Show page

Differences

This shows you the differences between two versions of the page.

--- ac:laboratoare:03 [2018/09/26 21:46]
tiberiu.iorgulescu
+++ ac:laboratoare:03 [2024/11/07 01:56] (current)
dimitrie.valu
@@ Line 1: / Line 1: @@
-<hidden>
+===== Lab 03 - CBC Padding Oracle Attack =====
-===== Lab 03 - PRGs and DES =====
+This laboratory will cover Sergey Vaudenay's attack on CBC padding. To solve the lab, open [[https://colab.research.google.com/drive/1SW_oF5J_EASiTqg5IhdAY-_mPDccF85G|this Colab notebook]] and copy it into your own drive for persistence.
-==== Exercise 1 (4p) ====
-In this exercise we'll try to break a Linear Congruential Generator, that may be used to generate "poor" random numbers.
-We implemented such weak RNG to generate a sequence of bytes and then encrypted a plaintext message.
-The resulting ciphertext in hexadecimal is this:
-<code>
-a432109f58ff6a0f2e6cb280526708baece6680acc1f5fcdb9523129434ae9f6ae9edc2f224b73a8
-</code>
-You know that the LCG uses the following formula to produce each byte:
-s_next = (a * s_prev + b) mod p
-where both s_prev and s_next are byte values (between 0 and 255) and p is 257.
-Both a and b are values between 0 and 256.
-You also know that the first 16 letters of the plaintext are "Let all creation" and that the ciphertext was generated by xor-ing a string of consecutive bytes generated by the LCG with the plaintext.
-Can you break the LCG and predict the RNG stream so that in the end you find the entire plaintext ?
-You may use this starting code:
-<code python 'ex1_weak_rng.py'>
-import sys
-import random
-import string
-import operator
-#Parameters for weak LC RNG
-class WeakRNG:
-    "Simple class for weak RNG"
-    def __init__(self):
-        self.rstate = 0
-        self.maxn = 255
-        self.a = 0 #Set this to correct value
-        self.b = 0 #Set this to correct value
-        self.p = 257
-    def init_state(self):
-        "Initialise rstate"
-        self.rstate = 0 #Set this to some value
-        self.update_state()
-    def update_state(self):
-        "Update state"
-        self.rstate = (self.a * self.rstate + self.b) % self.p
-    def get_prg_byte(self):
-        "Return a new PRG byte and update PRG state"
-        b = self.rstate & 0xFF
-        self.update_state()
-        return b
-def strxor(a, b): # xor two strings (trims the longer input)
-  return "".join([chr(ord(x) ^ ord(y)) for (x, y) in zip(a, b)])
-def hexxor(a, b): # xor two hex strings (trims the longer input)
-  ha = a.decode('hex')
-  hb = b.decode('hex')
-  return "".join([chr(ord(x) ^ ord(y)).encode('hex') for (x, y) in zip(ha, hb)])
-def main():
-  #Initialise weak rng
-  wr = WeakRNG()
-  wr.init_state()
-  #Print ciphertext
-  CH = 'a432109f58ff6a0f2e6cb280526708baece6680acc1f5fcdb9523129434ae9f6ae9edc2f224b73a8'
-  print "Full ciphertext in hexa: " + CH
-  #Print known plaintext
-  pknown = 'Let all creation'
-  nb = len(pknown)
-  print "Known plaintext: " + pknown
-  pkh = pknown.encode('hex')
-  print "Plaintext in hexa: " + pkh
-  #Obtain first nb bytes of RNG
-  gh = hexxor(pkh, CH[0:nb*2])
-  print gh
-  gbytes = []
-  for i in range(nb):
-    gbytes.append(ord(gh[2*i:2*i+2].decode('hex')))
-  print "Bytes of RNG: "
-  print gbytes
-  #Break the LCG here:
-  #1. find a and b
-  #2. predict/generate rest of RNG bytes
-  #3. decrypt plaintext
-  # Print full plaintext
-  p = ''
-  print "Full plaintext is: " + p
-if __name__ == "__main__":
-  main()
-</code>
-==== Exercise 2 - LFSR (3p) ====
-In this exercise we'll build a simple Linear Feedback Shift Register (LFSR). LFSRs produce random bit strings with good statistical properties, but are very easy to predict.
