Differences
This shows you the differences between two versions of the page.
|
ic:laboratoare:06 [2017/01/21 18:02] dan.dragan |
ic:laboratoare:06 [2020/11/03 10:04] (current) philip.dumitru |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ===== Laboratorul 06 - CBC Padding Attack ===== | + | ===== Laboratorul 06 - AES Byte at a Time ECB Decryption ===== |
| + | ==== AES ECB ==== | ||
| + | The simplest of the encryption modes is the Electronic Codebook (ECB) mode (named after conventional physical codebooks). The message is divided into blocks, and each block is encrypted separately. | ||
| - | In this lab we'll try to implement the CBC-padding attack of Serge Vaudenay: | + | {{https://upload.wikimedia.org/wikipedia/commons/thumb/d/d6/ECB_encryption.svg/902px-ECB_encryption.svg.png?450|CBC encryption}} |
| - | http://link.springer.com/content/pdf/10.1007%2F3-540-46035-7_35.pdf | + | {{https://upload.wikimedia.org/wikipedia/commons/thumb/e/e6/ECB_decryption.svg/902px-ECB_decryption.svg.png?450|CBC decryption}} |
| - | See sections 3.1 to 3.3 of chapter 3 in the paper above. | + | Since each block of plaintext is encrypted with the key independently, identical blocks of plaintext will yield identical blocks of ciphertext. |
| + | Lots of people know that when you encrypt something in ECB mode, you can see penguins through it. | ||
| - | ==== About padding ==== | + | The vulnerability happens when: |
| - | Given a message of length L bytes, we need to pad with b more bytes such that L+b is a multiple of the cipher's block size (e.g. 16 bytes in the case of AES). Each of the last b bytes will have the value b. For example, for a message that has 30 bytes, we shall add two bytes with the value 0x02 at the end, obtaining m = [b1 | b2 | .. | b30 | 0x02 | 0x02], where bi are the 30 original bytes. | + | - You send an INPUT to the server. |
| + | - The server appends secret to INPUT -> INPUT||secret | ||
| + | - The server encrypts it with a secret key and a prefix -> AES-128-ECB(random-prefix || attacker-controlled || target-bytes, random-key) | ||
| + | - The server returns | ||
| - | ==== Attacking CBC-padding ==== | + | For the next exercises, we will use the following {{:ic:laboratoare:aesecb_Attack.zip|code stub}}. |
| - | The idea in short is the following: given a 1-block ciphertext c = [c1 | c2 | ... | c16], you can find its last byte by crafting a 2-block ciphetext c' = [r | c], where r = [r1 | r2 | ... | r16] contains random bytes. Then, by using an oracle that tells you whether the padding of the decryption of c' is correct or not, you can determine the value of c16. For this you just try all possible values of r16, until for one of them you will find that the oracle returns a successful result (it will do that for one value). In that case, due to the workings of CBC, you found out that r16 ⊕ LSB(Dec(k, c)) = 1. Hence you find that the last byte of the decryption of c is r16 ⊕ 1. | + | ==== Exercise 1 - Determining Block Size ==== |
| + | The first step in attacking a block-based cipher is to determine the size of the block. | ||
| + | Feed identical bytes of your-string to the function 1 at a time - start with 1 byte ("A"), then "AA", then "AAA" and so on. Discover the block size of the cipher. You know it, but do this step anyway. | ||
| + | <note tip> | ||
| + | Function **findBlockSize()** keeps on incrementing the padding length (and the message length also). | ||
| - | Once you found the last byte c16 of the decryption of c, you can work your way towards the following byte, c15. This time you need to target the two-byte padding [0x02 | 0x02]. For this you simply use for r16 the value LSB(Dec(k, c)) ⊕ 0x02, and try all values for r15 just as we did above for r16. In the same manner you can decrypt all the ciphertext blocks c1 ... c16. | + | How does the message length relates to the number of cypher blocks? |
| - | + | ||
