practical padding oracle attacks
play

Practical Padding Oracle Attacks J. Rizzo T. Duong Black Hat - PowerPoint PPT Presentation

Dec 21, 2023 •235 likes •1.33k views

Introduction Finding Padding Oracles Basic PO attacks Advanced PO attacks Summary Practical Padding Oracle Attacks J. Rizzo T. Duong Black Hat Europe, 2010 J. Rizzo, T. Duong Practical Padding Oracle Attacks Introduction Finding Padding

  1. Introduction Finding Padding Oracles Review of CBC Mode Basic PO attacks Padding Oracle attacks Advanced PO attacks Summary Padding Oracle attacks Last word decryption algorithm pick a few random words r 1 ,..., r b , and take i = 0. pick r = r 1 r 2 ... r b − 1 ( r b ⊕ i ) . if ð ( r | y ) = 0 then increment i and go back to previous step. replace r b by r b ⊕ i . for n = b down to 2 take r = r 1 ... r b − n ( r b − 1 + 1 ⊕ 1 ) r b − n + 2 ... r b 1 if ð ( r | y ) = 0 then stop and output ( r b − n + 1 ⊕ n ) ... ( r b ⊕ n ) 2 output r b ⊕ 1. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  2. Introduction Finding Padding Oracles Review of CBC Mode Basic PO attacks Padding Oracle attacks Advanced PO attacks Summary Padding Oracle attacks Last word decryption algorithm pick a few random words r 1 ,..., r b , and take i = 0. pick r = r 1 r 2 ... r b − 1 ( r b ⊕ i ) . if ð ( r | y ) = 0 then increment i and go back to previous step. replace r b by r b ⊕ i . for n = b down to 2 take r = r 1 ... r b − n ( r b − 1 + 1 ⊕ 1 ) r b − n + 2 ... r b 1 if ð ( r | y ) = 0 then stop and output ( r b − n + 1 ⊕ n ) ... ( r b ⊕ n ) 2 output r b ⊕ 1. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  3. Introduction Finding Padding Oracles Review of CBC Mode Basic PO attacks Padding Oracle attacks Advanced PO attacks Summary Padding Oracle attacks Last word decryption algorithm pick a few random words r 1 ,..., r b , and take i = 0. pick r = r 1 r 2 ... r b − 1 ( r b ⊕ i ) . if ð ( r | y ) = 0 then increment i and go back to previous step. replace r b by r b ⊕ i . for n = b down to 2 take r = r 1 ... r b − n ( r b − 1 + 1 ⊕ 1 ) r b − n + 2 ... r b 1 if ð ( r | y ) = 0 then stop and output ( r b − n + 1 ⊕ n ) ... ( r b ⊕ n ) 2 output r b ⊕ 1. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  4. Introduction Finding Padding Oracles Review of CBC Mode Basic PO attacks Padding Oracle attacks Advanced PO attacks Summary Padding Oracle attacks Last word decryption algorithm pick a few random words r 1 ,..., r b , and take i = 0. pick r = r 1 r 2 ... r b − 1 ( r b ⊕ i ) . if ð ( r | y ) = 0 then increment i and go back to previous step. replace r b by r b ⊕ i . for n = b down to 2 take r = r 1 ... r b − n ( r b − 1 + 1 ⊕ 1 ) r b − n + 2 ... r b 1 if ð ( r | y ) = 0 then stop and output ( r b − n + 1 ⊕ n ) ... ( r b ⊕ n ) 2 output r b ⊕ 1. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  5. Introduction Finding Padding Oracles Review of CBC Mode Basic PO attacks Padding Oracle attacks Advanced PO attacks Summary Padding Oracle attacks Last word decryption algorithm pick a few random words r 1 ,..., r b , and take i = 0. pick r = r 1 r 2 ... r b − 1 ( r b ⊕ i ) . if ð ( r | y ) = 0 then increment i and go back to previous step. replace r b by r b ⊕ i . for n = b down to 2 take r = r 1 ... r b − n ( r b − 1 + 1 ⊕ 1 ) r b − n + 2 ... r b 1 if ð ( r | y ) = 0 then stop and output ( r b − n + 1 ⊕ n ) ... ( r b ⊕ n ) 2 output r b ⊕ 1. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  6. Introduction Finding Padding Oracles Review of CBC Mode Basic PO attacks Padding Oracle attacks Advanced PO attacks Summary Padding Oracle attacks Last word decryption algorithm pick a few random words r 1 ,..., r b , and take i = 0. pick r = r 1 r 2 ... r b − 1 ( r b ⊕ i ) . if ð ( r | y ) = 0 then increment i and go back to previous step. replace r b by r b ⊕ i . for n = b down to 2 take r = r 1 ... r b − n ( r b − 1 + 1 ⊕ 1 ) r b − n + 2 ... r b 1 if ð ( r | y ) = 0 then stop and output ( r b − n + 1 ⊕ n ) ... ( r b ⊕ n ) 2 output r b ⊕ 1. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  7. Introduction Finding Padding Oracles Find potential padding oracles Basic PO attacks Confirm the existence of padding oracles Advanced PO attacks Summary Outline Introduction 1 Review of CBC Mode Padding Oracle attacks Finding Padding Oracles 2 Find potential padding oracles Confirm the existence of padding oracles Basic PO attacks 3 Cracking CAPTCHA Decrypting JSF view states Advanced PO attacks 4 Using PO to encrypt Distributed cross-site PO attacks J. Rizzo, T. Duong Practical Padding Oracle Attacks

  8. Introduction Finding Padding Oracles Find potential padding oracles Basic PO attacks Confirm the existence of padding oracles Advanced PO attacks Summary Finding potential padding oracles Blackbox testing. Google hacking. Source code auditing. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  9. Introduction Finding Padding Oracles Find potential padding oracles Basic PO attacks Confirm the existence of padding oracles Advanced PO attacks Summary Finding potential padding oracles Blackbox testing. Google hacking. Source code auditing. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  10. Introduction Finding Padding Oracles Find potential padding oracles Basic PO attacks Confirm the existence of padding oracles Advanced PO attacks Summary Finding potential padding oracles Blackbox testing. Google hacking. Source code auditing. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  11. Introduction Finding Padding Oracles Find potential padding oracles Basic PO attacks Confirm the existence of padding oracles Advanced PO attacks Summary Finding potential padding oracles Blackbox testing. Google hacking. Source code auditing. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  12. Introduction Finding Padding Oracles Find potential padding oracles Basic PO attacks Confirm the existence of padding oracles Advanced PO attacks Summary Outline Introduction 1 Review of CBC Mode Padding Oracle attacks Finding Padding Oracles 2 Find potential padding oracles Confirm the existence of padding oracles Basic PO attacks 3 Cracking CAPTCHA Decrypting JSF view states Advanced PO attacks 4 Using PO to encrypt Distributed cross-site PO attacks J. Rizzo, T. Duong Practical Padding Oracle Attacks

