presentasjon.html

ï»¿<!DOCTYPE html>

<!--
  Google HTML5 slide template

  Authors: Luke Mahé (code)
           Marcin Wichary (code and design)

           Dominic Mazzoni (browser compatibility)
           Charles Chen (ChromeVox support)

  URL: http://code.google.com/p/html5slides/
-->

<html>
  <head>
    <title>Presentation</title>

    <meta charset='utf-8'>
    <script src='slides.js'></script>
	<script src='jquery-1.7.1.min.js'></script>
    <style>

      a {
        text-decoration: none;
      }

      .slides.template-bekk > article:not(.nobackground):not(.biglogo) {
        background: url(images/bekk-logo-small.png) 710px 625px no-repeat;
        background-color: white;
      }

      q.small {
        font-size: 1.1em;
      }
	  q.smaller {
		font-size: 1em;
		line-height: 1em;
	  }
	  .green li {
		color: #0a0;
	  }
	  .yellow li {
		color: #dd0;
	  }
	  .red li {
		color: #a00;
	  }
	 .cbc {
		width: 80%;
		margin: 100px auto;
	 }
	 ol {
		list-style: none;
	 }
	.cbc td {
		text-align: center;
		border-color: #444444;
		font-size: 80%;
		padding: 1px;
		width: 12.5%;
		font-family: monospace;
		vertical-align: middle;
	}
	.cbc tr.arrow td, .cbc tr.xor td{
		border: none;
	}
	.cbc .decrypt td {
		background: #444444;
		color: #fff
	}
	#padding td {
		font-weight: bold;
	}
	#padding td.pad {
		font-style: italic;
		font-weight: normal;
	}
	#result {
		margin: 70px auto;
	}
	.cbc th {
		font-weight: normal;
		border: none;
		font-family: 'Open Sans', Arial, sans-serif !important;
		min-width: 120px !important;
		overflow: hidden;
		vertical-align: middle;
	}
	.communication {
		margin-top: 20px;
	}
	.communication pre {
		margin-top: 4px;
	}
	.communication .server {
		text-align: right;
	}
	.communication .server pre {
		text-align: left;
	}
	.clickable {
		border: 1px solid #008A35;
		color: #008A35;
		cursor: pointer;
	}
	.found {
		color: #008A35;
	}
	.md5 {
		width: 100%;
		margin-top: 10px;
	}
	.md5 td {
		font-size: 90%;
		min-width: 30px;
		padding: 4px;
		width: 30px;
	}
	pre.inbetween  {
		margin: 10px 0px 10px 0px;
	}
	
	
    </style>
	<script>
	function drawCBC(container, cipher, intermediate, iv, plain) {
		$(function() {
			var table = $("<table>").appendTo(container).addClass("cbc");
			buildRow(cipher).appendTo(table).addClass("cipher");
			buildRow(makeBlock("&darr;")).appendTo(table).addClass("arrow");
			var tr = $("<tr>").appendTo(table).addClass("decrypt");
			$("<td>").attr("colspan", 8).appendTo(tr).text("Decrypt");
			buildRow(makeBlock("&darr;")).appendTo(table).addClass("arrow");
			buildRow(intermediate).appendTo(table).addClass("intermediate");
			buildRow(makeBlock("&oplus;")).appendTo(table).addClass("xor");
			buildRow(iv).appendTo(table).addClass("iv");
			buildRow(makeBlock("&darr;")).appendTo(table).addClass("arrow");
			buildRow(plain).appendTo(table).addClass("plain");
			});
	}
	function makeBlock(val) {
		var a = new Array();
		for (var i = 0; i < 8; i++) {
			a.push(val);
		}
		return a;
	}
	function makeLetterSubBlock(letter) {
		var a = new Array();
		for (var i = 0; i < 8; i++) {
			a.push(letter + "<sub>" + i + "</sub>");
		}
		return a;	
	}
	function buildRow(data) {
		var tr = $("<tr>");
		$(data).each(function(i,d) {
			$("<td>").html(d).appendTo(tr);
		});
		return tr;
	}
	function buildHexRow(data) {
		var tr = $("<tr>");
		$(data).each(function(i,d) {
			$("<td>").html(toHex(d)).appendTo(tr);
		});
		return tr;
	}
	function toHex(i) {
		return (i < 16 ? "0x0" : "0x") + i.toString(16);
	}
	$(function() {
		var table = $("#padding");
		for (var i = 1; i <= 8; i++) {
			var tr = buildRow(makeLetterSubBlock("p")).appendTo(table);
			for (var j = 1; j <= i; j++) {
				$(tr.children("td").get(8 - j)).text(toHex(i)).addClass("pad");
			}
		}
	});
	function addHeader(row, header) {
		$("<th>").html(header).prependTo(row);
	}
	$(function() {
		$(".source").each(function(i, e) {
			var link = $(e).text();
			$(e).html("").append($("<a>").text(link).attr("href", link));
		});
	});
	