| - | You can then repeat the above process for any ciphertext of arbitrary length. Simply apply the attack on all blocks. | + | |
| - | + | ||
| - | <note tip> | + | |
| - | To obtain a message that was encrypted with CBC, you also need the initial value (IV) and then you need to apply CBC decryption using the values obtained above. Those are just intermediary values, and not the actual message. | + | |
| - | Check the course for details: | + | |
| - | http://cs.curs.pub.ro/2014/pluginfile.php/13369/mod_resource/content/2/sasc_curs6.pdf | + | |
| </note> | </note> | ||
| + | ==== Exercise 2 - Determining Prefix size ==== | ||
| + | We give some chosen plaintext of increasing length to the oracle. When we detect a block that does not change with the addition of one more byte of chosen plaintext, this means this block only contains prefix and chosen plaintext. Eg: | ||
| + | <code> | ||
| + | RRTT TT | ||
| + | RRXT TTT | ||
| + | RRXX TTTT | ||
| + | RRXX XTTT T *detected that first block did not change* | ||
| + | RRXT TTT | ||
| + | </code> | ||
| + | Using R to denote the random prefix, X for the input we would give to the oracle (hereafter called the chosen plaintext) and T for target. | ||
| - | ==== Your task ==== | + | Now we know the pad length required to align the target to blocks. |
| - | + | ||
| - | You are given the following ciphertext: | + | |
| - | 553b43d4b821332868fece8149eea14a2b0a98c7bed43cc1cf75f4e778cb315dc1d92 | + | |
| - | 8d0340e0aab4900ca8af9adaee761e2affa3e9996d81483e950b913492b | + | |
| - | + | ||
| - | + | ||
| - | and a padding oracle (see the method "check_cbcpad" below), which knows the key that was used to encrypt the ciphertext and which will answer 1 if the padding of the ciphertext is correct and 0 otherwise. | + | |
| - | + | ||
| - | Your task is to decrypt the message by using the CBC-padding attack. | + | |
| <note tip> | <note tip> | ||
| - | You are not allowed to use the key from the file, but you can (and you may have to) use the IV in order to decrypt the entire message. | + | We also know that (prefix + pad - 1) % block_size = 0 |
| </note> | </note> | ||
| - | Here is a starting python script, which contains your padding oracle: | + | <note important> |
| + | What happens if the prefix is longer than the block size? | ||
| + | </note> | ||
| + | |||
| + | ==== Exercise 3 - ECB Byte at a Time Attack ==== | ||
| + | Suppose we have a block cipher that takes a 16 byte plaintext and produces a 16 byte ciphertext. We use this block cipher to encrypt two blocks worth of unknown data, call them m1 and m2. Additionally we are allowed to prepend some data to these two blocks, let's call it m0 (we control this data). | ||
| + | Note that in this scheme nothing prevents us from choosing an m0 that is 16 bytes long. This means we effectively have an encryption oracle for a full block, since the first block returned in this case would be Enc(m0) if ECB mode is being used. This means we can get the encryption of arbitrary blocks of data, which will come in handy. | ||
| + | We can set m0 equal to 15 known bytes, and if we have an encryption oracle we can brute force the last byte: | ||
| <code> | <code> | ||
| - | import sys | + | Block 1 Block 2 Block 3 |
| - | import random | + | |RRXXXXXXXXXXXXX?|?......?|?......?| |
| - | import string | + | |----known----||--m1---| |
| - | import time | + | |
| - | from Crypto.Cipher import AES | + | |
| - | + | ||
| - | IV = 'Hristos a inviat' | + | |
| - | + | ||
| - | def strxor(a, b): # xor two strings (trims the longer input) | + | |
| - | return "".join([chr(ord(x) ^ ord(y)) for (x, y) in zip(a, b)]) | + | |
| - | + | ||
| - | def hexxor(a, b): # xor two hex strings (trims the longer input) | + | |
| - | ha = a.decode('hex') | + | |
| - | hb = b.decode('hex') | + | |
| - | return "".join([chr(ord(x) ^ ord(y)).encode('hex') for (x, y) in zip(ha, hb)]) | + | |