  13. Introduction Finding Padding Oracles Find potential padding oracles Basic PO attacks Confirm the existence of padding oracles Advanced PO attacks Summary Confirm the existence of padding oracles Determine the block size b All padding oracle attacks need a correct b . Most common block sizes are 8 and 16 bytes. Of course we can use trial and error. How to determine the block size if len ( C )% 16 = 8, then stop and output 8. take y = C [ − 16 :] , i.e. y is the last sixteen bytes of C . if ð ( C | y ) = 1, then stop and output 8. output 16. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  14. Introduction Finding Padding Oracles Find potential padding oracles Basic PO attacks Confirm the existence of padding oracles Advanced PO attacks Summary Confirm the existence of padding oracles Determine the block size b All padding oracle attacks need a correct b . Most common block sizes are 8 and 16 bytes. Of course we can use trial and error. How to determine the block size if len ( C )% 16 = 8, then stop and output 8. take y = C [ − 16 :] , i.e. y is the last sixteen bytes of C . if ð ( C | y ) = 1, then stop and output 8. output 16. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  15. Introduction Finding Padding Oracles Find potential padding oracles Basic PO attacks Confirm the existence of padding oracles Advanced PO attacks Summary Confirm the existence of padding oracles Determine the block size b All padding oracle attacks need a correct b . Most common block sizes are 8 and 16 bytes. Of course we can use trial and error. How to determine the block size if len ( C )% 16 = 8, then stop and output 8. take y = C [ − 16 :] , i.e. y is the last sixteen bytes of C . if ð ( C | y ) = 1, then stop and output 8. output 16. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  16. Introduction Finding Padding Oracles Find potential padding oracles Basic PO attacks Confirm the existence of padding oracles Advanced PO attacks Summary Confirm the existence of padding oracles Determine the block size b All padding oracle attacks need a correct b . Most common block sizes are 8 and 16 bytes. Of course we can use trial and error. How to determine the block size if len ( C )% 16 = 8, then stop and output 8. take y = C [ − 16 :] , i.e. y is the last sixteen bytes of C . if ð ( C | y ) = 1, then stop and output 8. output 16. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  17. Introduction Finding Padding Oracles Find potential padding oracles Basic PO attacks Confirm the existence of padding oracles Advanced PO attacks Summary Confirm the existence of padding oracles Determine the block size b All padding oracle attacks need a correct b . Most common block sizes are 8 and 16 bytes. Of course we can use trial and error. How to determine the block size if len ( C )% 16 = 8, then stop and output 8. take y = C [ − 16 :] , i.e. y is the last sixteen bytes of C . if ð ( C | y ) = 1, then stop and output 8. output 16. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  18. Introduction Finding Padding Oracles Find potential padding oracles Basic PO attacks Confirm the existence of padding oracles Advanced PO attacks Summary Confirm the existence of padding oracles Determine the block size b All padding oracle attacks need a correct b . Most common block sizes are 8 and 16 bytes. Of course we can use trial and error. How to determine the block size if len ( C )% 16 = 8, then stop and output 8. take y = C [ − 16 :] , i.e. y is the last sixteen bytes of C . if ð ( C | y ) = 1, then stop and output 8. output 16. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  19. Introduction Finding Padding Oracles Find potential padding oracles Basic PO attacks Confirm the existence of padding oracles Advanced PO attacks Summary Confirm the existence of padding oracles We want the target to reveal as many different reactions to the modified ciphertexts as possible. The most important thing is to analyse and understand the meaning of these reactions. In short, you need to know when the padding is VALID, and when it’s INVALID. POET a.k.a Padding Oracle Exploitation Tool will be released right after BH Europe 2010. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  20. Introduction Finding Padding Oracles Find potential padding oracles Basic PO attacks Confirm the existence of padding oracles Advanced PO attacks Summary Confirm the existence of padding oracles We want the target to reveal as many different reactions to the modified ciphertexts as possible. The most important thing is to analyse and understand the meaning of these reactions. In short, you need to know when the padding is VALID, and when it’s INVALID. POET a.k.a Padding Oracle Exploitation Tool will be released right after BH Europe 2010. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  21. Introduction Finding Padding Oracles Find potential padding oracles Basic PO attacks Confirm the existence of padding oracles Advanced PO attacks Summary Confirm the existence of padding oracles We want the target to reveal as many different reactions to the modified ciphertexts as possible. The most important thing is to analyse and understand the meaning of these reactions. In short, you need to know when the padding is VALID, and when it’s INVALID. POET a.k.a Padding Oracle Exploitation Tool will be released right after BH Europe 2010. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  22. Introduction Finding Padding Oracles Find potential padding oracles Basic PO attacks Confirm the existence of padding oracles Advanced PO attacks Summary Confirm the existence of padding oracles Want to write your own tool to detect Padding Oracle? Follow this guideline (which is based on the algorithm in slide 22): determine the block size b . pick a few random words r 1 ,..., r b , and take i = 0. pick r = r 1 r 2 ... r b − 1 ( r b ⊕ i ) . Send r | y to the target, where y is a valid ciphertext block. Record the value of i , content length, and content type of the response. Increment i , and go back to step 2 until i > 255. Now you have 256 responses. If all of them are the same, then the target is not easily showing you that it is vulnerable to Padding Oracle attack. Otherwise, look at each value of i where the responses are different from the rest. Examine carefully each response to see what happened. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  23. Introduction Finding Padding Oracles Find potential padding oracles Basic PO attacks Confirm the existence of padding oracles Advanced PO attacks Summary Confirm the existence of padding oracles Want to write your own tool to detect Padding Oracle? Follow this guideline (which is based on the algorithm in slide 22): determine the block size b . pick a few random words r 1 ,..., r b , and take i = 0. pick r = r 1 r 2 ... r b − 1 ( r b ⊕ i ) . Send r | y to the target, where y is a valid ciphertext block. Record the value of i , content length, and content type of the response. Increment i , and go back to step 2 until i > 255. Now you have 256 responses. If all of them are the same, then the target is not easily showing you that it is vulnerable to Padding Oracle attack. Otherwise, look at each value of i where the responses are different from the rest. Examine carefully each response to see what happened. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  24. Introduction Finding Padding Oracles Find potential padding oracles Basic PO attacks Confirm the existence of padding oracles Advanced PO attacks Summary Confirm the existence of padding oracles Want to write your own tool to detect Padding Oracle? Follow this guideline (which is based on the algorithm in slide 22): determine the block size b . pick a few random words r 1 ,..., r b , and take i = 0. pick r = r 1 r 2 ... r b − 1 ( r b ⊕ i ) . Send r | y to the target, where y is a valid ciphertext block. Record the value of i , content length, and content type of the response. Increment i , and go back to step 2 until i > 255. Now you have 256 responses. If all of them are the same, then the target is not easily showing you that it is vulnerable to Padding Oracle attack. Otherwise, look at each value of i where the responses are different from the rest. Examine carefully each response to see what happened. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  25. Introduction Finding Padding Oracles Find potential padding oracles Basic PO attacks Confirm the existence of padding oracles Advanced PO attacks Summary Confirm the existence of padding oracles Want to write your own tool to detect Padding Oracle? Follow this guideline (which is based on the algorithm in slide 22): determine the block size b . pick a few random words r 1 ,..., r b , and take i = 0. pick r = r 1 r 2 ... r b − 1 ( r b ⊕ i ) . Send r | y to the target, where y is a valid ciphertext block. Record the value of i , content length, and content type of the response. Increment i , and go back to step 2 until i > 255. Now you have 256 responses. If all of them are the same, then the target is not easily showing you that it is vulnerable to Padding Oracle attack. Otherwise, look at each value of i where the responses are different from the rest. Examine carefully each response to see what happened. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  26. Introduction Finding Padding Oracles Find potential padding oracles Basic PO attacks Confirm the existence of padding oracles Advanced PO attacks Summary Confirm the existence of padding oracles Want to write your own tool to detect Padding Oracle? Follow this guideline (which is based on the algorithm in slide 22): determine the block size b . pick a few random words r 1 ,..., r b , and take i = 0. pick r = r 1 r 2 ... r b − 1 ( r b ⊕ i ) . Send r | y to the target, where y is a valid ciphertext block. Record the value of i , content length, and content type of the response. Increment i , and go back to step 2 until i > 255. Now you have 256 responses. If all of them are the same, then the target is not easily showing you that it is vulnerable to Padding Oracle attack. Otherwise, look at each value of i where the responses are different from the rest. Examine carefully each response to see what happened. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  27. Introduction Finding Padding Oracles Find potential padding oracles Basic PO attacks Confirm the existence of padding oracles Advanced PO attacks Summary Confirm the existence of padding oracles Want to write your own tool to detect Padding Oracle? Follow this guideline (which is based on the algorithm in slide 22): determine the block size b . pick a few random words r 1 ,..., r b , and take i = 0. pick r = r 1 r 2 ... r b − 1 ( r b ⊕ i ) . Send r | y to the target, where y is a valid ciphertext block. Record the value of i , content length, and content type of the response. Increment i , and go back to step 2 until i > 255. Now you have 256 responses. If all of them are the same, then the target is not easily showing you that it is vulnerable to Padding Oracle attack. Otherwise, look at each value of i where the responses are different from the rest. Examine carefully each response to see what happened. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  28. Introduction Finding Padding Oracles Cracking CAPTCHA Basic PO attacks Decrypting JSF view states Advanced PO attacks Summary Outline Introduction 1 Review of CBC Mode Padding Oracle attacks Finding Padding Oracles 2 Find potential padding oracles Confirm the existence of padding oracles Basic PO attacks 3 Cracking CAPTCHA Decrypting JSF view states Advanced PO attacks 4 Using PO to encrypt Distributed cross-site PO attacks J. Rizzo, T. Duong Practical Padding Oracle Attacks

