0x22bb/hacktricks
1
2
Fork 0
mirror of https://github.com/carlospolop/hacktricks.git synced 2023-12-14 19:12:55 +01:00
Code Releases Activity
hacktricks/cryptography/cipher-block-chaining-cbc-mac-priv.md
Mohammed Alshaboti 03555f03c4
Update cipher-block-chaining-cbc-mac-priv.md 
The final signature should be the last signature of m3 which is S32, as it is already including S31 in it (remember when we did `rator\00\00\00 XOR s1`). Plus we can't concatenate two s1 and s32 to make the signature of administrator because this will be two block size!
2022-03-28 11:07:02 +13:00

3.1 KiB
Raw Blame History

Cipher Block Chaining CBC-MAC

CBC

If the cookie is only the username (or the first part of the cookie is the username) and you want to impersonate the username "admin". Then, you can create the username "bdmin" and bruteforce the first byte of the cookie.

CBC-MAC

In cryptography, a cipher block chaining message authentication code (CBC-MAC) is a technique for constructing a message authentication code from a block cipher. The message is encrypted with some block cipher algorithm in CBC mode to create a chain of blocks such that each block depends on the proper encryption of the previous block. This interdependence ensures that a change to any of the plaintext bits will cause the final encrypted block to change in a way that cannot be predicted or counteracted without knowing the key to the block cipher.

To calculate the CBC-MAC of message m, one encrypts m in CBC mode with zero initialization vector and keeps the last block. The following figure sketches the computation of the CBC-MAC of a message comprising blocksm\_{1}\\|m\_{2}\\|\cdots \\|m\_{x} using a secret key k and a block cipher E:

CBC-MAC structure (en).svg

Vulnerability

With CBC-MAC usually the IV used is 0.
This is a problem because 2 known messages (m1 and m2) independently will generate 2 signatures (s1 and s2). So:

  • E(m1 XOR 0) = s1
  • E(m2 XOR 0) = s2

Then a message composed by m1 and m2 concatenated (m3) will generate 2 signatures (s31 and s32):

  • E(m1 XOR 0) = s31 = s1
  • E(m2 XOR s1) = s32

Which is possible to calculate without knowing the key of the encryption.

Imagine you are encrypting the name Administrator in 8bytes blocks:

  • Administ
  • rator\00\00\00

You can create a username called Administ (m1) and retrieve the signature (s1).
Then, you can create a username called the result of rator\00\00\00 XOR s1. This will generate E(m2 XOR s1 XOR 0) which is s32.
now, you can use s32 as the singature of the full name Administrator.

Summary

  1. Get the signature of username Administ (m1) which is s1
  2. Get the signature of username rator\x00\x00\x00 XOR s1 XOR 0 is s32**.**
  3. Set the cookie to s32 and it will be a valid cookie for the user Administrator.

Attack Controlling IV

If you can control the used IV the attack could be very easy.
If the cookies is just the username encrypted, to impersonate the user "administrator" you can create the user "Administrator" and you will get it's cookie.
Now, if you can control the IV, you can change the first Byte of the IV so IV[0] XOR "A" == IV'[0] XOR "a" and regenerate the cookie for the user Administrator. This cookie will be valid to impersonate the user administrator with the initial IV.

References

More information in https://en.wikipedia.org/wiki/CBC-MAC