In this exercise we'll try to break a Linear Congruential Generator, that may be used to generate “poor” random numbers. We implemented such weak RNG to generate a sequence of bytes and then encrypted a plaintext message. The resulting ciphertext in hexadecimal is this:

a432109f58ff6a0f2e6cb280526708baece6680acc1f5fcdb9523129434ae9f6ae9edc2f224b73a8

You know that the LCG uses the following formula to produce each byte:

s_next = (a * s_prev + b) mod p

where both s_prev and s_next are byte values (between 0 and 255) and p is 257. Both a and b are values between 0 and 256.

You also know that the first 16 letters of the plaintext are “Let all creation” and that the ciphertext was generated by xor-ing a string of consecutive bytes generated by the LCG with the plaintext.

Can you break the LCG and predict the RNG stream so that in the end you find the entire plaintext ?

You may use this starting code:

'ex1_weak_rng.py'

import sys
import random
import string
import operator
 
#Parameters for weak LC RNG
class WeakRNG:
    "Simple class for weak RNG"
    def __init__(self):
        self.rstate = 0
        self.maxn = 255
        self.a = 0 #Set this to correct value
        self.b = 0 #Set this to correct value
        self.p = 257
 
    def init_state(self):
        "Initialise rstate"
        self.rstate = 0 #Set this to some value
        self.update_state()
 
    def update_state(self):
        "Update state"
        self.rstate = (self.a * self.rstate + self.b) % self.p
 
    def get_prg_byte(self):
        "Return a new PRG byte and update PRG state"
        b = self.rstate & 0xFF
        self.update_state()
        return b
 
def strxor(a, b): # xor two strings (trims the longer input)
  return "".join([chr(ord(x) ^ ord(y)) for (x, y) in zip(a, b)])
 
def hexxor(a, b): # xor two hex strings (trims the longer input)
  ha = a.decode('hex')
  hb = b.decode('hex')
  return "".join([chr(ord(x) ^ ord(y)).encode('hex') for (x, y) in zip(ha, hb)])
 
def main():
 
  #Initialise weak rng
  wr = WeakRNG()
  wr.init_state()
 
  #Print ciphertext
  CH = 'a432109f58ff6a0f2e6cb280526708baece6680acc1f5fcdb9523129434ae9f6ae9edc2f224b73a8'
  print "Full ciphertext in hexa: " + CH
 
  #Print known plaintext
  pknown = 'Let all creation'
  nb = len(pknown)
  print "Known plaintext: " + pknown
  pkh = pknown.encode('hex')
  print "Plaintext in hexa: " + pkh
 
  #Obtain first nb bytes of RNG
  gh = hexxor(pkh, CH[0:nb*2])
  print gh
  gbytes = []
  for i in range(nb):
    gbytes.append(ord(gh[2*i:2*i+2].decode('hex')))
  print "Bytes of RNG: "
  print gbytes
 
  #Break the LCG here:
  #1. find a and b
  #2. predict/generate rest of RNG bytes
  #3. decrypt plaintext
 
  # Print full plaintext
  p = ''
  print "Full plaintext is: " + p
 
 
if __name__ == "__main__":
  main()  

In this exercise we'll build a simple Linear Feedback Shift Register (LFSR). LFSRs produce random bit strings with good statistical properties, but are very easy to predict.

The register is a sequence of $n$ bits; a LFSR is defined by:

• an initial state (the initial bit contents of the register)
• a polynomial that describes how bit shifts should be performed

For example, given an $18$ bit LFSRm the polynomial $X^{18} + X^{11} + 1$ and the initial state:

  state = '001001001001001001'
                     *      *

we generate a new bit $b$ by $\mathsf{xor}$-ing bits $11$ ($0$) and $18$ ($1$), thus obtaining $b = 1$. We then shift the whole register to the right (thus dropping the right-most bit, which is the bit we add to the generated random sequence) and insert $b$ to the left. Thus, the new state is:

  state = '100100100100100100'

The process is repeated until the desired number of bits have been generated.

Using the above starting state and polynomial, generate $100$ random bits and run the monobit statistical test from the previous exercise to see if their frequency seems random.

The goal of this exercise is to implement the meet-in-the-middle attack on double DES. For this, you are given a starter code (see below), implemented using the Pycrypto library: https://pypi.python.org/pypi/pycrypto

Perform the following tasks:

• a) Install the pycrypto library
• b) Starting from the starter code (see below), write methods to encrypt and decrypt using double-DES (2DES), defined as follows:

<quote> 2DES( (k1,k2), m) = DES(k1, DES(k2, m))</quote>

• c) You are given the ciphertexts

c1 = 'cda98e4b247612e5b088a803b4277710f106beccf3d020ffcc577ddd889e2f32'

c2 = '54826ea0937a2c34d47f4595f3844445520c0995331e5d492f55abcf9d8dfadf'

as hex strings (i.e. you need to decode them to get the actual byte strings to use with DES, e.g. c1.decode('hex'))

Decrypt them using the following keys:

k1 = 'Smerenie'

k2 = 'Dragoste'

The plaintext corresponding to c1 is m1='Fericiti cei saraci cu duhul, ca'. Find the plaintext m2 corresponding to c2.