  29. Introduction Finding Padding Oracles Cracking CAPTCHA Basic PO attacks Decrypting JSF view states Advanced PO attacks Summary Cracking CAPTCHA A broken CAPTCHA system ERC = e K , IV ( rand ()) . ...<img src=”/captcha?token= ERC ” />... ERC is stored as either a hidden field or a cookie in the CAPTCHA form. Once a user submits, the server decrypts ERC , and compares it with the code that the user has entered. If equal, the server accepts the request; it denies the request otherwise. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  30. Introduction Finding Padding Oracles Cracking CAPTCHA Basic PO attacks Decrypting JSF view states Advanced PO attacks Summary Cracking CAPTCHA A broken CAPTCHA system ERC = e K , IV ( rand ()) . ...<img src=”/captcha?token= ERC ” />... ERC is stored as either a hidden field or a cookie in the CAPTCHA form. Once a user submits, the server decrypts ERC , and compares it with the code that the user has entered. If equal, the server accepts the request; it denies the request otherwise. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  31. Introduction Finding Padding Oracles Cracking CAPTCHA Basic PO attacks Decrypting JSF view states Advanced PO attacks Summary Cracking CAPTCHA A broken CAPTCHA system ERC = e K , IV ( rand ()) . ...<img src=”/captcha?token= ERC ” />... ERC is stored as either a hidden field or a cookie in the CAPTCHA form. Once a user submits, the server decrypts ERC , and compares it with the code that the user has entered. If equal, the server accepts the request; it denies the request otherwise. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  32. Introduction Finding Padding Oracles Cracking CAPTCHA Basic PO attacks Decrypting JSF view states Advanced PO attacks Summary Cracking CAPTCHA A broken CAPTCHA system ERC = e K , IV ( rand ()) . ...<img src=”/captcha?token= ERC ” />... ERC is stored as either a hidden field or a cookie in the CAPTCHA form. Once a user submits, the server decrypts ERC , and compares it with the code that the user has entered. If equal, the server accepts the request; it denies the request otherwise. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  33. Introduction Finding Padding Oracles Cracking CAPTCHA Basic PO attacks Decrypting JSF view states Advanced PO attacks Summary Cracking CAPTCHA Bypass the broken CAPTCHA system Since the system decrypts any ERC sent to it, it is vulnerable to Padding Oracle attack. The only remaining problem now is to know when padding is VALID, and when it’s not. Fortunately, most CAPTCHA systems would send back an error notification when they fail to decrypt ERC , i.e. padding is INVALID. In addition, when we modify ERC so that the padding is VALID, most systems would display an image with a broken code. Now we have a Padding Oracle, and we can use it to decrypt any ERC , thus bypass the CAPTCHA completely. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  34. Introduction Finding Padding Oracles Cracking CAPTCHA Basic PO attacks Decrypting JSF view states Advanced PO attacks Summary Cracking CAPTCHA Bypass the broken CAPTCHA system Since the system decrypts any ERC sent to it, it is vulnerable to Padding Oracle attack. The only remaining problem now is to know when padding is VALID, and when it’s not. Fortunately, most CAPTCHA systems would send back an error notification when they fail to decrypt ERC , i.e. padding is INVALID. In addition, when we modify ERC so that the padding is VALID, most systems would display an image with a broken code. Now we have a Padding Oracle, and we can use it to decrypt any ERC , thus bypass the CAPTCHA completely. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  35. Introduction Finding Padding Oracles Cracking CAPTCHA Basic PO attacks Decrypting JSF view states Advanced PO attacks Summary Cracking CAPTCHA Bypass the broken CAPTCHA system Since the system decrypts any ERC sent to it, it is vulnerable to Padding Oracle attack. The only remaining problem now is to know when padding is VALID, and when it’s not. Fortunately, most CAPTCHA systems would send back an error notification when they fail to decrypt ERC , i.e. padding is INVALID. In addition, when we modify ERC so that the padding is VALID, most systems would display an image with a broken code. Now we have a Padding Oracle, and we can use it to decrypt any ERC , thus bypass the CAPTCHA completely. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  36. Introduction Finding Padding Oracles Cracking CAPTCHA Basic PO attacks Decrypting JSF view states Advanced PO attacks Summary Cracking CAPTCHA Bypass the broken CAPTCHA system Since the system decrypts any ERC sent to it, it is vulnerable to Padding Oracle attack. The only remaining problem now is to know when padding is VALID, and when it’s not. Fortunately, most CAPTCHA systems would send back an error notification when they fail to decrypt ERC , i.e. padding is INVALID. In addition, when we modify ERC so that the padding is VALID, most systems would display an image with a broken code. Now we have a Padding Oracle, and we can use it to decrypt any ERC , thus bypass the CAPTCHA completely. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  37. Introduction Finding Padding Oracles Cracking CAPTCHA Basic PO attacks Decrypting JSF view states Advanced PO attacks Summary Cracking CAPTCHA Bypass the broken CAPTCHA system Since the system decrypts any ERC sent to it, it is vulnerable to Padding Oracle attack. The only remaining problem now is to know when padding is VALID, and when it’s not. Fortunately, most CAPTCHA systems would send back an error notification when they fail to decrypt ERC , i.e. padding is INVALID. In addition, when we modify ERC so that the padding is VALID, most systems would display an image with a broken code. Now we have a Padding Oracle, and we can use it to decrypt any ERC , thus bypass the CAPTCHA completely. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  38. Introduction Finding Padding Oracles Cracking CAPTCHA Basic PO attacks Decrypting JSF view states Advanced PO attacks Summary Cracking CAPTCHA CAPTCHA with secret IV Since P 0 = IV ⊕ d ð ( C 0 ) , we need to know the IV to get P 0 . If the IV is secret, we can’t know P 0 , thus can’t crack CAPTCHA systems whose P 0 contains part of the random code. The solution is: IV = Human ⊕ d ð ( C 0 ) , where Human denotes that somebody reads P 0 from the CAPTCHA image. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  39. Introduction Finding Padding Oracles Cracking CAPTCHA Basic PO attacks Decrypting JSF view states Advanced PO attacks Summary Cracking CAPTCHA CAPTCHA with secret IV Since P 0 = IV ⊕ d ð ( C 0 ) , we need to know the IV to get P 0 . If the IV is secret, we can’t know P 0 , thus can’t crack CAPTCHA systems whose P 0 contains part of the random code. The solution is: IV = Human ⊕ d ð ( C 0 ) , where Human denotes that somebody reads P 0 from the CAPTCHA image. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  40. Introduction Finding Padding Oracles Cracking CAPTCHA Basic PO attacks Decrypting JSF view states Advanced PO attacks Summary Cracking CAPTCHA CAPTCHA with secret IV Since P 0 = IV ⊕ d ð ( C 0 ) , we need to know the IV to get P 0 . If the IV is secret, we can’t know P 0 , thus can’t crack CAPTCHA systems whose P 0 contains part of the random code. The solution is: IV = Human ⊕ d ð ( C 0 ) , where Human denotes that somebody reads P 0 from the CAPTCHA image. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  41. Introduction Finding Padding Oracles Cracking CAPTCHA Basic PO attacks Decrypting JSF view states Advanced PO attacks Summary Outline Introduction 1 Review of CBC Mode Padding Oracle attacks Finding Padding Oracles 2 Find potential padding oracles Confirm the existence of padding oracles Basic PO attacks 3 Cracking CAPTCHA Decrypting JSF view states Advanced PO attacks 4 Using PO to encrypt Distributed cross-site PO attacks J. Rizzo, T. Duong Practical Padding Oracle Attacks