	</script>
  </head>

  <body style='display: none'>

    <section class='slides layout-regular template-bekk'>

      <article>
        <h1>
          Practical attacks on web crypto
        </h1>
        <p>
          Erlend Oftedal
          &mdash;
          <a href="http://twitter.com/webtonull">@webtonull</a>
          <br>
          Bekk Consulting
          <br>
          7. December 2011
        </p>
      </article>

	  <article>
		<table style="text-align: center; margin: 0px auto; width: 90%;">
			<tr class="build">
				<td style="height: 600px; background: url(images/sykkel-laas.png) top left no-repeat"></td>
				<td style="height: 600px; background: url(images/sykkel-laas.png) top right no-repeat"></td>
			</tr>
		</table>  
	  </article>
	  
	  <article>
		<h3>Who am I?</h3>
		<img src="images/erlend.jpg" style="position: absolute; bottom: 2.5em; right: 1em; " />
		<ul class="build">
			<li>Work as a developer</li>
			<li>Leader of Security Competency group at <a href="http://www.bekk.no">BEKK</a></li>
			<li><a href="https://www.owasp.org/index.php/Norway">OWASP Norway Chapter</a> lead</li>
			<li>Member of <a href="http://www.honeynor.no/">Norwegian Honeynet Project</a></li>
			<li>Above average interest in security</li>
		</ul>
	  </article>

	  <article>
		<h3>Agenda</h3>
		<ul class="build">
			<li>Hashing</li>
			<li>Attacks on hashes</li>
			<li>Attacks on encrypted values</li>
		</ul>
	  </article>
	  
      <article>
        <q class="question">
          What's the best way to anger a security guy?
        </q>
		<br>
		<div class="build">
			<span>Say something like: "We encrypt our passwords with MD5"</span>
		</div>
      </article>

	  <article>
		<h3>Hash functions</h3>
		<ul class="build">
			<li>Maps a large dataset to a smaller data set</li>
			<li>Low cost</li>
			<li>Deterministic</li>
			<li>Uniform</li>
		</ul>
        <div class='source'>
          http://en.wikipedia.org/wiki/Hash_function
        </div>
	  </article>

	  <article>
		<h3>Cryptographic hash functions</h3>
		<ul class="build">
			<li>Easy to compute for any given message</li>
			<li>Infeasable to generate a message for a given hash</li>
			<li>Infeasable to modify a message without changing the hash</li>
			<li>Infeasable to find two different messages with the same hash</li>
		</ul>
        <div class='source'>
          http://en.wikipedia.org/wiki/Cryptographic_hash_function
        </div>
	  </article> 
	  
	  <article>
		<h3>Hashing passwords</h3>
		<ul class="build green">
			<li>Infeasable to generate a message for a given hash</li>
			<li>Infeasable to modify a message without changing the hash</li>
			<li>Infeasable to find two different messages with the same hash</li>
		</ul>
		<ul class="build yellow">
			<li>Deterministic</li>
			<li>Low cost</li>
		</ul>
	  </article>

	  <article>
		<q class="question">Given a password hash, what is the easiest way to find the password?</q>
		<br>
		<h3>d8b36fa2ce602b7258ecaa289cf70aa1</h3>
	  </article>
	  
	  <article>
		<div class="build" style="text-align: center">
			<img src="images/google.png" style="margin: 0px -60px 0px -60px" />
		</div>  
	  </article>

