CS2107 Padding Oracle Attack

00:00

hey everyone in cs 107 one of the more

00:03

interesting attacks covered is the

00:04

padding oracle attack it's not

00:06

particularly easy to wrap your head

00:08

around the attack at first simply

00:09

because there are quite a few moving

00:11

parts and the xor operations involved

00:12

don't exactly lend themselves to quick

00:14

and easy interpretation this video aims

00:17

to provide an intuitive understanding

00:18

and explanation for the mechanics behind

00:20

the attack the padding oracle attack

00:22

really isn't that unapproachable once

00:24

you break it down the first part of this

00:25

video will be dealing with the context

00:27

and setup of the attack while the second

00:29

half will delve into the mechanics

00:30

behind the attack now let's begin what

00:33

exactly is the padding oracle attack

00:35

well it provides a way for an attacker

00:36

to retrieve the original plaintext from

00:38

just the ciphertext alone but this is a

00:40

rather generic definition a lot of

00:42

attacks aim to do this instead what

00:44

really defines a padding oracle attack

00:46

is the context in which it is set up and

00:48

there are four main parts in this

00:49

context the xor operation a block cipher

00:52

using cipher block training or cbc mode

00:54

the padding standard and as well and

00:56

last but not least an oracle

00:58

let's go through each of these parts in

00:59

turn firstly the xor operation now i'm

01:02

sure most of you will be familiar with

01:03

the xo operation it's a very simple bit

01:05

operation that computers do all the time

01:08

i provided the xor table in the top

01:09

right hand corner over here for your

01:10

reference but there are two things about

01:12

the xor operation that are pertinent to

01:14

our discussion today the first is the

01:16

fact that xor operations are done bit by

01:18

bit by by what i mean by this is that if

01:21

you xor two sequences of bytes as shown

01:23

in this diagram over here the output

01:25

obtained is determined by comparing the

01:27

bytes in each lane

01:28

now this might seem like a very obvious

01:30

thing in the most of you but the point

01:31

i'm driving towards is the fact that if

01:33

i change one of the operand bytes say

01:35

the one right over here

01:37

only the bytes in this particular lane

01:39

will be affected

01:40

all the other lanes remain unaffected so

01:42

this means that when we want to

01:43

manipulate bytes in an xor operation we

01:45

only need to focus our attention on the

01:47

particular lane of interest

01:49

the xor operation also has another

01:51

peculiar property well firstly it's a

01:53

binary operation so it takes two

01:55

operands and returns one result so let's

01:57

say we have a xo of b giving us c that's

02:00

a total of two plus one equals three

02:02

entities involved correct well the thing

02:04

about the xo operation is that if you

02:06

take any two of these three entities and

02:09

you xor them you'll always get back the

02:11

third entity if you don't believe me you

02:13

can try it out for yourself

02:14

in this case we can take b x or to c to

02:17

give us back a we can also take a x or c

02:20

to give us back b this peculiar property

02:23

of the xor operation is repeatedly used

02:26

when we understand when we try to

02:27

understand and analyze the padding

02:29

oracle attack

02:31

next up we have the block cipher let's

02:33

focus on how block ciphers perform

02:35

decryption the encryption process is

02:37

just the reverse of the decryption

02:38

process so i won't be spending much time

02:40

on that

02:41

block ciphers take a ciphertext as input

02:43

and it will break up this input into

02:45

blocks of a certain fixed size in my

02:47

diagram over here i broke up the

02:48

ciphertext into eight byte blocks where

02:50

each of these little squares over here

02:52

represents one byte

02:54

then the block cipher proceeds to run a

02:55

decryption algorithm on each of these

02:57

blocks

02:58

the output plain text blocks can then be

03:00

concatenated to retrieve the original

03:02

plaintext now block ciphers have

03:05

different modes of operation

03:06

one mode of operation that we're

03:08

interested in is the cvc mode or cipher

03:10

block chaining mode

03:12

during the decryption process in cbc

03:14

mode the decrypted cipher text block

03:16

will also be xor with the previous

03:18

ciphertext block in order to retrieve

03:20

the plaintext block now this is quite a

03:22

mouthful so i personally prefer to just

03:24

trace through the diagram it's quite

03:25

easy to understand such diagrams if you

03:27

interpret all of these arrows it's kind

03:29

of like pipes for which all of these

03:31

bytes can flow through if we focus our

03:33