-The register is a sequence of $n$ bits; a LFSR is defined by:
-  * an initial state (the initial bit contents of the register)
-  * a polynomial that describes how bit shifts should be performed
-For example, given an $18$ bit LFSRm the polynomial $X^{18} + X^{11} + 1$ and the initial state:
-<code>
-  state = '001001001001001001'
-                     *      *
-</code>
-we generate a new bit $b$ by $\mathsf{xor}$-ing bits $11$ ($0$) and $18$ ($1$), thus obtaining $b = 1$. We then shift the whole register to the right (thus dropping the right-most bit, which is the bit we add to the generated random sequence) and insert $b$ to the left. Thus, the new state is:
-<code>
-  state = '100100100100100100'
-</code>
-The process is repeated until the desired number of bits have been generated.
-Using the above starting state and polynomial, generate $100$ random bits and run the monobit statistical test from the previous exercise to see if their frequency seems random.
-==== Exercise 3 (5p) ====
-The goal of this exercise is to implement the meet-in-the-middle attack on double DES.
-For this, you are given a starter code (see below), implemented using the Pycrypto library:
-https://pypi.python.org/pypi/pycrypto
-Perform the following tasks:
-  * a) Install the pycrypto library
-  * b) Starting from the starter code (see below), write methods to encrypt and decrypt using double-DES (2DES), defined as follows:
-<quote> 2DES( (k1,k2), m) = DES(k1, DES(k2, m))</quote>
-  * c) You are given the ciphertexts
-c1 = 'cda98e4b247612e5b088a803b4277710f106beccf3d020ffcc577ddd889e2f32'
-c2 = '54826ea0937a2c34d47f4595f3844445520c0995331e5d492f55abcf9d8dfadf'
-as hex strings (i.e. you need to decode them to get the actual byte strings to use with DES, e.g. c1.decode('hex'))
-Decrypt them using the following keys:
-k1 = 'Smerenie'
-k2 = 'Dragoste'
-The plaintext corresponding to c1 is m1='Fericiti cei saraci cu duhul, ca'. Find the plaintext m2 corresponding to c2.
-<note tip>
-With the Pycrypto library, DES is given a key in 8 bytes (64 bits) rather than 7 (56 bits). However, the last bit in each byte is considered as a parity bit, but in fact ignored in this library, leaving the actual key in 56 bits. For this and the following exercises, we assume the entire key as 64 bits, given for example as 8 characters, as above.
-Note also that for this exercises, we shall be using the default values when initialising the DES cipher (i.e. ECB mode and no IV).
-</note>
-  * d) Decrypt the entire ciphertext (c1 || c2) with k1 and k2 using 2DES and check it matches the messages m1||m2 above.
-  * e) You are given the following ciphertext/plaintext pairs:
-m1 = 'Pocainta' (in byte string, i.e. can be used directly with Pycrypto DES)
-c1 = '9f98dbd6fe5f785d' (in hex string, you need to hex-decode)
-m2 = 'Iertarea'
-c2 = '6e266642ef3069c2'
-Due to a problem with the PRG, you also know the last 6-bytes of each key (note we now have a different key than for the previous exercises):
-k1 (last 6 bytes) = 'oIkvH5'
-k2 (last 6 bytes) = 'GK4EoU'
-To build a table, I recommend using a list of tuples, where you add new (key,enc) pairs as follows:
-<code>
-tb = []
-tb.append(('keyval', 'encva'))
-</code>
-To sort the table, you can do this:
-<code>
-tbs = sorted(tb, key=itemgetter(1))
-</code>
-To search with binary search, first select just the second column (to search the encryptions):
-<code>
-tenc = [value for _,value in tbs]
-</code>
-then use the bisect library (e.g. bisect.bisect_left)
-https://docs.python.org/2/library/bisect.html
-The starter code is this:
-<code>
-import sys
-import random
-import string
-from operator import itemgetter
-import time
-import bisect