  42. Introduction Finding Padding Oracles Cracking CAPTCHA Basic PO attacks Decrypting JSF view states Advanced PO attacks Summary Decrypting JSF view states Introduction JavaServer Faces (JSF) is a popular Java-based standard for building server-side user interfaces. Like ASP.NET, JSF stores the state of the view in a hidden field. Although JSF specification advises that view state should be encrypted and tamper evident, but no implementation follows that advice. In other words, we can use Padding Oracle attacks to decrypt the view states of most JSF frameworks. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  43. Introduction Finding Padding Oracles Cracking CAPTCHA Basic PO attacks Decrypting JSF view states Advanced PO attacks Summary Decrypting JSF view states Introduction JavaServer Faces (JSF) is a popular Java-based standard for building server-side user interfaces. Like ASP.NET, JSF stores the state of the view in a hidden field. Although JSF specification advises that view state should be encrypted and tamper evident, but no implementation follows that advice. In other words, we can use Padding Oracle attacks to decrypt the view states of most JSF frameworks. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  44. Introduction Finding Padding Oracles Cracking CAPTCHA Basic PO attacks Decrypting JSF view states Advanced PO attacks Summary Decrypting JSF view states Introduction JavaServer Faces (JSF) is a popular Java-based standard for building server-side user interfaces. Like ASP.NET, JSF stores the state of the view in a hidden field. Although JSF specification advises that view state should be encrypted and tamper evident, but no implementation follows that advice. In other words, we can use Padding Oracle attacks to decrypt the view states of most JSF frameworks. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  45. Introduction Finding Padding Oracles Cracking CAPTCHA Basic PO attacks Decrypting JSF view states Advanced PO attacks Summary Decrypting JSF view states Introduction JavaServer Faces (JSF) is a popular Java-based standard for building server-side user interfaces. Like ASP.NET, JSF stores the state of the view in a hidden field. Although JSF specification advises that view state should be encrypted and tamper evident, but no implementation follows that advice. In other words, we can use Padding Oracle attacks to decrypt the view states of most JSF frameworks. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  46. Introduction Finding Padding Oracles Cracking CAPTCHA Basic PO attacks Decrypting JSF view states Advanced PO attacks Summary Decrypting JSF view states Padding Oracle in JSF frameworks By default, all JSF frameworks would display a very detailed error message if it fails to decrypt a view state. Padding Oracle in default installations of JSF frameworks if we see javax.crypto.BadPaddingException , then it’s INVALID padding it’s VALID padding otherwise. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  47. Introduction Finding Padding Oracles Cracking CAPTCHA Basic PO attacks Decrypting JSF view states Advanced PO attacks Summary Decrypting JSF view states Padding Oracle in JSF frameworks By default, all JSF frameworks would display a very detailed error message if it fails to decrypt a view state. Padding Oracle in default installations of JSF frameworks if we see javax.crypto.BadPaddingException , then it’s INVALID padding it’s VALID padding otherwise. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  48. Introduction Finding Padding Oracles Cracking CAPTCHA Basic PO attacks Decrypting JSF view states Advanced PO attacks Summary Decrypting JSF view states Apache MyFaces error-page J. Rizzo, T. Duong Practical Padding Oracle Attacks