attention on ciphertext block number two

03:35

over here which i've drawn to be eight

03:36

bytes long and i'm representing it in

03:38

red

03:39

it will first be put through the block

03:41

cipher decryption algorithm let's treat

03:43

this algorithm as a black box the actual

03:45

algorithm and the implementation of it

03:47

does not matter do not matter for the

03:49

purposes of our discussion

03:51

after putting it through the

03:53

this particular black box we get an

03:55

output of eight bytes as well

03:57

note that this output will almost

03:59

certainly be different from the initial

04:00

ciphertext plot so i've drawn them in

04:02

different colors in this case blue

04:04

then we'll be taking the previous

04:06

ciphertext block the one illustrated in

04:08

green over here and we'll be performing

04:10

an xor operation giving us the plain

04:12

text block drawn here in yellow

04:15

now the same decryption process is

04:16

repeated for each and every single

04:18

ciphertext block so when we perform an

04:20

analysis we can simply focus our

04:22

attention to just this portion over here

04:25

because this entire portion is simply

04:27

repeated again and again and again for

04:29

all of the remaining blocks

04:31

next up we have the padding standard

04:33

since we're using a block cipher what

04:35

happens when our input can be nicely cut

04:37

out into these same size blocks in other

04:39

words what happens when our input size

04:41

isn't an integer multiple of the block

04:43

size such as this case here where we

04:45

only have six bytes in the last portion

04:48

which isn't enough to make an eight byte

04:49

block

04:50

the solution is very simple we can

04:52

simply add bytes at the end padding it

04:55

until we have enough bytes to form a

04:56

full block in this case we'll just be

04:58

adding two bytes but the question

05:00

remains what should these two added

05:02

bytes be we can't possibly fill them up

05:04

with random bytes right this is where

05:06

the padding standard comes in and there

05:08

are many different padding standards out

05:09

in existence but we'll focus on pkcs

05:12

number seven and the idea behind pkcs

05:14

number seven is actually very simple if

05:16

you have to pack one byte you'll pair it

05:18

with zero one if you have to pad two

05:20

bytes you pair it with zero two zero two

05:23

if you had the pad three bytes you

05:24

paired it with 030303

05:26

and so on i hope you get the idea

05:28

if the last block is full meaning it has

05:30

in our case a full 8 bytes then we have

05:33

to add an extra block of all zeros

05:36

finally we come to the last part of the

05:37

context the padding oracle now this is

05:40

the most interesting mechanism involved

05:42

but actually an oracle is very very

05:44

simple it's just a black box that

05:46

answers a certain question you give it

05:48

some input and

05:49

then oracle will answer yes or no

05:51

depending on the question that it's

05:52

designed to answer

05:54

in our case we're going to use a padding

05:56

oracle where we give the oracle some

05:58

ciphertext input and it will answer the

06:00

question on whether or not the decrypted

06:02

plain text has valid padding according

06:04

to the padding standard adopted in our

06:07

case we'll be using pkcs number seven as

06:09

was mentioned two slides ago

06:11

note this means that the padding oracle

06:13

actually performs decryption so it will

06:15

know the secret key and which encryption

06:17

algorithm to use it's just that it

06:19

doesn't reveal this key or anything else

06:21

that is sensitive it only reveals

06:23

whether or not the decrypted plain text

06:25

has valid padding nevertheless it is

06:27

important to recognize that a padding

06:28

oracle itself is capable of and will

06:31

perform decryption of the input cipher

06:33

text

06:35

so after all of this we now have a good

06:37

understanding of the context of the

06:38

attack but how does the attack actually

06:41

happen

06:42

let's focus our attention to a single

06:43

unit of the decryption process we've

06:45

seen this diagram before but let's first

06:48

agree on some notation

06:50

we want to obtain the plain text

06:51

corresponding to this ciphertext block

06:53

let's call this c2

06:55

c2 will be put through the block cipher

06:57

decryption algorithm generating some

06:59

kind of output let's call this output at

07:01

intermediate state and label it i2

07:04

we need the previous ciphertext block as

07:06

well let's call this c1 now c1 will be

07:09

x1 with i2 to give us the plain text

07:11

block let's call that p2

07:14

now for a very important fact

07:16

since this block cipher is a

07:18

deterministic algorithm

07:20

if we do not change c2

07:22

this means that i2 will also remain the

