Mailing List Archive: GnuPG: devel

OT: Padding Oracle Attacks

 

 



nicholas.cole at gmail

Sep 18, 2010, 8:20 PM

Post #1 of 4
OT: Padding Oracle Attacks

There has been quite a lot on the net lately about Padding Oracle
Attacks, said to affect many secure web applications.

http://www.theregister.co.uk/2010/09/14/web_apps_crypto_flaw

I was interested to see that the new Diaspora Social Networking
software, which uses gpg internally (though presumably not for all
things) is also said to suffer from this sort of flaw.

I've come across two interesting descriptions of the attack:

http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/
https://media.blackhat.com/bh-eu-10/whitepapers/Duong_Rizzo/BlackHat-EU-2010-Duong-Rizzo-Padding-Oracle-wp.pdf

Am I right that this is exactly the sort of attack that the MDC in gpg
is designed to prevent?

Best wishes,

Nicholas

_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


tom at ritter

Sep 20, 2010, 8:25 AM

Post #2 of 4
Re: OT: Padding Oracle Attacks [In reply to]

> I've come across two interesting descriptions of the attack:
>
> http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/
> https://media.blackhat.com/bh-eu-10/whitepapers/Duong_Rizzo/BlackHat-EU-2010-Duong-Rizzo-Padding-Oracle-wp.pdf

The GDS blog post is the best visual example of how the Padding Oracle
can be used to decrypt data that I've seen. Thai and Julian's
presentation linked, as well as the recent one at Ekoparty, are
excellent weaponizations.

> Am I right that this is exactly the sort of attack that the MDC in gpg
> is designed to prevent?

I don't know much about the MDC in gpg - I'm curious how it differs
from an HMAC. If the MDC is checked before decryption is attempted, it
should thwart the attack, because gpg would fail with an error
indicating an incorrect MDC, rather than a message indicating the
padding is incorrect (for the 255 bad padding values) or the MDC is
incorrect (for the 1 good padding value but bad MDC). This ordering
is vital, and what leads to the ASP.Net encrypted viewstate being
vulnerable. There is an HMAC on the viewstate, but the HMAC is
checked _after_ the viewstate decryption is attempted.

Colin Percival has a good blog post explaining this concept as well:
http://www.daemonology.net/blog/2009-06-24-encrypt-then-mac.html

-tom

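To make the ordering point in Tom's reply concrete, here is an added example (my code, not anything from this thread, GnuPG, or the linked papers). It uses a toy 128-bit Feistel cipher keyed with HMAC-SHA256 as a stand-in for AES so that it runs on the Python standard library alone; the keys, message, and all function names are constructed for the example. Two decryptors are built over the same CBC/PKCS#7/HMAC construction: one verifies the HMAC after decrypting and unpadding (the viewstate ordering), the other verifies it over the ciphertext first. A small leak check then shows that the first decryptor reports two different failure messages for corrupted input while the second always reports one.

```python
# Added example: why the HMAC must be verified before decryption and unpadding.
# Toy cipher, constructed keys and message; not GnuPG code.
import hashlib
import hmac
import os

BLOCK = 16   # cipher block size in bytes
ROUNDS = 4   # Feistel rounds in the toy cipher
TAG = 32     # HMAC-SHA256 tag length


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, rnd, half):
    # Feistel round function: HMAC-SHA256 truncated to the 8-byte half block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key, block):
    # 128-bit Feistel network standing in for AES so no third-party library is
    # needed. The CBC and MAC-ordering logic below is the point of the example.
    left, right = block[:8], block[8:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right


def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    out, prev = bytearray(), iv
    padded = pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += _xor(block_decrypt(key, c), prev)
        prev = c
    return pkcs7_unpad(bytes(out))


def _tag(mac_key, data):
    return hmac.new(mac_key, data, hashlib.sha256).digest()


def seal(enc_key, mac_key, plaintext, iv=None):
    # Encrypt-then-MAC: the tag covers the IV and the whole ciphertext.
    iv = iv or os.urandom(BLOCK)
    body = iv + cbc_encrypt(enc_key, iv, plaintext)
    return body + _tag(mac_key, body)


def open_mac_after_decrypt(enc_key, mac_key, msg):
    # The viewstate ordering: decrypt and unpad first, verify the tag second.
    # A corrupted message can now fail in two distinguishable ways.
    body, tag = msg[:-TAG], msg[-TAG:]
    plaintext = cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:])  # may raise "bad padding"
    if not hmac.compare_digest(_tag(mac_key, body), tag):
        raise ValueError("bad mac")
    return plaintext


def open_mac_before_decrypt(enc_key, mac_key, msg):
    # Verify the tag over the ciphertext before the padding is ever looked at;
    # every corrupted message fails at the same step with the same message.
    body, tag = msg[:-TAG], msg[-TAG:]
    if not hmac.compare_digest(_tag(mac_key, body), tag):
        raise ValueError("invalid message")
    return cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:])


def failure_messages(opener, enc_key, mac_key, msg, pos):
    # Leak check for a decryptor: set the byte at pos to each of its 256 values
    # and collect the distinct error strings reported. A safe decryptor gives one.
    seen = set()
    for v in range(256):
        corrupted = msg[:pos] + bytes([v]) + msg[pos + 1:]
        try:
            opener(enc_key, mac_key, corrupted)
        except ValueError as e:
            seen.add(str(e))
    return seen


ENC_KEY, MAC_KEY = b"k" * 16, b"m" * 16                    # constructed keys
MESSAGE = seal(ENC_KEY, MAC_KEY, b"20 bytes of payload!")  # constructed message
# Last byte of the ciphertext block preceding the final one: the byte whose
# value decides the last padding byte of the decrypted message.
PROBE_POS = len(MESSAGE) - TAG - BLOCK - 1

if __name__ == "__main__":
    print("MAC after decrypt :", failure_messages(open_mac_after_decrypt, ENC_KEY, MAC_KEY, MESSAGE, PROBE_POS))
    print("MAC before decrypt:", failure_messages(open_mac_before_decrypt, ENC_KEY, MAC_KEY, MESSAGE, PROBE_POS))
```

The leak check is something to run against your own decryptor, not a measurement of anybody else's: if it reports more than one failure class for the same corrupted position, the padding and the MAC are being checked in the wrong order, or their failures are being reported differently. Note also that the safe variant only ever exposes the ciphertext to `cbc_decrypt` after `compare_digest` has passed, so no padding error can reach the caller at all.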


nicholas.cole at gmail

Sep 20, 2010, 2:13 PM

Post #3 of 4
Re: OT: Padding Oracle Attacks [In reply to]

On Mon, Sep 20, 2010 at 4:25 PM, Tom Ritter <tom [at] ritter> wrote:
>> I've come across two interesting descriptions of the attack:
>>
>> http://www.gdssecurity.com/l/b/2010/09/14/automated-padding-oracle-attacks-with-padbuster/
>> https://media.blackhat.com/bh-eu-10/whitepapers/Duong_Rizzo/BlackHat-EU-2010-Duong-Rizzo-Padding-Oracle-wp.pdf
>
> The GDS blog post is the best visual example of how the Padding Oracle
> can be used to decrypt data that I've seen.  Thai and Julian's
> presentation linked, as well as the recent one at Ekoparty, are
> excellent weaponizations.
>
>> Am I right that this is exactly the sort of attack that the MDC in gpg
>> is designed to prevent?
>
> I don't know much about the MDC in gpg - I'm curious how it differs
> from an HMAC.  If the MDC is checked before decryption is attempted, it
> should thwart the attack, because gpg would fail with an error
> indicating an incorrect MDC, rather than a message indicating the
> padding is incorrect (for the 255 bad padding values) or the MDC is
> incorrect (for the 1 good padding value but bad MDC).  This ordering
> is vital, and what leads to the ASP.Net encrypted viewstate being
> vulnerable.  There is an HMAC on the viewstate, but the HMAC is
> checked _after_ the viewstate decryption is attempted.
>
> Colin Percival has a good blog post explaining this concept as well:
> http://www.daemonology.net/blog/2009-06-24-encrypt-then-mac.html

The workings of the MDC are set out here:

http://tools.ietf.org/html/rfc4880 (see section 5.13).

It isn't clear to me after reading that whether this kind of attack would
be thwarted by the MDC or not.

--Nicholas



wk at gnupg

Sep 24, 2010, 1:13 AM

Post #4 of 4
Re: OT: Padding Oracle Attacks [In reply to]

On Mon, 20 Sep 2010 23:13, nicholas.cole [at] gmail said:

> It isn't clear to me after reading that whether this kind of attack would
> be thwarted by the MDC or not.

First of all you can't mount a padding attack on an OpenPGP ciphertext
because CFB mode is used which does not need any padding by design.

The MDC was introduced to detect message manipulation for encrypted-only
messages. The more common case is to sign and encrypt a message which
adds explicit manipulation detection and would not need an MDC;
we use it anyway.

Thwarting oracle attacks is never easy but there are some simple rules
you can follow: Do not return detailed error codes, batch up requests
and responses, detect the use of your service as an oracle (similar to
DoS prevention). For OpenPGP this is in fact all easily doable because it
is not an online protocol. If you try to use it with an online protocol
(i.e. through CGIs) you need to take the above precautions. In any case
we tried to make it hard to use GPG as an oracle.


Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are governed by a federal law.


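Werner's two points, that CFB needs no padding and that an MDC detects manipulation without returning detailed error codes, can be seen in a short added example (my code, written for this page; it is not GnuPG or libgcrypt code). It follows the shape of the integrity-protected packet in RFC 4880 section 5.13 in simplified form: a random prefix block with its last two bytes repeated, the data, the two-byte MDC packet header, and a SHA-1 hash over all of that, encrypted as one stream in plain CFB mode with a zero IV; the packet framing around it is left out. The block cipher is a keyed HMAC-SHA256 stand-in for AES, which works here because CFB only ever calls the cipher's forward direction; the key and all names are constructed assumptions.

```python
# Added example: CFB mode adds no padding, and an MDC-style check reports one
# generic failure. Simplified after RFC 4880 5.13; stand-in cipher; not GnuPG code.
import hashlib
import hmac
import os

BLOCK = 16
MDC_HEADER = b"\xd3\x14"   # MDC packet tag (0xD3) and length (20), hashed with the data
HASH_LEN = 20              # SHA-1 output length


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _forward(key, block):
    # Stand-in for the block cipher's forward (encryption) direction. CFB uses
    # only this direction for both encryption and decryption, so a keyed
    # 16-byte PRF lets the mode run on the standard library alone.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb_encrypt(key, iv, data):
    # Keystream block = forward cipher of the previous ciphertext block. The
    # last chunk is simply XORed with a truncated keystream: no padding, and
    # the ciphertext is exactly as long as the plaintext.
    out, reg = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        c = _xor(data[i:i + BLOCK], _forward(key, reg))
        out += c
        reg = c
    return bytes(out)


def cfb_decrypt(key, iv, data):
    out, reg = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out += _xor(c, _forward(key, reg))
        reg = c
    return bytes(out)


def seal_with_mdc(key, plaintext, prefix=None):
    # Prefix (random block + its last two bytes repeated), data, MDC header,
    # then SHA-1 over all three; everything is encrypted with a zero IV.
    rnd = prefix or os.urandom(BLOCK)
    body = rnd + rnd[-2:] + plaintext + MDC_HEADER
    return cfb_encrypt(key, bytes(BLOCK), body + hashlib.sha1(body).digest())


def open_with_mdc(key, ciphertext):
    # Decrypt the whole stream, then evaluate every check (length, prefix
    # repeat, header, hash) into one boolean and raise one generic error, so
    # the caller cannot tell which check failed.
    data = cfb_decrypt(key, bytes(BLOCK), ciphertext)
    body, mdc = data[:-HASH_LEN], data[-HASH_LEN:]
    ok = len(body) >= BLOCK + 2 + len(MDC_HEADER)
    ok &= body.endswith(MDC_HEADER)
    ok &= body[BLOCK:BLOCK + 2] == body[BLOCK - 2:BLOCK]
    ok &= hmac.compare_digest(hashlib.sha1(body).digest(), mdc)
    if not ok:
        raise ValueError("invalid message")
    return body[BLOCK + 2:-len(MDC_HEADER)]


def ciphertext_overhead(key, plaintext):
    # Bytes added beyond the plaintext: prefix (18) + header (2) + hash (20).
    # Constant for any plaintext length; nothing is rounded up to a block.
    return len(seal_with_mdc(key, plaintext)) - len(plaintext)


def rejects_tampering(key, plaintext, pos):
    # Flip one bit of the ciphertext at pos and report whether the MDC catches it.
    ct = bytearray(seal_with_mdc(key, plaintext))
    ct[pos] ^= 0x01
    try:
        open_with_mdc(key, bytes(ct))
    except ValueError:
        return True
    return False


KEY = b"\x01" * BLOCK   # constructed key

if __name__ == "__main__":
    sealed = seal_with_mdc(KEY, b"literal data")
    print(len(sealed), open_with_mdc(KEY, sealed), rejects_tampering(KEY, b"literal data", 20))
```

Two design choices follow Werner's advice directly: the four checks in `open_with_mdc` are combined with `&=` rather than short-circuited, so every check runs regardless of earlier results, and only one error string exists, so an online caller gets no detailed error code to build on. The prefix-repeat check (the "quick check" of the RFC) is folded into the same result for the same reason.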