  49. Introduction Finding Padding Oracles Cracking CAPTCHA Basic PO attacks Decrypting JSF view states Advanced PO attacks Summary Decrypting JSF view states Padding Oracle in JSF frameworks Most JSF frameworks allow developers to turn off error messages. Then we can use the following simple trick: Padding Oracle in JSF frameworks when error-page is turned off Say we want to decrypt block C i of an encrypted view state C 0 | C 1 | ... | C n − 1 , then we send C 0 | C 1 | ... | C n − 1 | C random | C i to the target. Since Java ignores those extra blocks while decrypting and deserializing view states, it’s VALID padding if the target returns the same page as when the view state is unaltered. And it’s probably INVALID padding if we see something else, e.g. a HTTP 500 error message. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  50. Introduction Finding Padding Oracles Cracking CAPTCHA Basic PO attacks Decrypting JSF view states Advanced PO attacks Summary Decrypting JSF view states Padding Oracle in JSF frameworks Most JSF frameworks allow developers to turn off error messages. Then we can use the following simple trick: Padding Oracle in JSF frameworks when error-page is turned off Say we want to decrypt block C i of an encrypted view state C 0 | C 1 | ... | C n − 1 , then we send C 0 | C 1 | ... | C n − 1 | C random | C i to the target. Since Java ignores those extra blocks while decrypting and deserializing view states, it’s VALID padding if the target returns the same page as when the view state is unaltered. And it’s probably INVALID padding if we see something else, e.g. a HTTP 500 error message. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  51. Introduction Finding Padding Oracles Cracking CAPTCHA Basic PO attacks Decrypting JSF view states Advanced PO attacks Summary Decrypting JSF view states Padding Oracle in JSF frameworks Most JSF frameworks allow developers to turn off error messages. Then we can use the following simple trick: Padding Oracle in JSF frameworks when error-page is turned off Say we want to decrypt block C i of an encrypted view state C 0 | C 1 | ... | C n − 1 , then we send C 0 | C 1 | ... | C n − 1 | C random | C i to the target. Since Java ignores those extra blocks while decrypting and deserializing view states, it’s VALID padding if the target returns the same page as when the view state is unaltered. And it’s probably INVALID padding if we see something else, e.g. a HTTP 500 error message. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  52. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Outline Introduction 1 Review of CBC Mode Padding Oracle attacks Finding Padding Oracles 2 Find potential padding oracles Confirm the existence of padding oracles Basic PO attacks 3 Cracking CAPTCHA Decrypting JSF view states Advanced PO attacks 4 Using PO to encrypt Distributed cross-site PO attacks J. Rizzo, T. Duong Practical Padding Oracle Attacks

  53. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Using PO to encrypt An introduction to CBC-R CBC-R turns a decryption oracle into an encryption oracle. We all know that CBC decryption works as following: P i = d K ( C i ) ⊕ C i − 1 C 0 = IV We can use a Padding Oracle to get d K ( C i ) , and we control C i − 1 . In other words, we can produce any P i as we want. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  54. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Using PO to encrypt An introduction to CBC-R CBC-R turns a decryption oracle into an encryption oracle. We all know that CBC decryption works as following: P i = d K ( C i ) ⊕ C i − 1 C 0 = IV We can use a Padding Oracle to get d K ( C i ) , and we control C i − 1 . In other words, we can produce any P i as we want. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  55. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Using PO to encrypt An introduction to CBC-R CBC-R turns a decryption oracle into an encryption oracle. We all know that CBC decryption works as following: P i = d K ( C i ) ⊕ C i − 1 C 0 = IV We can use a Padding Oracle to get d K ( C i ) , and we control C i − 1 . In other words, we can produce any P i as we want. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  56. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Using PO to encrypt How CBC-R works CBC-R pseudocode choose a plaintext message P 0 | ... | P n − 1 that you want to encrypt. pick a random C n − 1 . for i = n − 1 down to 1: C i − 1 = P i ⊕ d ð ( C i ) IV = P 0 ⊕ d ð ( C 0 ) output IV | C 0 | C 1 | ... | C n − 1 . This ciphertext would be decrypted to P 0 | ... | P n − 1 . J. Rizzo, T. Duong Practical Padding Oracle Attacks

  57. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Using PO to encrypt How CBC-R works CBC-R pseudocode choose a plaintext message P 0 | ... | P n − 1 that you want to encrypt. pick a random C n − 1 . for i = n − 1 down to 1: C i − 1 = P i ⊕ d ð ( C i ) IV = P 0 ⊕ d ð ( C 0 ) output IV | C 0 | C 1 | ... | C n − 1 . This ciphertext would be decrypted to P 0 | ... | P n − 1 . J. Rizzo, T. Duong Practical Padding Oracle Attacks