	  <article>
		<h3>Someone actually built a tool</h3>
		<div class="build" style="text-align: center">
			<img src="images/bozocrack.png" style="margin: 100px auto" />
		</div>  
        <div class='source'>
		https://github.com/juuso/BozoCrack
        </div>	  
	  </article>
	  	  
	  <article>
		<h3>How to avoid these pitfalls</h3>
		<ul>
			<li>Use a cryptographically strong random salt unique for each user</a>
			<li>Hash the password together with the salt</li>
			<li>Run the hash function 1000 times</li>
			<li style="margin-top: 2em">Consider using <a href="http://www.tarsnap.com/scrypt.html">scrypt</a> or <a href="http://en.wikipedia.org/wiki/Bcrypt">bcrypt</a> instead</li>
		</ul>
	  </article>
	  
	  <article>
		<h3>Signing data with hashes</h3>
		<div class="build communication">
			<div>Client:<pre>GET /</pre></div>
			<div class="server">Server:
				<pre>200 OK
... &lt;a href="/resource/?a=123&b=46&signature=LQWJDQOC21ASDiojoQ2e13lkajsd="&gt;&lt;/a&gt; ...</pre>
			</div>
			<div>Client:<pre>GET /resource/?a=123&b=46&signature=LQWJDQOC21ASDiojoQ2e13lkajsd=</pre></div>
			<div class="server">Server:
				<pre>200 OK
Data authorized by signature...</pre>
			</div>
		</div>
	  </article>
	  
	  <article>
		<h3>Signing data with hashes</h3>
		<ul class="build">
			<li>Naive approach:
				<pre>Signature = md5(secret + data_to_sign)</pre>
			</li>
			<li>
				MD5 is just an example. This next attack works on for instance SHA1 as well
			</li>
		</ul>
	  </article>
	  
	  <article>
		<h3>Block based hash algorithms (MD)</h3>
		<ol class="build">
			<li>Starts with a constant value S</li>
			<li>First block of data D<sup>0</sup>:
				<pre class="inbetween">H<sup>0</sup> = MD5_round(s, D<sup>0</sup>)</li>
			<li>Consecutive blocks D<sup>n</sup>:
				<pre class="inbetween">H<sup>n</sup> = MD5_round(H<sup>n-1</sup>, D<sup>n</sup>)</li>
			<li>The last block is padded with a 1, some 0s and the length of the original string</li>
		</ol>
	  </article>
	  <article>
		<h3>Attacking the signature</h3>
		<ul class="build">
			<li>Consider the following layout:
				<pre class="inbetween">MD5(secret + data) = h(secret + data + padding)</pre>
			</li>
			<li>
				What if we wanted to hash data that was by coincedence (or not) equal to this:
				<pre class="inbetween">secret + data + padding + some other data</pre>
			</li>
			<li>
				The layout would become
				<pre class="inbetween">MD5(...) = h(secret + data + padding + some other data + padding)</pre>
			</li>
		</ul>
	  </article>
	  
	  <article>
		<h3>Attacking the signature</h3>
		<ul class="build">
			<li>So if we have the output of:
				<pre class="inbetween">H<sup>x</sup> = MD5(secret + data)</pre>
			</li>
			<li>
				We can use H<sup>x</sup> as the starting value S in order to calculate:
				<pre class="inbetween">MD5(secret + data + padding + new data)</pre></li>
			<li>by running for the new data (D<sup>'0</sup>-D<sup>'n</sup>):
				<pre class="inbetween">H<sup>0</sup> = MD5_round(H<sup>x</sup>, D<sup>'0</sup>)</pre>
			</li>
			<li>
				We have to make sure the padding gets the correct length
			</li>
			<li>
				This is called a length extension attack
			</li>
		</ul>
	  </article>
	  
	  <article>
		<h3>Any real-life examples?</h3>
		<ul class="build">
			<li>Thai Duong and Juliano Rizzo disovered a flaw like this in <a href="http://netifera.com/research/flickr_api_signature_forgery.pdf">Flickr's API Signature</a>
			</li>
			<li>Flickr's API signatures worked like this
				<ol>
					<li>Sort your URL parameters list into alphabetical order based on the parameter name:<br>
						<pre class="inbetween">bar=2&baz=3&foo=1</pre></li>
					<li>Concatenate the shared secret and parameter name-value pairs:<br>
						<pre class="inbetween">SECRETbar2baz3foo1</pre></li>
					<li>Calculate the md5() hash of this string and append to the list of parameters
					<pre class="inbetween">bar=2&baz=3&foo=1&signature=afb12318a0b9823bcd</pre></li>
				</ol>
			</li>
		</ul>
	  </article>
	  