• d) Decrypt the entire ciphertext (c1 || c2) with k1 and k2 using 2DES and check it matches the messages m1||m2 above.
• e) You are given the following ciphertext/plaintext pairs:

m1 = 'Pocainta' (in byte string, i.e. can be used directly with Pycrypto DES)

c1 = '9f98dbd6fe5f785d' (in hex string, you need to hex-decode)

m2 = 'Iertarea'

c2 = '6e266642ef3069c2'

Due to a problem with the PRG, you also know the last 6-bytes of each key (note we now have a different key than for the previous exercises): k1 (last 6 bytes) = 'oIkvH5' k2 (last 6 bytes) = 'GK4EoU'

To build a table, I recommend using a list of tuples, where you add new (key,enc) pairs as follows:

tb = []
tb.append(('keyval', 'encva'))

To sort the table, you can do this:

tbs = sorted(tb, key=itemgetter(1))

To search with binary search, first select just the second column (to search the encryptions):

tenc = [value for _,value in tbs]

then use the bisect library (e.g. bisect.bisect_left) https://docs.python.org/2/library/bisect.html

The starter code is this:

import sys
import random
import string
from operator import itemgetter
import time
import bisect
from Crypto.Cipher import DES

def strxor(a, b): # xor two strings (trims the longer input)
  return "".join([chr(ord(x) ^ ord(y)) for (x, y) in zip(a, b)])

def hexxor(a, b): # xor two hex strings (trims the longer input)
  ha = a.decode('hex')
  hb = b.decode('hex')
  return "".join([chr(ord(x) ^ ord(y)).encode('hex') for (x, y) in zip(ha, hb)])

def bitxor(a, b): # xor two bit strings (trims the longer input)
  return "".join([str(int(x)^int(y)) for (x, y) in zip(a, b)])

def str2bin(ss):
  """
    Transform a string (e.g. 'Hello') into a string of bits
  """
  bs = ''
  for c in ss:
    bs = bs + bin(ord(c))[2:].zfill(8)
  return bs

def str2int(ss):
  """
    Transform a string (e.g. 'Hello') into a (long) integer by converting
    first to a bistream
  """
  bs = str2bin(ss)
  li = int(bs, 2)
  return li

def hex2bin(hs):
  """
    Transform a hex string (e.g. 'a2') into a string of bits (e.g.10100010)
  """
  bs = ''
  for c in hs:
    bs = bs + bin(int(c,16))[2:].zfill(4)
  return bs

def bin2hex(bs):
  """
    Transform a bit string into a hex string
  """
  bv = int(bs,2)
  return int2hexstring(bv)

def byte2bin(bval):
  """
    Transform a byte (8-bit) value into a bitstring
  """
  return bin(bval)[2:].zfill(8)

def int2hexstring(bval):
  """
    Transform an int value into a hexstring (even number of characters)
  """
  hs = hex(bval)[2:]
  lh = len(hs)
  return hs.zfill(lh + lh%2)

def get_index(a, x):
  'Locate the leftmost value exactly equal to x in list a'
  i = bisect.bisect_left(a, x)
  if i != len(a) and a[i] == x:
    return i
  else:
    return -1

def des_enc(k, m):
  """
  Encrypt a message m with a key k using DES as follows:
  c = DES(k, m)

  Args:
    m should be a bytestring (i.e. a sequence of characters such as 'Hello' or '\x02\x04')
    k should be a bytestring of length exactly 8 bytes.

  Note that for DES the key is given as 8 bytes, where the last bit of
  each byte is just a parity bit, giving the actual key of 56 bits, as expected for DES.
  The parity bits are ignored.

  Return:
    The bytestring ciphertext c
  """
  d = DES.new(k)
  c = d.encrypt(m)

  return c

def des_dec(k, c):
  """
  Decrypt a message c with a key k using DES as follows:
  m = DES(k, c)

  Args:
    c should be a bytestring (i.e. a sequence of characters such as 'Hello' or '\x02\x04')
    k should be a bytestring of length exactly 8 bytes.

  Note that for DES the key is given as 8 bytes, where the last bit of
  each byte is just a parity bit, giving the actual key of 56 bits, as expected for DES.
  The parity bits are ignored.

  Return:
    The bytestring plaintext m
  """
  d = DES.new(k)
  m = d.decrypt(c)

  return m
  
def main():

  # Exercitiu pentru test des2_enc
  key1 = 'Smerenie'
  key2 = 'Dragoste'
  m1_given = 'Fericiti cei saraci cu duhul, ca'
  c1 = 'cda98e4b247612e5b088a803b4277710f106beccf3d020ffcc577ddd889e2f32'
  # TODO: implement des2_enc and des2_dec
  m1 = des2_dec(key1, key2, c1.decode('hex'))

  print 'ciphertext: ' + c1
  print 'plaintext: ' + m1
  print 'plaintext in hexa: ' + m1.encode('hex')

  # TODO: run meet-in-the-middle attack for the following plaintext/ciphertext
  m1 = 'Pocainta'
  c1 = '9f98dbd6fe5f785d' # in hex string
  m2 = 'Iertarea'
  c2 = '6e266642ef3069c2'
  
  # Note: you only need to search for the first 2 bytes of the each key:
  k1 = '??oIkvH5'
  k2 = '??GK4EoU'



if __name__ == "__main__":
  main()