  58. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Using PO to encrypt How CBC-R works CBC-R pseudocode choose a plaintext message P 0 | ... | P n − 1 that you want to encrypt. pick a random C n − 1 . for i = n − 1 down to 1: C i − 1 = P i ⊕ d ð ( C i ) IV = P 0 ⊕ d ð ( C 0 ) output IV | C 0 | C 1 | ... | C n − 1 . This ciphertext would be decrypted to P 0 | ... | P n − 1 . J. Rizzo, T. Duong Practical Padding Oracle Attacks

  59. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Using PO to encrypt How CBC-R works CBC-R pseudocode choose a plaintext message P 0 | ... | P n − 1 that you want to encrypt. pick a random C n − 1 . for i = n − 1 down to 1: C i − 1 = P i ⊕ d ð ( C i ) IV = P 0 ⊕ d ð ( C 0 ) output IV | C 0 | C 1 | ... | C n − 1 . This ciphertext would be decrypted to P 0 | ... | P n − 1 . J. Rizzo, T. Duong Practical Padding Oracle Attacks

  60. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Using PO to encrypt How CBC-R works CBC-R pseudocode choose a plaintext message P 0 | ... | P n − 1 that you want to encrypt. pick a random C n − 1 . for i = n − 1 down to 1: C i − 1 = P i ⊕ d ð ( C i ) IV = P 0 ⊕ d ð ( C 0 ) output IV | C 0 | C 1 | ... | C n − 1 . This ciphertext would be decrypted to P 0 | ... | P n − 1 . J. Rizzo, T. Duong Practical Padding Oracle Attacks

  61. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Using PO to encrypt CBC-R Without Controlling IV CBC-R allows us to encrypt any message, but if we cannot set the IV , then first plaintext block P 0 will be random and meaningless. If the victim expects the decrypted message to start with a standard header, then it will ignore the forged message constructed by CBC-R. We have not found generic way to overcome this limitation. However, we have found workarounds for particular cases. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  62. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Using PO to encrypt CBC-R Without Controlling IV CBC-R allows us to encrypt any message, but if we cannot set the IV , then first plaintext block P 0 will be random and meaningless. If the victim expects the decrypted message to start with a standard header, then it will ignore the forged message constructed by CBC-R. We have not found generic way to overcome this limitation. However, we have found workarounds for particular cases. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  63. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Using PO to encrypt CBC-R Without Controlling IV CBC-R allows us to encrypt any message, but if we cannot set the IV , then first plaintext block P 0 will be random and meaningless. If the victim expects the decrypted message to start with a standard header, then it will ignore the forged message constructed by CBC-R. We have not found generic way to overcome this limitation. However, we have found workarounds for particular cases. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  64. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Using PO to encrypt CBC-R Without Controlling IV Using captured ciphertexts as prefix P valid = d K ( C captured | IV CBC − R | P CBC − R ) . The block at the position of IV CBC − R is still garbled. We can make the garbled block becomes part of some string that doesn’t affect the semantic of the message such as comment or textbox label. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  65. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Using PO to encrypt CBC-R Without Controlling IV Using captured ciphertexts as prefix P valid = d K ( C captured | IV CBC − R | P CBC − R ) . The block at the position of IV CBC − R is still garbled. We can make the garbled block becomes part of some string that doesn’t affect the semantic of the message such as comment or textbox label. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  66. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Using PO to encrypt CBC-R Without Controlling IV Using captured ciphertexts as prefix P valid = d K ( C captured | IV CBC − R | P CBC − R ) . The block at the position of IV CBC − R is still garbled. We can make the garbled block becomes part of some string that doesn’t affect the semantic of the message such as comment or textbox label. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  67. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Using PO to encrypt CBC-R Without Controlling IV Brute-forcing C 0 CBC-R can produce many different ciphertexts that decrypted to the same plaintext block chain P n − 1 ,..., P 1 . The only difference is the first plaintext block which is computed as following: P 0 = d K ( C 0 ) ⊕ IV A valid header means that the first few bytes of P 0 must match some magic numbers. There are also systems that accept a message if the first byte of its P 0 matches its size. If this is the case, and if the message is short enough, we can try our luck by brute-forcing C 0 . J. Rizzo, T. Duong Practical Padding Oracle Attacks

  68. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Using PO to encrypt CBC-R Without Controlling IV Brute-forcing C 0 CBC-R can produce many different ciphertexts that decrypted to the same plaintext block chain P n − 1 ,..., P 1 . The only difference is the first plaintext block which is computed as following: P 0 = d K ( C 0 ) ⊕ IV A valid header means that the first few bytes of P 0 must match some magic numbers. There are also systems that accept a message if the first byte of its P 0 matches its size. If this is the case, and if the message is short enough, we can try our luck by brute-forcing C 0 . J. Rizzo, T. Duong Practical Padding Oracle Attacks

  69. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Using PO to encrypt CBC-R Without Controlling IV Brute-forcing C 0 CBC-R can produce many different ciphertexts that decrypted to the same plaintext block chain P n − 1 ,..., P 1 . The only difference is the first plaintext block which is computed as following: P 0 = d K ( C 0 ) ⊕ IV A valid header means that the first few bytes of P 0 must match some magic numbers. There are also systems that accept a message if the first byte of its P 0 matches its size. If this is the case, and if the message is short enough, we can try our luck by brute-forcing C 0 . J. Rizzo, T. Duong Practical Padding Oracle Attacks

  70. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Using PO to encrypt CBC-R Applications sudo make me a CAPCHA J. Rizzo, T. Duong Practical Padding Oracle Attacks

  71. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Using PO to encrypt CBC-R Applications sudo make me a CAPCHA J. Rizzo, T. Duong Practical Padding Oracle Attacks

  72. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Using PO to encrypt CBC-R Applications Creating malicious JSF view states Which view states to create? How to solve the garbled block problem? J. Rizzo, T. Duong Practical Padding Oracle Attacks

  73. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Using PO to encrypt CBC-R Applications Creating malicious JSF view states Which view states to create? How to solve the garbled block problem? J. Rizzo, T. Duong Practical Padding Oracle Attacks