	  <article>
		<h3>Attack on the Flickr API</h3>
		<ul class="build">
			<li>The signature could not separate between:<br>
				<pre class="inbetween">bar=2&baz=3&foo=1</pre>
				and
				<pre class="inbetween">b=ar2baz3foo1</pre></li>
			<li>This allowed an attacker to build a new signed URI with arguments:
				<pre class="inbetween">b=ar2baz3foo10000020&bar=6&baz=5&foo=4</pre>
				and then length extend the signature to include the new parameters
			</li>
		</ul>
	  </article>
	  
	  <article>
		<h3>Avoiding attacks on hash-based signatures</h3>
		<ul class="build">
			<li>Don't reinvent the wheel - use HMAC</li>
		</ul>
	  </article>
	  
	  
	  <article>
		<h3>Padding oracles</h3>
		<ul class="build">
			<li>First introduced in <a href="http://www.iacr.org/archive/eurocrypt2002/23320530/cbc02_e02d.pdf">Security Flaws Induced by CBC Padding
	Applications to SSL, IPSEC, WTLS...</a> by Serge Vaudenay in 2002</li>
			<li>In 2010 ASP.NET, Ruby on Rails and Apache Myfaces was <a href="http://netifera.com/research/poet/PaddingOracleBHEU10.pdf">found to be vulnerable</a> by Juliano Rizzo and Thai Duong</li>
		</ul>
	  </article>
	  
	  <article>
		<h3>Padding oracles</h3>
		<div class="build communication">
			<div>Client:<pre>GET /</pre></div>
			<div class="server">Server:
				<pre>200 OK
... &lt;a href="/resource/LQWJDQOC21ASDiojoQ2e13lkajsd="&gt;&lt;/a&gt; ...</pre>
			</div>
			<div>Client:<pre>GET /resource/LQWJDQOC21ASDiojoQ2e13lkajsd=</pre></div>
			<div class="server">Server:
				<pre>200 OK
Secret data....</pre>
			</div>
		</div>
	  </article>

	  <article>
		<h3>Padding oracles</h3>
		<ul>
			<li>Reponses from server:
				<ul class="build">
					<li><strong>200 Ok</strong> - All ok </li>
					<li><strong>404 Not found/invalid</strong> - The value was decrypted ok, but the server could not process the result</li>
					<li><strong>500 Invalid padding</strong> - The server could not decrypt the value</li>
				</ul>
			</li>
		</ul>
	  </article>
	  
	  <article>
		<h3>XOR</h3>
		<ul class="build">
			<li> A &oplus; A = 0</li>
			<li> A &oplus; 0 = A</li>
			<li> A &oplus; 1 = !A</li>
			<li style="margin-top: 2em">From this we can build more complex rules</li>
			<li> A &oplus; B &oplus; B = A</li>
			<li> A &oplus; B &oplus; B &oplus; A = 0</li>
		</ul>
	  </article>
	  
	  <article>
		<h3>CBC based encryption</h3>
		<div class="build" style="text-align: center">
			<img src="images/encrypt.png" style="margin: 100px -60px 0px -60px" />
		</div>  
	  </article>
	  
	  <article>
		<h3>CBC based decryption</h3>
		<div class="build" style="text-align: center">
			<img src="images/decrypt.png" style="margin: 100px -60px 0px -60px" />
		</div>  
	  </article>
	  
  	  <article>
		<h3>PKCS#5/7 padding</h3>
		<table id="padding" class="cbc">
		</table>
		<script>

		</script>
	  </article>
	  
	  <article>
		<h3>Padding oracles</h3>
		<div id="c1" />
		<script>drawCBC($("#c1"), makeLetterSubBlock("c"), makeBlock("?"), makeLetterSubBlock("iv"), makeBlock("?"))</script>
	  </article>
	  
