
Cryptography in the Web: The Case of Cryptographic Design Flaws in ASP.NET

Thai Duong, Vnsecurity/HVAOnline, Ho Chi Minh City, Vietnam, thaidn@vnsecurity.net


Duong, Vnsecurity/HVAOnline, Ho Chi Minh City; Rizzo, Netifera, Buenos Aires

This paper discusses how cryptography is misused in the security design of a large part of the Web. Our focus is on ASP.NET, the web application framework developed by Microsoft that powers 25% of all Internet web sites. We show that attackers can abuse multiple cryptographic design flaws to compromise web applications. We describe practical and highly efficient attacks that allow attackers to steal cryptographic secret keys and forge authentication tokens to access sensitive information. The attacks combine decryption oracles, unauthenticated encryptions, and the reuse of keys for different encryption purposes. Finally, we give some reasons why cryptography is often misused in web technologies, and recommend steps to avoid these , Application Security, Web security, Decryption oracle attack, Unauthenticated

INTRODUCTION

At EuroCrypt 2004 Nguyen asked, "How can one know if what is implemented [in software] is good cryptography?"

[1]. This is an important question because history has shown that cryptography is often used incorrectly in both open source and proprietary software (see [1]-[7]). Nevertheless, despite the important role of the WWW, there is limited research available from both the cryptographic and web security communities to answer Nguyen's question for the case of cryptographic implementations in web paper shows that badly implemented cryptography is not limited to traditional software, but is highly pervasive in web applications as well. Since HTTP is a stateless protocol, web developers must either manage the user session state data on the server or push it to the client. For performance and scalability reasons, web developers tend to go with the latter method. They want to keep session information secret, so they correctly turn to cryptography. However, implementing crypto is error-prone. We observe that unauthenticated encryption is often used to encrypt session state data such as HTTP cookies and view states.

Unauthenticated encryption is dangerous [7]-[11], particularly when used in an authentication system. The ability to forge a ciphertext that decrypts to a desired plaintext allows the attacker to impersonate other users easily [7]. Web developers also tend to use the same keys for different encryption purposes. These cryptographic errors together make the Web become a gold mine for chosen-ciphertext this paper, we illustrate this point by examining the case of cryptographic implementations in web applications based on ASP.NET [12]. The framework was first released in January 2002 with version of the .NET Framework. As of September 2010, it is believed that 25% of all the Internet web sites are developed using we , which was the current stable version at the time of submission. Our comments also apply to several previous versions of observe several cryptographic flaws in most serious flaw (which turns out to have been present in ASP.NET for almost three years) is a consequence of unauthenticated encryption.

We present two practical and highly efficient attacks that allow attackers to steal cryptographic secret keys, forge authentication tokens and destroy the security model of every are chosen-ciphertext attacks that combine decryption oracles similar to the padding oracle introduced by Vaudenay at EuroCrypt '02 [13] and the CBC-R technique that Rizzo and Duong demonstrated at USENIX WOOT '10 [14]. The novelty of these attacks is that not only can the attacker decrypt secret data in ASP.NET, but he also can create ciphertexts that after being decrypted and processed , allow him to retrieve sensitive rest of the paper is organized as follows. In Section II, we give an overview of ASP.NET and the cryptographic vulnerabilities in the framework. In Section III, we provide sufficient background on decryption oracle attacks and the CBC-R technique to make the paper self-contained. In Section IV, we describe our first attack exploiting padding oracles in the framework. In Section V, we describe our second attack, which is faster than the first attack and does not require a padding oracle.

In Section VI, we consider the practical impact of our attacks as well as countermeasures that prevent them. Our reflections on why cryptography is often misused in web technologies and our recommendations can be found in Section

IEEE Symposium on Security and Privacy, 1081-6011/11, 2011 IEEE

AN OVERVIEW

this section, we review some key concepts and terminology for We then describe how the framework misuses cryptography when attempting to tamper-proof and encrypt sensitive

Key Concepts and Terminology

Machine Key: The machine key is a pair of global secret keys set in the web application configuration to be used for encryption and authentication. A key named validationKey is used to generate hashed message authentication codes (HMAC) to protect the integrity of authentication tickets and view states. A second key named decryptionKey is used to encrypt and decrypt authentication tickets and view State: An application is a collection of .

NET pages, known officially as web forms. ASP.NET applications are hosted by a web server and are accessed using the stateless HTTP protocol. As such, if an application uses stateful interaction, it has to implement state management on its own. ASP.NET provides various functions for state management, and view state is one of state refers to the page-level state management mechanism utilized by the HTML pages emitted by to maintain the state of the web form controls and widgets. The state of the controls is sent to the server at every form submission in a hidden field known as __VIEWSTATE. The main use for this is to preserve form information when the page is reloaded. The hidden field is updated by the server and is never modified by the default, the validationKey is used to generate an HMAC from the view state content. This HMAC is stored as a hidden field in forms, and is verified on every request. If ASP.NET receives a request with an invalid HMAC, the request is dropped. Because the view state can contain sensitive data, ASP.NET allows developers to enable view state encryption on a server-wide or per-page basis.

Microsoft's documentation on view state encryption is unclear as to whether the view state is still authenticated if encryption is on our testing, we see ASP.NET either authenticates or encrypts view states, but it does not apply both operations at the same

Authentication Tickets: Since ASP.NET aims to become a rapid web development framework, it provides built-in solutions for many common problems in web development. One of them is user account support. Providing user account support for any site involves the same set of steps: creating a datastore, a login page and a register page; defining authentication and authorization mechanisms; a page for the site's administrators to manage the user accounts; and so forth. Prior to , developers had to decide how to implement all of these features on their own. To ease this burden, introduced the concept of forms-based authentication. This feature provides a FormsAuthentication class that handles signing in and out of a site, as well as a protected authentication ticket to remember users' login states across page authentication uses an authentication ticket that is created when a user logs on to a site; this ticket is then used to track the user throughout the site.

The forms authentication ticket is created by the FormsAuthentication class as follows. Once the user is validated, the FormsAuthentication class internally creates a FormsAuthenticationTicket object by specifying his username; the version of the ticket; the directory path; the issue date of the ticket; the expiration date of the ticket; whether the ticket should be persisted; and, optionally, user-defined data. Next the FormsAuthenticationTicket object is serialized, then an HMAC is generated from the serialized data using the validationKey. This HMAC is appended to the end of the serialized data, then the whole content is encrypted using AES or DES with the decryptionKey. The resulting string is called the form authentication ticket, and it is usually contained inside an HTTP cookie. However, ASP.NET supports cookie-less forms authentication; in this case the ticket is passed in a query time a subsequent request is received after authentication, the FormsAuthenticationModule class retrieves the authentication ticket from the authentication cookie or the query string, decrypts it, computes the hash value, and verifies the HMAC value to ensure that the ticket has not been tampered with.

Finally, the expiration time contained inside of the forms authentication ticket is verified. If all checks pass, ASP.NET will authenticate the request, and the user is authenticated as the username contained in the authentication ticket. Consequently, the ability to create valid authentication tickets is sufficient for an attacker to impersonate any user account in

Resources and Script Resources: In the .NET framework, an assembly is a compiled code library used for deployment, versioning and security. An assembly consists of one or more files. These files can be code modules, web resources (e.g., HTML, CSS, or images), or script resources (e.g., Javascript). Web developers reference these static resources through a standard and script resources rely on special handlers , respectively, to serve resources to the web browser. When a request comes in from the client , the handler looks for the web resource identifier in the QueryString method of the Request object. Based on the value of the web resource identifier, the handler then tries to load the assembly that contains this resource.

If this operation is successful, the handler will then look for the assembly attribute and load the resource stream from the assembly. Finally, the handler will obtain the data from the resource stream and send it to the client together with the content type specified in the assembly request format for as observe two interesting things about the d parameter:

1) ASP.NET encrypts this parameter, but does not authenticate the
2) Due to a feature , an attacker can download arbitrary files inside the document root of applications given a

Cryptographic Design Flaws in

observe two sets of cryptographic flaws in : improper use of cryptographic primitives, and insecure

Key Management: There are three issues in manages cryptographic first issue is the reuse of keys for different the last section, we showed that the framework uses cryptography to authenticate and encrypt view states, forms authentication tickets, web resources and script are pieces of information with different levels of importance.
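
An added example, not code from the paper or from ASP.NET: one way to avoid both the key reuse described above and the decrypt-then-verify ticket check is to derive a separate key pair per purpose and to verify an HMAC over the ciphertext before decrypting. The class name, the purpose labels and the token layout (IV || ciphertext || tag) are assumptions, and the code targets .NET 6 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added illustration (hypothetical names): encrypt-then-MAC, one key pair per purpose.
static class PurposeBoundToken
{
    const int TagLen = 32, IvLen = 16;
    // Derive an independent key from the master secret for a (purpose, role) pair.
    static byte[] Derive(byte[] master, string purpose, string role)
    {
        using var h = new HMACSHA256(master);
        return h.ComputeHash(Encoding.UTF8.GetBytes(purpose + "|" + role));
    }
    public static byte[] Protect(byte[] master, string purpose, byte[] plaintext)
    {
        using var aes = Aes.Create();                 // AES-256 in CBC mode (the default)
        aes.Key = Derive(master, purpose, "enc");
        aes.GenerateIV();
        using var enc = aes.CreateEncryptor();
        byte[] ct = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        byte[] body = aes.IV.Concat(ct).ToArray();
        using var mac = new HMACSHA256(Derive(master, purpose, "mac"));
        return body.Concat(mac.ComputeHash(body)).ToArray();   // tag covers IV and ciphertext
    }
    // Returns null for any invalid token; the cipher never runs on unauthenticated input.
    public static byte[] Unprotect(byte[] master, string purpose, byte[] token)
    {
        if (token == null || token.Length < IvLen + 16 + TagLen) return null;
        byte[] body = token.Take(token.Length - TagLen).ToArray();
        byte[] tag = token.Skip(token.Length - TagLen).ToArray();
        using var mac = new HMACSHA256(Derive(master, purpose, "mac"));
        // Constant-time comparison, and a single failure path for every bad token.
        if (!CryptographicOperations.FixedTimeEquals(mac.ComputeHash(body), tag)) return null;
        using var aes = Aes.Create();
        aes.Key = Derive(master, purpose, "enc");
        aes.IV = body.Take(IvLen).ToArray();
        using var dec = aes.CreateDecryptor();
        return dec.TransformFinalBlock(body, IvLen, body.Length - IvLen);
    }
    static void Main()
    {
        byte[] master = RandomNumberGenerator.GetBytes(32);   // constructed sample key
        byte[] t = Protect(master, "FormsAuth.Ticket", Encoding.UTF8.GetBytes("user=alice"));
        Console.WriteLine(Unprotect(master, "FormsAuth.Ticket", t) != null);  // intact token
        Console.WriteLine(Unprotect(master, "WebResource.d", t) == null);     // replayed under another purpose
        t[20] ^= 1;                                                           // flip one ciphertext bit
        Console.WriteLine(Unprotect(master, "FormsAuth.Ticket", t) == null);  // tampered token
    }
}
```

Because the tag is checked first and every failure returns the same result, the receiver exposes no padding or decryption behaviour that differs between malformed tokens.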