  74. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Outline Introduction 1 Review of CBC Mode Padding Oracle attacks Finding Padding Oracles 2 Find potential padding oracles Confirm the existence of padding oracles Basic PO attacks 3 Cracking CAPTCHA Decrypting JSF view states Advanced PO attacks 4 Using PO to encrypt Distributed cross-site PO attacks J. Rizzo, T. Duong Practical Padding Oracle Attacks

  75. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Distributed cross-site PO attacks All attackers need to exploit Padding Oracle is a single bit of information. Cross-domain information leakage bugs in web browsers can help. One example: <img> + onerror()/onload() events. if the image is loaded, then it’s VALID padding; otherwise, it’s INVALID padding. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  76. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Distributed cross-site PO attacks All attackers need to exploit Padding Oracle is a single bit of information. Cross-domain information leakage bugs in web browsers can help. One example: <img> + onerror()/onload() events. if the image is loaded, then it’s VALID padding; otherwise, it’s INVALID padding. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  77. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Distributed cross-site PO attacks All attackers need to exploit Padding Oracle is a single bit of information. Cross-domain information leakage bugs in web browsers can help. One example: <img> + onerror()/onload() events. if the image is loaded, then it’s VALID padding; otherwise, it’s INVALID padding. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  78. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Distributed cross-site PO attacks All attackers need to exploit Padding Oracle is a single bit of information. Cross-domain information leakage bugs in web browsers can help. One example: <img> + onerror()/onload() events. if the image is loaded, then it’s VALID padding; otherwise, it’s INVALID padding. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  79. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Distributed cross-site PO attacks We have decrypted all CAPTCHA on a web site using only JavaScript hosted locally. One can inject JavaScript code into popular web sites, and turn this into a distriubuted attack. It is possible to distributively build a code book. J. Rizzo, T. Duong Practical Padding Oracle Attacks

  80. Introduction Finding Padding Oracles Using PO to encrypt Basic PO attacks Distributed cross-site PO attacks Advanced PO attacks Summary Distributed cross-site PO attacks We have decrypted all CAPTCHA on a web site using only JavaScript hosted locally. One can inject JavaScript code into popular web sites, and turn this into a distriubuted attack. It is possible to distributively build a code book. J. Rizzo, T. Duong Practical Padding Oracle Attacks

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15

Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15

Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15 000 Messages Graham Steel joint work with R. Bardou, R. Focardi, Y. Kawamoto, L. Simionato, J. Kai-Tsay CRYPTO August 2012 BLUF (Bottom Line Up

584 views • 42 slides
Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15

Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15

Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15 000 Messages Graham Steel joint work with R. Bardou, R. Focardi, Y. Kawamoto, L. Simionato, J.-K. Tsay CRYPTO August 2012 BLUF (Bottom Line Up

602 views • 19 slides
Padding Oracle Attack for non-standard PKCS#1 v1.5 Can non-standard implementation provide us a

Padding Oracle Attack for non-standard PKCS#1 v1.5 Can non-standard implementation provide us a

Padding Oracle Attack for non-standard PKCS#1 v1.5 Can non-standard implementation provide us a shelter? Si Gao Hua Chen Limin Fan Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences

442 views • 40 slides
Attacking GlobalPlatform SCP02-compliant Smart Cards Using a Padding Oracle Attack Gildas Avoine 1

Attacking GlobalPlatform SCP02-compliant Smart Cards Using a Padding Oracle Attack Gildas Avoine 1

Attacking GlobalPlatform SCP02-compliant Smart Cards Using a Padding Oracle Attack Gildas Avoine 1 , 2 Loc Ferreira 3 , 1 Univ Rennes, INSA Rennes, CNRS, IRISA, France Institut Universitaire de France Orange Labs, Applied Cryptography Group,

646 views • 33 slides
Padding and Stride Padding and Stride In [1]: from mxnet import nd from mxnet.gluon import nn #

Padding and Stride Padding and Stride In [1]: from mxnet import nd from mxnet.gluon import nn #

2/23/2019 padding-and-strides slides Padding and Stride Padding and Stride In [1]: from mxnet import nd from mxnet.gluon import nn # Takes convolution operation and applies it to X def comp_conv2d(conv2d, X): conv2d.initialize() # Add two extra

1.36k views • 3 slides
Practical 10 Minutes Security Audit Oracle Case Cesar Cerrudo Cesar Cerrudo Argeniss Argeniss

Practical 10 Minutes Security Audit Oracle Case Cesar Cerrudo Cesar Cerrudo Argeniss Argeniss

Practical 10 Minutes Security Audit Oracle Case Cesar Cerrudo Cesar Cerrudo Argeniss Argeniss Overview Introduction The technique Finding 0days in Oracle Getting technical Owning Oracle Conclusions References

814 views • 16 slides
The Long and Winding Path to Secure Implementation of GlobalPlatform SCP10 Daniel De Almeida

The Long and Winding Path to Secure Implementation of GlobalPlatform SCP10 Daniel De Almeida

The Long and Winding Path to Secure Implementation of GlobalPlatform SCP10 Daniel De Almeida Braga Pierre-Alain Fouque Mohamed Sabt TCHES 2020 1 Overview Context Deterministic RSA Padding Padding Oracle Key Reuse Secure

681 views • 46 slides
The Long and Winding Path to Secure Implementation of GlobalPlatform SCP10 Daniel De Almeida

The Long and Winding Path to Secure Implementation of GlobalPlatform SCP10 Daniel De Almeida

Context Notation &amp; Reminders Deterministic RSA Padding Padding Oracle on Key Transport Key Reuse Secure Implementation Conclusion The Long and Winding Path to Secure Implementation of GlobalPlatform SCP10 Daniel De Almeida Braga

658 views • 46 slides
Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing

Discussion: Remote Timing Attacks are Practical 600.624 2/11/05 Outline Why are timing attacks important? Clarifications Zero-One Gap / Neighborhood Size etc. Problems Questions Extensions Contribution Discussion

645 views • 26 slides
Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in

Remote Timing Attacks are Practical by David Brumley and Dan Boneh Presented by Seny Kamara in Advanced Topics in Network Security (600/650.624) Outline Traditional threat model in cryptography Side-channel attacks Kochers

1.19k views • 77 slides
Practical Attacks on Implementations Juraj Somorovsky Ruhr University Bochum, HGI 3curity

Practical Attacks on Implementations Juraj Somorovsky Ruhr University Bochum, HGI 3curity

Practical Attacks on Implementations Juraj Somorovsky Ruhr University Bochum, HGI 3curity @jurajsomorovsky 1 Practi tical l Attacks on Real l World ld Crypto to Imple lementa mentati tion ons Juraj Somorovsky 1 Recent years

406 views • 29 slides
Oracle Buys AmberPoint Strengthens Oracle Fusion Middleware SOA Suite and Oracle Enterprise

Oracle Buys AmberPoint Strengthens Oracle Fusion Middleware SOA Suite and Oracle Enterprise

Oracle Buys AmberPoint Strengthens Oracle Fusion Middleware SOA Suite and Oracle Enterprise Manager with Best-in-Class SOA Management Capabilities February 12, 2010 Oracle is currently reviewing the existing AmberPoints product roadmap and

774 views • 19 slides
Sibyl A Practical Internet Route Oracle talo Cunha P. Marchetta, M. Calder, Y-C. Chiu B.

