Show page

Differences

This shows you the differences between two versions of the page.

--- ac:teme:01 [2017/11/06 16:04]
marios.choudary created
+++ ac:teme:01 [2018/11/27 11:05] (current)
tiberiu.iorgulescu [Exercise 1 - Timing attack]
@@ Line 1: / Line 1: @@
-===== Tema 1 - CBC Padding Attack =====
+===== Tema recuperare =====
-In this homework you'll try to implement the CBC-padding attack of Serge Vaudenay:
+==== Exercise 1 - Timing attack ====
+<note important>
+Because of some problems with timing, the exercise doesn't always work anymore, except for when you use very long delays. It is enough to get the first bytes right to complete the exercise. You might have to change the slow_foo() function or the number of iterations for each byte.
+</note>
+In this exercise you will perform a timing attack against CBC-MAC.
+You are given access to a CBC-MAC $\mathsf{Verify}$ oracle, which tests whether the received tag matches the one computed using the secret key. Timing attacks exploit naive equality comparisons between the received and computed MACs (for example, the comparison is done byte by byte; more checks means more latency).
+Your task is to produce a forged tag for the message 'Hristos a inviat' without knowing the key. Do this by iterating through all possible values for a specific byte; when the oracle's latency for a certain value seems larger than the rest, it suggests that the equality test returned True and the oracle passed to the next byte.
+Try to start by finding the first byte and checking your result with the timing attack.
+You can use ''time.clock()'' before and after each oracle query to measure its runtime.
+<note important>
+The oracle's latency is subject to noise; for the best results, you may need to run each query multiple times (try 30) and compute the mean latency.
+</note>
+TODO1: Implement the CBC-MAC function.
+<note>
+To check your implementation of CBC-MAC is correct, verify that this (plaintext,tag) verifies fine:
+plaintext = 'Placinta de mere'
+tag = '07d2771038d62b94fce106cff957da0f'  (in hex, you need to apply decode to get a bytestream)
+</note>
+TODO2: Implement the MAC time verification attack and obtain the desired MAC without knowing the key.
+<note>
+Try to print the resulting tag in hex (with tag.encode(hex)). It should start with 51 and end with 81.
+</note>
+<file python timing.py>
+import sys
+import random
+import string
+import time
+import itertools
+import operator
+import base64
+from Crypto.Cipher import AES
+from Crypto.Hash import SHA256
+def slow_foo():
+    p = 181
+    k = 2
+    while k < p:
+        if p % k == 0:
+            return
+        k += 1
+def aes_enc(k, m):
+  """
+  Encrypt a message m with a key k in ECB mode using AES as follows:
+  c = AES(k, m)
+  Args:
+    m should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...')
+    k should be a bytestring of length exactly 16 bytes.
+  Return:
+    The bytestring ciphertext c
+  """
+  aes = AES.new(k)
+  c = aes.encrypt(m)
+  return c
+def aes_dec(k, c):
+  """
+  Decrypt a ciphertext c with a key k in ECB mode using AES as follows:
+  m = AES(k, c)
+  Args:
+    c should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...')
+    k should be a bytestring of length exactly 16 bytes.
+  Return:
+    The bytestring message m
+  """
+  aes = AES.new(k)
+  m = aes.decrypt(c)
+  return m
+def aes_enc_cbc(k, m, iv):
+  """
+  Encrypt a message m with a key k in CBC mode using AES as follows:
+  c = AES(k, m)
+  Args:
+    m should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...')
+    k should be a bytestring of length exactly 16 bytes.
+    iv should be a bytestring of length exactly 16 bytes.
+  Return:
+    The bytestring ciphertext c
+  """
+  aes = AES.new(k, AES.MODE_CBC, iv)