07:25

same

07:26

in other words if we keep c2 we don't

07:29

ever change it that means i2 will also

07:31

be the same

07:33

since we have the notation nailed down

07:34

now let's move forward and try to think

07:36

like an attacker the intuition behind

07:38

the panic oracle attack is reviewed when

07:39

you ask yourself a couple of questions

07:41

and make a couple of observations

07:43

firstly a yes from the panic oracle is

07:46

more helpful than a note because we

07:48

actually know the format of the last few

07:49

bytes of the plain text if it has a

07:51

valid padding it could be 0 1 it could

07:53

be 0 2 0 2 or it could be 0 3 0 3 03 etc

07:57

we still have a couple of options but

07:58

it's a very limited subset if it's a no

08:02

those last few bytes could literally be

08:03

anything else

08:05

next as an attacker we already have our

08:07

hands on the ciphertext plots we can

08:09

also control what ciphertext is provided

08:11

as input to the padding oracle

08:14

most importantly we can change what

08:17

ciphertext we input to the padding

08:18

oracle

08:19

lastly by changing this ciphertext input

08:21

we can also change the decrypted

08:23

plaintext that the patent oracle seeds

08:25

so here's the key insight we need to try

08:28

and introduce some kind of change so

08:30

that the padding oracle tells us the

08:32

decrypted plaintext has valid padding in

08:35

other words we can try to force the

08:36

plaintext decrypted by the parent oracle

08:38

to have some kind of desired valid

08:41

padding by manipulating the ciphertext

08:43

we provide as input to the padding

08:45

oracle

08:46

before we continue i want to emphasize

08:48

that we are dealing with two distinct

08:50

scenarios here the first is our original

08:52

decryption scenario over here we're

08:54

dealing with the original ciphertext

08:56

blocks and we never introduced any

08:58

changes but the thing is we're stuck

09:00

because we don't know the key for the

09:02

cipher text but for the block cipher

09:03

decryption algorithm over here so we

09:05

can't find the plain text

09:07

the second scenario we're dealing with

09:09

is the padding oracle scenario which as

09:11

we've mentioned a couple of slides ago

09:13

is fully capable of performing

09:15

decryption on the input ciphertext

09:18

we want to introduce some kind of change

09:20

in this padding oracle scenario over

09:21

here

09:23

but what kind of change should we

09:24

introduce so here is the clock sodium

09:26

type we are going to change c1

09:28

and we are going to leave c2 unchanged

09:30

as compared to the original decryption

09:32

scenario

09:33

and as i mentioned just now if we if we

09:36

leave c2 unchanged and since the block

09:38

cipher decryption algorithm is

09:39

deterministic this means that i2 will

09:42

also remain unchanged as well as

09:44

compared to the original decryption

09:46

scenario on the right hand side over

09:47

here

09:48

so let's focus our attention on the

09:50

padding oracle scenario first

09:52

for starters let's try and force the

09:54

very last byte of the plain text to be 0

09:56

1. we want and the thing is this is

09:58

valid padding

10:00

and in the original scenario the plain

10:02

text wouldn't have been decrypted to

10:03

become 0 1 but we're trying to force the

10:06

plaintext decrypted to have a 0 1

10:09

as its last byte

10:11

and we're going to achieve this by

10:13

introducing some kind of change to c1

10:15

while keeping c2 unchanged

10:17

so let's label the last part of i2 as x1

10:20

remember we kept c2 in its original form

10:23

when providing the ciphertext blocks as

10:25

input to the panning oracle since c2

10:27

remains unchanged that means that x1

10:29

remains unchanged as well but it's just

10:31

that we don't know its value

10:34

then we're going to try and change c1 we

10:36

only need to change the last part of c1

10:38

since we're only trying to change the

10:39

last part of the plane text to become

10:40

zero one so let's call this last part of

10:43

c1

10:44

t1

10:46

but thing is what should we change this

10:49

value of t1 to

10:51

this is where an exhaustive search comes

10:52

in and you have to recognize that t1 is

10:55

only one byte long so it can only take

10:57

on values from 0 to 255 or 0 0 to ff for

11:01

those of you who prefer hexadecimals

11:03

instead

11:04

so we only need a simple for loop

11:07

looping through and searching through 0

11:09

to 255 for the last few for the last

11:12

fight

11:13

and when the padding oracle finally

11:14

outputs cs then we'll know what value t1

11:17

needs to be

11:18

at this point in time we'll know the

11:20

value of t1

11:22

we also know the value of the last part

11:24

of p2 because we're forcing it to become

11:26

0 1.