Sibyl A Practical Internet Route Oracle talo Cunha P. Marchetta, M. Calder, Y-C. Chiu B.

Sibyl A Practical Internet Route Oracle talo Cunha P. Marchetta, M. Calder, Y-C. Chiu B. Schlinker, B. Machado, A. Pescap V. Giotsas, H. Madhyastha, E. Katz-Bassett Traceroute is Widely Used The number one go - to tool is traceroute.

478 views • 19 slides
Sibyl: A Practical Internet Route Oracle Ethan Katz-Bassett (University of Southern California)

Sibyl: A Practical Internet Route Oracle Ethan Katz-Bassett (University of Southern California)

1 Sibyl: A Practical Internet Route Oracle Ethan Katz-Bassett (University of Southern California) with: Pietro Marchetta (University of Napoli Federico II), Matt Calder, Yi-Ching Chiu (USC), Italo Cunha (UFMG), Harsha Madhyastha

707 views • 45 slides
Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 ,

Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 ,

Practical validation of several fault attacks against the Miller algorithm Nadia El Mrabet 1 , Jacques Fournier 2 , Louis Goubin 3 , Ronan Lashermes 2 , 3 , Marie Paindavoine 4 , 5 . 1 - LIASD, Paris 8, France. 2 - CEA Tech, DPACA/LSAS, Gardanne,

446 views • 22 slides
Daily backups should be performed on the Data Center servers. NC &amp; SC use rman

Daily backups should be performed on the Data Center servers. NC &amp; SC use rman

CISN/RSNs are currently running Oracle 10g Release 2. Oracle 11g Release 2 is the latest Oracle version. Oracle releases Critical Patch Updates on a quarterly basis. They contain security fixes and should be installed promptly.

330 views • 8 slides
Purchase Requisitions and Receiving Non Vendor Catalog Revised 12/06/2016 Ground Rules

Purchase Requisitions and Receiving Non Vendor Catalog Revised 12/06/2016 Ground Rules

Purchase Requisitions and Receiving Non Vendor Catalog Revised 12/06/2016 Ground Rules Please put cell phones on vibrate, dont answer in class. If urgent, please step outside the classroom. Please do not perform work including email

474 views • 22 slides
Prelim 1 tonight 7:30 PM NetID ends in 0-6: Olin Hall 155 NetID ends in 7-9: Olin Hall

Prelim 1 tonight 7:30 PM NetID ends in 0-6: Olin Hall 155 NetID ends in 7-9: Olin Hall

Try to leave every 3 rd row (mostly) empty Wall Wall usable seats empty seats Prelim 1 tonight 7:30 PM NetID ends in 0-6: Olin Hall 155 NetID ends in 7-9: Olin Hall 165 Previous Lecture: Introduction to 2-d array matrix

831 views • 42 slides
Outline I. Flags what is a flag? who cares? II. (commutative) Generic matrices

Outline I. Flags what is a flag? who cares? II. (commutative) Generic matrices

PO-set paths and q -commuting minors Aaron Lauve LaCIM - UQAM S eminaire de combinatoire et dinformatique math ematique le 7 avril 2006 http://www.lacim.uqam.ca/ lauve (Research) lauve@lacim.uqam.ca Outline I. Flags

819 views • 39 slides
Natural Language Processing with Deep Learning CS224N/Ling284 Christopher Manning Lecture 12:

Natural Language Processing with Deep Learning CS224N/Ling284 Christopher Manning Lecture 12:

Natural Language Processing with Deep Learning CS224N/Ling284 Christopher Manning Lecture 12: Information from parts of words: Subword Models Announcements (Changes!!!) Assignment 5 written questions Will be updated tomorrow

687 views • 58 slides
PipeProof: Automated Memory Consistency Proofs for Microarchitectural Specifications Yatin A.

PipeProof: Automated Memory Consistency Proofs for Microarchitectural Specifications Yatin A.

PipeProof: Automated Memory Consistency Proofs for Microarchitectural Specifications Yatin A. Manerkar , Daniel Lustig*, Margaret Martonosi, and Aarti Gupta Princeton University *NVIDIA MICRO-51 http:/ ://check.cs.p .princeton.edu/ Memory

1.36k views • 80 slides
Data science for networked data Po-Ling Loh University of Wisconsin-Madison Department of

Data science for networked data Po-Ling Loh University of Wisconsin-Madison Department of

Data science for networked data Po-Ling Loh University of Wisconsin-Madison Department of Statistics AISTATS Okinawa, Japan April 16, 2019 Joint work with: Justin Khim (UPenn), Varun Jog (UW-Madison), Ashley Hou (UW-Madison), Wen Yan

1.49k views • 104 slides
Kanban vs Scrum Making the most of both QCon, San Francisco Nov 18, 2009 Henrik Kniberg

Kanban vs Scrum Making the most of both QCon, San Francisco Nov 18, 2009 Henrik Kniberg

Kanban vs Scrum Making the most of both QCon, San Francisco Nov 18, 2009 Henrik Kniberg Agile/Lean coach @ Crisp, Stockholm http://www.crisp.se/henrik.kniberg Background: developer, manager, entreprenuer Board of directors

999 views • 52 slides
FLP and RSMs The Consensus Trilogy - Part 1 FLP and RSMs The Consensus Trilogy - Part 1

FLP and RSMs The Consensus Trilogy - Part 1 FLP and RSMs The Consensus Trilogy - Part 1

FLP and RSMs The Consensus Trilogy - Part 1 FLP and RSMs The Consensus Trilogy - Part 1 Announcements Announcements No Lab 1. We will just skip ahead to Lab 2 in 2 weeks. Laziness. More time for you to spend on Lab 2 which looks

1.16k views • 52 slides

More recommend