+  c = aes.encrypt(m)
+  return c
+def aes_dec_cbc(k, c, iv):
+  """
+  Decrypt a ciphertext c with a key k in CBC mode using AES as follows:
+  m = AES(k, c)
+  Args:
+    c should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...')
+    k should be a bytestring of length exactly 16 bytes.
+    iv should be a bytestring of length exactly 16 bytes.
+  Return:
+    The bytestring message m
+  """
+  aes = AES.new(k, AES.MODE_CBC, iv)
+  m = aes.decrypt(c)
+  return m
+def aes_cbc_mac(k, m):
+  """
+  Compute a CBC-MAC of message m with a key k using AES as follows:
+  t = AES-CBC-MAC(k=(k1,k2), m),
+  where k1 is used for the raw-CBC operation and k2 is used for the final
+  encryption.
+  k1 and k2 are derived from k as follows:
+  [k1|k2] = SHA256(k | "CBC MAC keys")
+  Note: the IV for CBC in this case will be 0.
+  Args:
+    m should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...')
+    k should be a bytestring of length exactly 16 bytes.
+  Return:
+    The bytestring MAC t, of 16 bytes.
+  """
+  #Require good size
+  m = m.ljust(16)
+  k = k.ljust(16)
+  #Derive the keys for raw-CBC and for the final tag
+  #[k1 | k2] = SHA256(k + "CBC MAC keys")
+  #Get the MAC:
+  #1 - Do aes-CBC with k1 and iv=0, then keep only last block (last 16 bytes) of encryption
+  #2 - Perform another AES encryption (simple, without CBC) on the last block from #1 using k2
+  #t = tag
+  t = 16*'\x00'
+  return t
+def verify(message, tag):
+  key = 'Cozonace si oua '
+  # Get correct tag
+  goodtag = aes_cbc_mac(key, message)
+  # Compare tags
+  for i in range(16):
+    # Artificially extend byte comparison duration
+    slow_foo()
+    if tag[i] != goodtag[i]:
+      return False
+  return True
+def main():
+  message = 'Hristos a inviat'
+  # Step 1. Iterate through all possible first byte values, and call the
+  # Verify oracle for each of them
+  tag = 16*'\x00'
+  verify(message, tag)
+  # Step 2. Store the byte that caused the longest computation time
+  # Step 3. Continue the operation for each byte (except the last)
+  # Step 4. Guess the last byte, and query the oracle with the complete tag
+  mytag = '???'
+  result = verify(message, mytag)
+  if result == True:
+    print "Found tag: " + mytag
+if __name__ == "__main__":
+  main()
+</file>
+==== Exercise 2 - Merkle's Puzzles ====
+Alice wants to share a secret with Bob, but she knows that if she explicitly tells it to Bob, Eve somehow will find out (she hears everything). So she and Bob establish a small game which helps them think about the same secret, without saying it. The game goes like this:
+  * Alice sends to Bot a list of puzzles. A puzzle looks like this:
+$\mathsf{Puzzle}_i = \mathsf{AES}(\mathsf{key} = 0^{14} \| i, \mathsf{plaintext = Puzzle} \| i \| secret_i)$
+where $secret_i$ represents the $i$-th secret Alice generated (represents 8 randomly generated bytes) and which should be figured out by Bob.
+  * Bob receives the puzzles and randomly chooses one. He knows the first 14 bytes of the key are 0, so he tries to brute-force the rest of the key until he finds a plain text starting with "Puzzle". This way, he knows Alice's secret (the last part of the plain text).
+  * Bob sends the index of the puzzle that he solved, in order to let Alice know which secret they agreed on.
+In the end, both Alice and Bob share the same secret, and Eve has no clue about it.
+Your job is to implement this mechanism starting from the following skeleton:
+<file python merkle.py>
+import random
+import string
+from Crypto.Cipher import AES
+import os
+def aes_enc(k, m):
+  """
+  Encrypt a message m with a key k in ECB mode using AES as follows:
+  c = AES(k, m)
+  Args:
+    m should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...')