	  <article>
		<h3>Attacking the oracle</h3>
		<ol class="build">
		<li>The attacker wants to decrypt a secret value
			<pre>GET /resource/&lt;IV&gt;&lt;C<sup>0</sup>&gt;&lt;C<sup>1</sup>&gt;&lt;C<sup>2</sup>&gt;</pre>
		<li>The attacker creates a random block <em>R</em></li>
		<li>And sends it to the server together with a cipher text block:
			<pre>GET /resource/&lt;R&gt;&lt;C<sup>0</sup>&gt;</pre>
		</li>
		<li>This will probably result in a padding error</li>
		</ol>
	  </article>
	  
	  <article>
		<h3>Padding oracles</h3>
		<div id="c2" />
		<script>
			var rB =  [0xa9, 0x57, 0x34, 0x78, 0x12, 0xff, 0x75, 0x8f];
			var dec = [0xfe, 0xbd, 0x75, 0x46, 0x36, 0x32, 0x27, 0x41];
			drawCBC($("#c2"), makeLetterSubBlock("c"), makeBlock("?"), makeLetterSubBlock("R"), makeBlock("?"))
			$(function() {
				$("#c2 .iv td").last().addClass("clickable").one("click", function() {
					var r = rB[7];
					var val = dec[7];
					decrypt();
					function decrypt() {
						$("#c2 .iv td").last().text(toHex(r));
						if ((val ^ r) == 1) {
							$("#c2 .plain td").last().text("0x01");
							$("#c2 .intermediate td").last().text(toHex(val));
						} else {
							r = (r + 1) % 256;
							setTimeout(decrypt, 100);
						}
					}	
				});
			});
			
		</script>
	  </article>
	  
	  <article>
		<h3>Attacking the oracle</h3>
		<ol class="build">
		<li>To decrypt the byte next to the last, the attacker needs to find a valid padding of 2</li>
		<li>The attacker sets the last byte of R to:
			<pre>R<sub>7</sub> = R<sub>7</sub> &oplus; 0x01 &oplus; 0x02</pre>
			</li>
		<li>He then does the same trick for the second to last byte</li>
		</ol>
	  </article>
	  	  
	  <article>
		<h3>Padding oracles</h3>
		<div id="c3" />
		<script>
			drawCBC($("#c3"), makeLetterSubBlock("c"), makeBlock("?"), makeLetterSubBlock("R"), makeBlock("?"))
			$(function() {
				$("#c3 .plain td").last().text("0x01")
				$("#c3 .iv td").last().text("0x40")
				$("#c3 .intermediate td").last().text("0x41");
				$("#c3 .iv td").last().addClass("clickable").one("click", function() {
					$("#c3 .plain td").last().text("0x02");
					$("#c3 .iv td").last().text("0x43");
					$("#c3 .iv td").eq(6).addClass("clickable").one("click", function() {
						decryptValue(6, 50, goOn);

					});
				});
				function decryptValue(index, speed, callback) {
					var r = rB[index];
					var val = dec[index];
					for (var i = 7; i > index; i--) {
						$("#c3 .plain td").eq(i).text(toHex(8 - index));
						$("#c3 .iv td").eq(i).text(toHex(dec[i] ^ (8 - index)));
					}
					decrypt(r, val, index, speed, callback);
				}

				function decrypt(r, val, index, speed, callback) {
					$("#c3 .iv td").eq(index).text(toHex(r));
					if ((val ^ r) == 8 - index) {
						$("#c3 .plain td").eq(index).text(toHex(8 - index));
						$("#c3 .intermediate td").eq(index).text(toHex(val));
						callback();
					} else {
						r = (r + 1) % 256;
						setTimeout(function() { decrypt(r, val, index, speed, callback)}, speed);
					}
				}	
				function goOn() {
					$("#c3 .iv td").eq(5).addClass("clickable").one("click", function() {
						var speed = 20;
						decryptValue(5, speed, function() { 
							decryptValue(4, speed, function() {
								decryptValue(3, speed, function() {
									decryptValue(2, speed, function() {
										decryptValue(1, speed, function() {
											decryptValue(0, speed, function() {
											});
										});
									});
								});
							});	
						});
					});
				}
			});
			
