Cryptographic Attacks NEW
Cryptography is hard to get right. The algorithms might be mathematically sound, but implementations are full of vulnerabilities: weak random numbers, timing leaks, padding oracles, protocol flaws. Attackers don't break the math—they break everything around it.
The Crypto Reality
"Don't roll your own crypto" exists for a reason. Even experts make mistakes. The history of cryptography is littered with "provably secure" systems that fell to implementation attacks.
Cryptographic Attack Categories
┌─────────────────────────────────────────────────────────────────────────────┐
│ CRYPTOGRAPHIC ATTACK SURFACE │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ ALGORITHM ATTACKS IMPLEMENTATION PROTOCOL ATTACKS │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ • Weak ciphers │ │ • Timing attacks│ │ • Downgrade │ │
│ │ • Short keys │ │ • Padding oracle│ │ • Replay │ │
│ │ • Broken hashes │ │ • Side channels │ │ • MITM │ │
│ │ • ECB mode │ │ • RNG failures │ │ • Renegotiation │ │
│ └─────────────────┘ │ • Memory leaks │ └─────────────────┘ │
│ └─────────────────┘ │
│ │
│ KEY MANAGEMENT HUMAN FACTORS │
│ ┌─────────────────┐ ┌─────────────────┐ │
│ │ • Hardcoded keys│ │ • Weak passwords│ │
│ │ • Key reuse │ │ • Social eng │ │
│ │ • Weak KDF │ │ • Phishing │ │
│ │ • IV reuse │ │ • Rubber hose │ │
│ └─────────────────┘ └─────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Weak Algorithms Still in Use
Broken Cryptography
# AVOID THESE - Cryptographically broken:
# Hashes (collision/preimage attacks):
MD5 # Collisions in seconds
SHA1 # Collision demonstrated (SHAttered, 2017)
# Symmetric ciphers:
DES # 56-bit key - brute forced in hours
3DES # Deprecated, Sweet32 attack
RC4 # Multiple biases, broken
Blowfish # 64-bit block, Sweet32 vulnerable
# Asymmetric:
RSA-1024 # Factorable with sufficient compute
RSA with PKCS#1 v1.5 # Bleichenbacher attack
# Modes of operation:
ECB # Patterns leak through (see: ECB penguin)
# Key derivation:
Simple hash of password # Use bcrypt/scrypt/Argon2
# What to use instead:
AES-256-GCM, ChaCha20-Poly1305 # Symmetric
SHA-256, SHA-3, BLAKE3 # Hashing
RSA-2048+ with OAEP, Ed25519 # Asymmetric
Argon2id, bcrypt # Password hashingPadding Oracle Attacks
When a server reveals whether decryption padding is valid, attackers can decrypt ciphertext byte-by-byte without knowing the key.
Concept: Padding Oracle Attack
# CBC mode with PKCS#7 padding
# Valid padding (last byte indicates pad length):
plaintext: [...data...][0x03][0x03][0x03] ✓
plaintext: [...data...][0x01] ✓
# Invalid padding:
plaintext: [...data...][0x03][0x03][0x05] ✗ (inconsistent)
# Attack:
# 1. Send modified ciphertext to server
# 2. Server decrypts, checks padding
# 3. Different error = padding valid vs invalid
# 4. Oracle reveals one bit of information
# 5. Repeat ~256 times per byte to decrypt
# How attackers detect the oracle:
# - Different HTTP status codes (200 vs 500)
# - Different error messages
# - Different response times
# - Different response lengths
# Famous vulnerabilities:
# - ASP.NET Padding Oracle (2010) - full app compromise
# - Lucky Thirteen - TLS timing attack
# - POODLE - SSL 3.0 padding attack
PadBuster
Padding Oracle
Automated padding oracle exploitation tool.
padbuster http://target.com/decrypt?data= [encrypted] 16 -encoding 0
Timing Attacks
When cryptographic operations take different times based on secret data, attackers can extract secrets by measuring execution time.
Python: Vulnerable String Comparison
# VULNERABLE - timing leaks password length and characters
def check_password(input_password, real_password):
if len(input_password) != len(real_password):
return False # Leaks length!
for i in range(len(input_password)):
if input_password[i] != real_password[i]:
return False # Leaks position of first wrong char!
return True
# Attack:
# 1. Try passwords of different lengths, measure time
# 2. Correct length takes longer (passes length check)
# 3. Try each character position, measure time
# 4. Correct characters take longer (loop continues)
# SECURE - constant time comparison
import hmac
def check_password_secure(input_password, real_password):
return hmac.compare_digest(input_password, real_password)
# Always takes same time regardless of where mismatch occursRemote Timing Attacks
Concept: Network Timing
# Can timing attacks work over the network?
# YES - with enough measurements
# Technique: Statistical analysis
# 1. Send request, measure response time
# 2. Repeat thousands of times
# 3. Statistical analysis reveals microsecond differences
# 4. Network jitter averages out with enough samples
# Real-world examples:
# - Remote timing attack on OpenSSL (RSA)
# - SSH username enumeration via timing
# - Web app token comparison timing
# Mitigation:
# - Constant-time comparisons
# - Add random delays (not ideal)
# - Process all requests identicallySide-Channel Attacks
Extract secrets through physical observations: power consumption, electromagnetic emissions, sound, cache behavior.