11:28

and then we know that this is an xo

11:30

operation as i mentioned just now for an

11:32

excel operation if you know two of the

11:34

entities

11:35

you can simply xor them together to

11:37

retrieve the last entity

11:39

therefore we can now find out the value

11:41

of x1 initially we didn't know this it's

11:43

an unknown value but now through this

11:45

process we're able to find out the value

11:47

of x1 we just need the x or t1 together

11:50

with the value 0 1.

11:52

now let's sort back to our original

11:54

scenario where we didn't change the

11:55

cipher text

11:57

our aim is to find the last byte of the

11:59

original plain text

12:01

the one indicator and purple right over

12:02

here

12:03

we have our hands on all of the cypher

12:05

text blocks so that means we know the

12:07

last fight of the original ciphertext

12:09

block c1

12:11

on the previous slide we also found the

12:14

last byte of the intermediate state x1

12:17

of the intermediate state i2 and this

12:19

particular last fight will be x1

12:22

once again we have an xor operation over

12:24

here we know x1 our c1 as well as x1

12:27

over here so we can just x all these two

12:30

things together to get us p1 and just

12:33

like that we found the last byte of the

12:35

plain text

12:36

from now onwards we just need to repeat

12:38

this process for the rest of the bytes

12:40

moving from right to left

12:41

just to make things clear i'll go

12:43

through how to obtain the second last

12:45

bite of the plain text as well

12:48

back to the original sorry back to the

12:50

padding oracle scenario we now want to

12:52

force the plain text to have 0 2 0 2 for

12:55

the padding which is valid padding

12:57

according to the pkcs number 7 standard

12:59

once again we're going to keep c2

13:01

unchanged and make changes to c1 we're

13:04

only concerned with the last two bytes

13:06

of the intermediate state let's label

13:08

them as x1 and x2

13:10

we already found the value of x1

13:12

as was covered in the previous two

13:14

slides for x2 we don't know its exact

13:16

value but we know that since we didn't

13:18

change c2 that means i2 remains

13:20

unchanged as well so x2 will also remain

13:23

unchanged otherwise in other words it's

13:25

unknown its value is unknown but we know

13:28

that it's unchanged

13:30

let's also label the last two bytes of

13:32

c2 of c1 as t2 and t1 respectively

13:36

let's focus our attention on just the

13:38

xor operation involving all of these

13:41

last two bytes

13:43

over in this diagram over here

13:45

since we have both x1 and 02

13:49

we can easily find the value of t1 by

13:52

xoring x1 and 02

13:54

so just like that we know the value of

13:56

t1 now the question is what should t2 be

13:59

this is where similar to what was

14:00

covered two slides ago we have to

14:02

conduct an exhaustive search

14:04

t2 can only take on values from 0 to 255

14:06

we just do a simple for loop and the

14:08

moment the padding oracle outputs yes

14:10

we'll know what the value of t2 should

14:12

be

14:12

now we know the value of t2 we also know

14:15

the value 0 2 over here

14:18

we have two entities so we can simply x

14:20

or 0 2 with t2 to obtain the value of x2

14:26

now back to the original decryption

14:28

context we already know the last byte of

14:31

the plaintext but we're not interested

14:33

in the last bytes of this ciphertext

14:35

block or the intermediate state

14:38

we are interested in finding out the

14:39

second last byte of the plain text so do

14:41

you have our hands on the original

14:43

ciphertext blocks we know the second

14:45

last byte of c1

14:47

over here

14:49

we also found on the previous slide the

14:51

value of the second last byte of i2

14:53

which is x2 we found the value of x2 on

14:56

the previous slide once again this is an

14:59

xo operation so in order to retrieve the

15:01

second last part of the plain text over

15:03

here we simply need to x or c2 with x2

15:08

and just like that through these past

15:10

couple of times we have managed to find

15:11

out the last two bytes of the original

15:13

plain text in order to find out the rest

15:15

of the bytes

15:16

of the plain text we just need to repeat

15:18

this process for the rest of the blocks

15:20

i hope you guys get the idea by now

15:22

ultimately the padding oracle attack is

15:24

meant to illustrate the idea that

15:25

something as innocuous as revealing

15:27

whether the padding is valid when abused

15:29

in the right context can reveal a lot of

15:31

information

15:33

i hope you found this video helpful

15:34

thank you