		</script>
	  </article>
	  
	  <article>
		<h3>Attacking the oracle</h3>
		<ol class="build">
		<li>Now the attacker has the full output from the decrypt function</li>
		<li>To get the plain text, the attacker can simply:
			<pre>P<sup>n</sup> = R<sup>n</sup> &oplus; 0x08 &oplus; IV<sup>n</sup></pre>
			</li>
		<li>The process is then repeated for each block C<sup>n</sup>, but in this last step instead of IV, C<sup>n-1</sup> is used</li>
		</ol>
	  </article>
	  
	  <article>
		<h3>Example</h3>
		<table id="result" class="cbc">
		</table>
		<script>
			$(function() {
				var table = $("#result");
				buildRow(makeLetterSubBlock("P")).appendTo(table);
				buildRow(makeBlock("=")).appendTo(table).addClass("xor");
				var tr = buildRow(makeBlock("")).appendTo(table);
				for (var i = 0; i < 8; i++) {
					tr.children("td").eq(i).text(toHex(dec[i] ^ 8));
				}
				buildRow(makeBlock("&oplus;")).appendTo(table).addClass("xor");
				buildRow(makeBlock(toHex(8))).appendTo(table);
				buildRow(makeBlock("&oplus;")).appendTo(table).addClass("xor");
				var tr = buildRow(makeBlock("")).appendTo(table);
				var text = "HackPra!";
				for (var i = 0; i < 8; i++) {
					tr.children("td").eq(i).text(toHex(text.charCodeAt(i) ^ dec[i]));
				}
				buildRow(makeBlock("=")).appendTo(table).addClass("xor");
				var tr = buildRow(makeBlock("")).appendTo(table);
				for (var i = 0; i < 8; i++) {
					tr.children("td").eq(i).text(toHex(text.charCodeAt(i)));
				}
				buildRow(makeBlock("&darr;")).appendTo(table).addClass("arrow");
				buildRow(["H","a","c","k", "P","r","a","!"]).appendTo(table);
			});
		</script>
	  </article>
	  
	  <article>
		<h3>Padding Oracle Attacks</h3>
		<ul class="build">
		<li>Between 1 and 256 requests per byte of recovered plain text (mean = 128)</li>
		<li>The process can be reversed in order to encrypt data, but this requires a lot more requests</li>
		<li><a href="http://erlend.oftedal.no/blog/poet/">http://erlend.oftedal.no/blog/poet/</a></li>
		</ul>
	  </article>
	  
	  <article>
		<h3>Defense against Padding Oracle Attacks</h3>
		<ul class="build">
		<li>Have only two results - <strong>Ok</strong> and <strong>Not found</strong></li>
		<li>What's wrong with this code?
<pre>try {
	value = decrypt(inputValue);
	if (db.querySecretElement(value) != null) {
		return OK;
	} else {
		return NOT_FOUND;
	}
} catch(PaddingException ex) {
	return NOT_FOUND;
}</pre>
		</li>
		</ul>
	  </article>
	  
	  <article>
		<h3>BEAST</h3>
		<ul class="build">
			<li>Yet another attack discovered by Juliano Rizzo and Thai Duong</li>
			<li>Published at ekoparty 2011</li>
			<li>An attack on SSL 3.0 and TLS 1.0</li>
		</ul>
	  </article>
	  
	  <article>
		<h3>The keys to this attack</h3>
		<ul class="build">
			<li>If two equal blocks P<sup>n</sup> and P<sup>m</sup> are encrypted using the same
			key and same IV, the resulting cipher text is the same.</li>
			<li>If the IV is different we can still get the same cipher text by altering the plain text 
				<pre>P<sup>m*</sup> = P<sup>m</sup> &oplus; IV<sup>n</sup> &oplus; IV<sup>m</sup></pre>
			</li>
			<li>What is sent to the encryption algorithm thus becomes:
				<pre>P<sup>m*</sup> &oplus; IV<sup>m</sup>  =  P<sup>m</sup> &oplus; IV<sup>n</sup> &oplus; IV<sup>m</sup> &oplus; IV<sup>m</sup>  =  P<sup>m</sup> &oplus; IV<sup>n</sup></pre>
			</li>
		</ul>
	</article>
	
