalid.
  6. However if the padding is right it tells us that the MAC address is wrong because the guess "T" is not the entire encrypted text.
  7. But since the error we are now getting is the MAC, this means that the Padding was correct.
  8. For the padding to be correct means our guess of "T" is right.
  9. The attacker will continue with these guesses until all encrypted values are revealed.

 Now because of these attack most server have stepped up their prefered security protocols to TLS 1.1 and 1.2.
However for backward compatibility to some clients some server still keep the legacy security protocols (SSLv3 and TLS 1.0).
When a secure communication is to be established (HANDSHAKE) the prefered security protocol is negotiated between the client and the server (for clarity on this read my post on:
HTTPS Secure connection Handshake: 11 Steps on how its established

Attacker have found another way to ensure that the security protocol is always downgraded to SSLv3 for the handshake so that they can mount the PODDLE exploit on the unsuspecting victim.
This is why it is not advisable for a server servicing sensitive transaction and medical data to support SSLv3 and TLS1.0. Please note this.

How to prevent the PODDLE attack

  1. Avoid the use of obsolete browsers. Its important that you update your browser to teh most recent version.
  2. Ensure servers handling sensitive data have SSLv3 and TLS1.0 support disabled. With this implemented, such server will no longer be able to HANDSHAKE with the security protocols.
Wow this was a lot more complex than I thought. i hope you didn't sleep off on me.
Anyways thanks for reading my post.
Please do not hesitate to send me feedback through comments.

Cheers

Comments

Post a Comment

Popular posts from this blog

Auditing Virtualization

-
Image
Virtualization is the process of creating virtual, representation of an entity, such as virtual applications, servers, storage and networks. It is the single most effective way to reduce IT expenses by reducing hardware footprint while boosting efficiency and agility for all size businesses. However good as it is, virtualization can create a single point of failure if poor implementation introduced a security flaw to the system. In this post I will be sharing with you how to audit virtualization.
Read more

How to Identify if the capacity of your FLASH storage device is genuine or counterfeit

-
Image
Have you at some time purchased a flash drive  or memory card that always stored corrupt data? You paid for a 64gig memory card and all you stored in it is simply just got corrupted. I have been a victim several times even with reputable retailers. These counterfeit flash storages are low capacity in nature, devices that have been maliciously altered so that they appear to have much more capacity than its original. An example is the 64 gig memory card I purchased which ended up having actual capacity of 2gig. So I actually paid for 2gig. Now I didn't get to know this on time because I actually copied a video file inside it as a test which checked out fine. The video file size was 1.5gb. I was able to play the video with no issue of corruption. Thus I "Assumed" the flash was genuine. Boy was I wrong. Later in the week I decided to do a major backup of my mobile phone since I was purchasing another one. After the backup, I formatted ...
Read more

Address Resolution Protocol (ARP): Understanding the basics

-
Image
Address resolution Protocol or ARP for short is basically used to resolve an IP address to a MAC address. A MAC address is a unique identifier for any device. And since we are talking networking today, The mac address we will be concentration on is that of a network device. Its important to note that, no two device can have the same mac address. Whenever a network device needs to communicate with another network device in a Local Area Network, it needs the MAC address of that device. This is where ARP comes to play. Lets take a look at the scenario bellow to clearly understand this concept: 1. There are 2 computers say A and B on the network. 2. They have both been assigned an IP address as seen below:        A: 192.168.0.1        B: 192.168.0.2 3. Computer A needs to communicate with computer B. 4. It looks at a list for the IP address to see if it has a corresponding MAC address. This list is called an ARP Cache. 5. If the en...
Read more