Cache Timing Attacks
Concept: Cache-Based Attacks
# CPU caches create timing differences based on memory access
# Flush+Reload Attack:
# 1. Attacker flushes cache line (clflush instruction)
# 2. Victim executes cryptographic code
# 3. Attacker measures reload time
# 4. Fast = victim accessed that memory (cache hit)
# 5. Slow = victim didn't access it (cache miss)
# Attack on AES T-table implementation:
# - AES uses lookup tables indexed by key-dependent values
# - Cache timing reveals which table indices accessed
# - Recovers AES key byte-by-byte
# Famous attacks:
# - Spectre: Speculative execution leaks data
# - Meltdown: Read kernel memory from userspace
# - RIDL, Fallout, ZombieLoad: MDS attacks
# Mitigations:
# - Constant-time implementations (no secret-dependent branches)
# - Cache partitioning
# - Disable speculative execution (huge perf hit)TLS/SSL Attacks
TLS Attack History
# Major TLS vulnerabilities timeline:
# BEAST (2011) - Browser Exploit Against SSL/TLS
# - CBC IV predictability in TLS 1.0
# - Decrypt HTTPS cookies
# CRIME (2012) - Compression Ratio Info-leak Made Easy
# - TLS compression leaks secret data
# - Extract session tokens
# BREACH (2013) - Browser Reconnaissance and Exfil via Adaptive Compression
# - HTTP compression version of CRIME
# - Still relevant if compression enabled
# Heartbleed (2014) - OpenSSL CVE-2014-0160
# - Memory disclosure bug
# - Read server's private key from memory
# - 17% of "secure" web servers affected
# POODLE (2014) - Padding Oracle On Downgraded Legacy Encryption
# - SSL 3.0 padding vulnerability
# - Downgrade attack + padding oracle
# FREAK (2015) - Factoring RSA Export Keys
# - Downgrade to export-grade 512-bit RSA
# - Factor key, MITM connection
# Logjam (2015) - Weak DH Parameters
# - Downgrade to 512-bit DH
# - Precomputation attack on common primes
# DROWN (2016) - Decrypting RSA with Obsolete and Weakened eNcryption
# - SSLv2 oracle attacks
# - Decrypt modern TLS if server supports SSLv2
# ROBOT (2017) - Return Of Bleichenbacher's Oracle Threat
# - 19-year-old RSA PKCS#1 attack still works
# - Affected Facebook, PayPal
testssl.sh
TLS Scanner
Comprehensive TLS/SSL vulnerability scanner.
./testssl.sh --vulnerable https://target.com
Random Number Generator Failures
RNG Vulnerabilities
# Cryptography requires unpredictable random numbers
# RNG failures = complete system compromise
# Common failures:
# 1. Seeding with predictable values
srand(time(NULL)); // Predictable seed - ~1 second resolution
key = rand(); // Attacker can brute force
# 2. Low entropy at boot
# VMs cloned from snapshot have same RNG state
# Embedded devices boot with no entropy
# 3. Flawed implementations
# Debian OpenSSL bug (2008): Only 32,768 possible keys
# Discovered after 2 years in production
# 4. Backdoors
# Dual_EC_DRBG - NSA backdoor in NIST standard
# If you know the secret point, predict all outputs
# What to use:
/dev/urandom # Linux - always use this
CryptGenRandom() # Windows
getrandom() # Modern Linux syscall
secrets module # Python 3.6+
# Test for weak RNG:
# - Statistical tests (NIST SP 800-22)
# - Entropy estimation
# - Pattern analysisHash Length Extension
MD5, SHA1, and SHA256 are vulnerable to length extension. If you know H(secret || message), you can compute H(secret || message || padding || extension) without knowing the secret.
Hash Length Extension Attack
# Vulnerable pattern:
signature = SHA256(secret_key + user_data)
# API validates: SHA256(secret + "user=bob") == provided_signature
# Attack:
# Given: SHA256(secret + "user=bob") = abc123...
# Attacker can compute: SHA256(secret + "user=bob" + padding + "&admin=true")
# Without knowing secret!
# Why it works:
# Merkle–Damgård construction (MD5, SHA1, SHA256)
# Hash state after processing = final hash output
# Attacker continues hashing from that state
# Tool: hashpump
hashpump -s 'original_signature' -d 'user=bob' -a '&admin=true' -k 16
# Mitigation:
# Use HMAC(key, message) instead of H(key || message)
# Or use SHA-3 / BLAKE2 (not vulnerable)Cryptographic Attack Tools
CyberChef
Crypto Swiss Knife
Web-based tool for encoding, encryption, and analysis.
gchq.github.io/CyberChef
PadBuster
Padding Oracle
Automated script for padding oracle attacks.
github.com/AonCyberLabs/PadBuster