	 <article>
		<h3>Why does this matter?</h3>
		<ul class="build">
			<li><img src="images/beast.png"></li>
			<li>The communication is layed out like this:
			<pre>[A = attacker controlled data][S = secret data]</pre></li>
		</ul>
	 </article>
	 <article>
		<h3>The chosen boundary attack (cont.)</h3>
		<ul class="build">
			<li>Simplified - If A has the length of a block minus one, the last byte of the first block will be the first byte of the secret data
				<table id="beast1" class="cbc" style="margin: 10px auto;">
				</table>
			</li>
			<li>
				The layout of the SSL traffic is thus:
				<pre>[IV][C<sup>0</sup>=E(A + S<sub>0</sub>)][C<sup>1</sup>=E(S<sub>1</sub>-S<sub>8</sub>)][...]</pre>
			</li>
			<li>The attacker now knows the IV and C<sup>0</sup></li>
			<script>
				$(function() {
					var table = $("#beast1");
					var tr = buildRow(makeLetterSubBlock("A")).appendTo(table);
					tr.children("td").last().html("S<sub>0</sub>");
				});
			</script>
		</ul>
	 </article>
	 <article>
		<h3>The chosen boundary attack (cont.)</h3>
		<ul class="build">
			<li>If the connection is kept open and the attacker can send more data, the attacker knows the IV<sup>n</sup> (=C<sup>n-1</sup>) of the next block <em>n</em> to be encrypted</li>
			<li>This allows the attacker to find S<sub>0</sub>, by sending for i = 0 to 255:
				<pre>P<sup>n+i</sup> = [A + i] &oplus; IV &oplus; C<sup>n+i-1</sup></pre>
			</li>
			<li>If any C<sup>n+i</sup> = C<sup>0</sup>, the value of S<sub>0</sub> has been found, and the attacker can stop</li>
		</ul>
	 </article>
	 <article>
		<h3>The chosen boundary attack - Example</h3>
		<table id="beast-c0" class="cbc" style="margin: 40px auto;"></table>
		<script>
			var beast_c0 = [0x74, 0x98, 0xe4, 0x86, 0xa6, 0x3a, 0x45, 0x88];
			var beast_iv = [0x34, 0x83, 0xbf, 0x82, 0x85, 0x87, 0x27, 0x05];
			var beast_key = [0x21, 0x7a, 0x3a, 0x65, 0x42, 0xdc, 0x3, 0xc5];
			var beast_secret = "HackPra!";
			$(function() {
				var table = $("#beast-c0");
				var tra = buildRow(makeBlock("a")).appendTo(table);
				tra.children("td").last().text("?");
				addHeader(tra, "A= ");
				var trah = buildHexRow(makeBlock(0x61)).appendTo(table);
				trah.children("td").last().text("?");
				addHeader(trah, "A(hex)= ");
				var triv = buildHexRow(beast_iv).appendTo(table);
				addHeader(triv, "IV= ");
				var trc = buildHexRow(beast_c0).appendTo(table);
				addHeader(trc, "C<sup>0</sup>= ");
			});
		</script>
		<table id="beast-guess" class="cbc" style="margin: 40px auto;"></table>
		<script>
			var beast_ivn = [0x87, 0x72, 0x22, 0x34, 0x74, 0x18, 0x0f, 0x64];
			var beast_pn = makeBlock(0x61);
			$(function() {
				var table = $("#beast-guess");
				var tra = buildRow(makeBlock("a")).appendTo(table);
				tra.children("td").last().text("?");
				addHeader(tra, "");
				var trap = buildRow(makeBlock("a")).appendTo(table);
				trap.children("td").last().text("?");
				addHeader(trap, "");
				var trac = buildRow(makeBlock("a")).appendTo(table);
				trac.children("td").last().text("?");
				addHeader(trac, "");
				var trac1 = buildRow(makeBlock("a")).appendTo(table);
				trac1.children("td").last().text("?");
				addHeader(trac1, "");
				tryBlock(0, false);
				tra.children("td").last().addClass("clickable").one("click", function() {
					tryBlock(1, true);
				});
				function tryBlock(n, runAll) {
					beast_pn[7] = n;
					tra.children("th").html("A+" + n + "= ");
					trap.children("th").html("P<sup>n+" + n + "</sup>= ");
					trac.children("th").html("C<sup>n+" + n + "-1</sup>= ");
					trac1.children("th").html("C<sup>n+" + n + "</sup>= ");
					for (var i = 0; i < 8; i++) {
						tra.children("td").eq(i).html(toHex(beast_pn[i]));
						trac.children("td").eq(i).html(toHex(beast_ivn[i]));
					}
					var c = [];
					var c2 = [];
					var found = true;
					for (var i = 0; i < 8; i++) { //fake encrypt
						c[i] = Math.floor(Math.random()*256);
						c2[i] = (beast_pn[i] ^ beast_iv[i] ^ beast_key[i]); 
						if (beast_c0[i] != c2[i]) {
							found = false;
						}
					}
					for (var i = 0; i < 8; i++) {
						trac1.children("td").eq(i).html(toHex(found ? c2[i] : c[i]));
						trap.children("td").eq(i).html(toHex(beast_pn[i] ^ beast_iv[i] ^ beast_ivn[i]));
					}
					beast_ivn = c;
					if (runAll && !found && n < 256) {
						setTimeout(function() { tryBlock(n + 1, runAll) }, 100);
					}
					if (found) {
						$("#beast-c0 tr").eq(0).children("td").last().addClass("found").text("H");
						$("#beast-c0 tr").eq(1).children("td").last().addClass("found").text("0x48");
						trac1.children("td").addClass("found");
					}
				}
			});
		</script>
	 </article>
	<article>
		<h3>The chosen boundary attack</h3>
		<ul class="build">
			<li>Now the attacker knows the first letter of the secret</a>
			<li>Next:<ul>
				<li>Reduce size of A by 1 to bring in next byte from S</li>
				<li>Create new connection and rerun algorithm untill the new byte is found</li>
				<li>Repeat for entire secret</li>
				</ul>
			</li>
			<li><a href="http://erlend.oftedal.no/blog/beast/">http://erlend.oftedal.no/blog/beast/</a></li>
		</ul>
	 </article>