+    k should be a bytestring of length exactly 16 bytes.
+  Return:
+    The bytestring ciphertext c
+  """
+  aes = AES.new(k)
+  c = aes.encrypt(m)
+  return c
+def aes_dec(k, c):
+  """
+  Decrypt a ciphertext c with a key k in ECB mode using AES as follows:
+  m = AES(k, c)
+  Args:
+    c should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...')
+    k should be a bytestring of length exactly 16 bytes.
+  Return:
+    The bytestring message m
+  """
+  aes = AES.new(k)
+  m = aes.decrypt(c)
+  return m
+alice_keys = []
+bob_key = []
+# TODO This is Alice. She generates 2^16 random keys and 2^16 puzzles.
+# A puzzle has the following formula:
+# puzzle[i] = aes_enc(key = 0..0 + i, plaintext ="Puzzle" + chr(i) + chr(j) + alice_keys[i])
+# This function shall fill in the alice_keys list and shall return a list of 2^16 puzzles.
+def gen_puzzles():
+  # TODO
+# TODO This is Bob. He tries to solve one random puzzle. His purpose is to solve one random puzzle
+# offered by Alice.
+# This function shall fill in the bob_key list with the secret discovered by Bob.
+# The function shall return the index of the chosen puzzle.
+def solve_puzzle(puzzles):
+  # TODO
+def main():
+  # Alice generates some puzzles
+  puzzles = gen_puzzles()
+  # Bob solves one random puzzle and discovers the secret
+  x = solve_puzzle(puzzles)
+  print "Bob's secret key: " + bob_key[0]
+  # Alice receives the puzzle index from Bob and now knows the secret
+  print "Alice's secret key: " + alice_keys[x]
+  # The secret should be the same, even if it was not explicitly shared
+  if bob_key[0] == alice_keys[x]:
+    print ":)"
+  else:
+    print ":("
+if __name__ == "__main__":
+  main()
+</file>
+==== Exercise 3 - CBC Padding Attack ====
+In this exercise you'll try to implement the CBC-padding attack of Serge Vaudenay:
 http://link.springer.com/content/pdf/10.1007%2F3-540-46035-7_35.pdf
-See sections 3.1 to 3.3 of chapter 3 in the paper above.
+See sections 3.1 to 3.3 of chapter 3 in the paper above for more details.
 Another useful link:
 https://robertheaton.com/2013/07/29/padding-oracle-attack/
-==== About padding ====
+=== About padding ===
 Given a message of length L bytes, we need to pad with b more bytes such that L+b is a multiple of the cipher's block size (e.g. 16 bytes in the case of AES). Each of the last b bytes will have the value b. For example, for a message that has 30 bytes, we shall add two bytes with the value 0x02 at the end, obtaining m = [b1 | b2 | .. | b30 | 0x02 | 0x02], where bi are the 30 original bytes.
-==== Attacking CBC-padding ====
+=== Attacking CBC-padding ===
 The idea in short is the following: given a 1-block ciphertext c = [c1 | c2 | ... | c16], you can find its last byte by crafting a 2-block ciphetext c' = [r | c], where r = [r1 | r2 | ... | r16] contains random bytes. Then, by using an oracle that tells you whether the padding of the decryption of c' is correct or not, you can determine the value of c16. For this you just try all possible values of r16, until for one of them you will find that the oracle returns a successful result (it will do that for one value). In that case, due to the workings of CBC, you found out that r16 ⊕ LSB(Dec(k, c)) = 1. Hence you find that the last byte of the decryption of c is r16 ⊕ 1.
@@ Line 28: / Line 315: @@
-==== Your task ====
+=== Your task ===
 You are given the following ciphertext:
@@ Line 129: / Line 416: @@
   lb = ord(m[lm-1])
-  if lb > lm:
+  if lb > lm or lb == 0:
     return 0
@@ Line 226: / Line 513: @@
 </code>
+<hidden>
+The solution is {{:ic:laboratoare:lab11_sol.zip|here}}.
+</hidden>

Labs

Resources

ac/teme/01.1509977091.txt.gz · Last modified: 2017/11/06 16:04 by marios.choudary

Show page Old revisions

Media Manager Back to top