-from Crypto.Cipher import DES
-def strxor(a, b): # xor two strings (trims the longer input)
-  return "".join([chr(ord(x) ^ ord(y)) for (x, y) in zip(a, b)])
-def hexxor(a, b): # xor two hex strings (trims the longer input)
-  ha = a.decode('hex')
-  hb = b.decode('hex')
-  return "".join([chr(ord(x) ^ ord(y)).encode('hex') for (x, y) in zip(ha, hb)])
-def bitxor(a, b): # xor two bit strings (trims the longer input)
-  return "".join([str(int(x)^int(y)) for (x, y) in zip(a, b)])
-def str2bin(ss):
-  """
-    Transform a string (e.g. 'Hello') into a string of bits
-  """
-  bs = ''
-  for c in ss:
-    bs = bs + bin(ord(c))[2:].zfill(8)
-  return bs
-def str2int(ss):
-  """
-    Transform a string (e.g. 'Hello') into a (long) integer by converting
-    first to a bistream
-  """
-  bs = str2bin(ss)
-  li = int(bs, 2)
-  return li
-def hex2bin(hs):
-  """
-    Transform a hex string (e.g. 'a2') into a string of bits (e.g.10100010)
-  """
-  bs = ''
-  for c in hs:
-    bs = bs + bin(int(c,16))[2:].zfill(4)
-  return bs
-def bin2hex(bs):
-  """
-    Transform a bit string into a hex string
-  """
-  bv = int(bs,2)
-  return int2hexstring(bv)
-def byte2bin(bval):
-  """
-    Transform a byte (8-bit) value into a bitstring
-  """
-  return bin(bval)[2:].zfill(8)
-def int2hexstring(bval):
-  """
-    Transform an int value into a hexstring (even number of characters)
-  """
-  hs = hex(bval)[2:]
-  lh = len(hs)
-  return hs.zfill(lh + lh%2)
-def get_index(a, x):
-  'Locate the leftmost value exactly equal to x in list a'
-  i = bisect.bisect_left(a, x)
-  if i != len(a) and a[i] == x:
-    return i
-  else:
-    return -1
-def des_enc(k, m):
-  """
-  Encrypt a message m with a key k using DES as follows:
-  c = DES(k, m)
-  Args:
-    m should be a bytestring (i.e. a sequence of characters such as 'Hello' or '\x02\x04')
-    k should be a bytestring of length exactly 8 bytes.
-  Note that for DES the key is given as 8 bytes, where the last bit of
-  each byte is just a parity bit, giving the actual key of 56 bits, as expected for DES.
-  The parity bits are ignored.
-  Return:
-    The bytestring ciphertext c
-  """
-  d = DES.new(k)
-  c = d.encrypt(m)
-  return c
-def des_dec(k, c):
-  """
-  Decrypt a message c with a key k using DES as follows:
-  m = DES(k, c)
-  Args:
-    c should be a bytestring (i.e. a sequence of characters such as 'Hello' or '\x02\x04')
-    k should be a bytestring of length exactly 8 bytes.
-  Note that for DES the key is given as 8 bytes, where the last bit of
-  each byte is just a parity bit, giving the actual key of 56 bits, as expected for DES.
-  The parity bits are ignored.
-  Return:
-    The bytestring plaintext m
-  """
-  d = DES.new(k)
-  m = d.decrypt(c)
-  return m
-def main():
-  # Exercitiu pentru test des2_enc
-  key1 = 'Smerenie'
-  key2 = 'Dragoste'
-  m1_given = 'Fericiti cei saraci cu duhul, ca'
-  c1 = 'cda98e4b247612e5b088a803b4277710f106beccf3d020ffcc577ddd889e2f32'
-  # TODO: implement des2_enc and des2_dec
-  m1 = des2_dec(key1, key2, c1.decode('hex'))
-  print 'ciphertext: ' + c1
-  print 'plaintext: ' + m1
-  print 'plaintext in hexa: ' + m1.encode('hex')
-  # TODO: run meet-in-the-middle attack for the following plaintext/ciphertext
-  m1 = 'Pocainta'
-  c1 = '9f98dbd6fe5f785d' # in hex string
-  m2 = 'Iertarea'
-  c2 = '6e266642ef3069c2'
-  # Note: you only need to search for the first 2 bytes of the each key:
-  k1 = '??oIkvH5'
-  k2 = '??GK4EoU'
-if __name__ == "__main__":
-  main()
-</code>
-</hidden>

Labs

Resources

ac/laboratoare/03.1537987613.txt.gz · Last modified: 2018/09/26 21:46 by tiberiu.iorgulescu

Show page Old revisions

Media Manager Back to top