	 <article>
		<h3>Defense against BEAST</h3>
		<ul class="build">
			<li>TLS 1.1+ injects an empty frame before every new message
				<ul>
					<li> =&gt; Makes the IV unpredictable</li>
				</ul>
			</li>

			<li>Moving to non-CBC ciphers like RC4</li>			
		</ul>
	 </article>
	
	<article>
		<q>BONUS MATERIAL</q>
	 </article>
	 
	<article>
		<h3><a href="http://www.nds.rub.de/media/nds/veroeffentlichungen/2011/10/22/HowToBreakXMLenc.pdf">Attacks on XML encryption</a></h3>
		<ul class="build">
			<li>By Tibor Jager and Juraj Somorovsky here at RUB</li>
			<li>Is somewhat similar to padding oracles, but does not attack the padding</li>
			<li>XML encryption is padded with random values + length</li>
			<li>So what did they find?</li>
		</ul>
	 </article>
	 
	 <article>
		<h3><a href="http://www.nds.rub.de/media/nds/veroeffentlichungen/2011/10/22/HowToBreakXMLenc.pdf">Attacks on XML encryption (cont.)</a></h3>
		<ul class="build">
			<li>Errors in XML-layout may be detectable in the response from the web service</li>
			<li>By carefully manipulating the cipher text, we can disover when we break the XML layout</li>
			<li>This tells us enough about the cipher text to recover it</li>
		</ul>
	 </article>

	 <article>
		<h3>Todays inspirational quote</h3>
		<div class="build">
			<q>What doesn't kill you makes you smaller</q>
			<span style="float: right">Super Mario</span>
		</div>
		<div class="source">
			http://twitter.com/#!/hubs/statuses/143803181145665536
		</div>
	  </article>
	 
	 <article style="position: relative">
		<q class="question">Questions?</q>
		<ul style="position: absolute; bottom: 100px; right: 60px;">
			<li>Erlend Oftedal - <a href="http://www.twitter.com/webtonull">@webtonull</a></li>
			<li>erlend@oftedal.no</li>
		</ul>
	 </article>
  </body>
</html>