| - | + | ||
| - | def bitxor(a, b): # xor two bit strings (trims the longer input) | + | |
| - | return "".join([str(int(x)^int(y)) for (x, y) in zip(a, b)]) | + | |
| - | + | ||
| - | def str2bin(ss): | + | |
| - | """ | + | |
| - | Transform a string (e.g. 'Hello') into a string of bits | + | |
| - | """ | + | |
| - | bs = '' | + | |
| - | for c in ss: | + | |
| - | bs = bs + bin(ord(c))[2:].zfill(8) | + | |
| - | return bs | + | |
| - | + | ||
| - | def str2int(ss): | + | |
| - | """ | + | |
| - | Transform a string (e.g. 'Hello') into a (long) integer by converting | + | |
| - | first to a bistream | + | |
| - | """ | + | |
| - | bs = str2bin(ss) | + | |
| - | li = int(bs, 2) | + | |
| - | return li | + | |
| - | + | ||
| - | def hex2bin(hs): | + | |
| - | """ | + | |
| - | Transform a hex string (e.g. 'a2') into a string of bits (e.g.10100010) | + | |
| - | """ | + | |
| - | bs = '' | + | |
| - | for c in hs: | + | |
| - | bs = bs + bin(int(c,16))[2:].zfill(4) | + | |
| - | return bs | + | |
| - | + | ||
| - | def bin2hex(bs): | + | |
| - | """ | + | |
| - | Transform a bit string into a hex string | + | |
| - | """ | + | |
| - | bv = int(bs,2) | + | |
| - | return int2hexstring(bv) | + | |
| - | + | ||
| - | def byte2bin(bval): | + | |
| - | """ | + | |
| - | Transform a byte (8-bit) value into a bitstring | + | |
| - | """ | + | |
| - | return bin(bval)[2:].zfill(8) | + | |
| - | + | ||
| - | def int2hexstring(bval): | + | |
| - | """ | + | |
| - | Transform an int value into a hexstring (even number of characters) | + | |
| - | """ | + | |
| - | hs = hex(bval)[2:] | + | |
| - | lh = len(hs) | + | |
| - | return hs.zfill(lh + lh%2) | + | |
| - | + | ||
| - | def check_cbcpad(c): | + | |
| - | """ | + | |
| - | Oracle for checking if a given ciphertext has correct CBC-padding. | + | |
| - | That is, it checks that the last n bytes all have the value n. | + | |
| - | + | ||
| - | Args: | + | |
| - | c is the ciphertext to be checked. Note: the key is supposed to be | + | |
| - | known just by the oracle. | + | |
| - | + | ||
| - | Return 1 if the pad is correct, 0 otherwise. | + | |
| - | """ | + | |
| - | ko = 'Sfantul Gheorghe' | + | |
| - | m = aes_dec_cbc(ko, c, IV) | + | |
| - | lm = len(m) | + | |
| - | lb = ord(m[lm-1]) | + | |
| - | + | ||
| - | if lb > lm: | + | |
| - | return 0 | + | |
| - | + | ||
| - | for k in range(lb): | + | |
| - | if ord(m[lm-1-k]) != lb: | + | |
| - | return 0 | + | |
| - | + | ||
| - | return 1 | + | |
| - | + | ||
| - | def aes_enc(k, m): | + | |
| - | """ | + | |
| - | Encrypt a message m with a key k in ECB mode using AES as follows: | + | |
| - | c = AES(k, m) | + | |
| - | + | ||
| - | Args: | + | |
| - | m should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...') | + | |
| - | k should be a bytestring of length exactly 16 bytes. | + | |
| - | + | ||
| - | Return: | + | |
| - | The bytestring ciphertext c | + | |
| - | """ | + | |
| - | aes = AES.new(k) | + | |
| - | c = aes.encrypt(m) | + | |
| - | + | ||
| - | return c | + | |
| - | + | ||
| - | def aes_dec(k, c): | + | |
| - | """ | + | |
| - | Decrypt a ciphertext c with a key k in ECB mode using AES as follows: | + | |
| - | m = AES(k, c) | + | |
| - | + | ||
| - | Args: | + | |
| - | c should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...') | + | |
| - | k should be a bytestring of length exactly 16 bytes. | + | |
| - | + | ||
| - | Return: | + | |
| - | The bytestring message m | + | |
| - | """ | + | |
| - | aes = AES.new(k) | + | |
| - | m = aes.decrypt(c) | + | |
| - | + | ||
| - | return m | + | |
| - | + | ||
| - | def aes_enc_cbc(k, m, iv): | + | |
| - | """ | + | |
| - | Encrypt a message m with a key k in CBC mode using AES as follows: | + | |
| - | c = AES(k, m) | + | |
| - | + | ||
| - | Args: | + | |
| - | m should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...') | + | |
| - | k should be a bytestring of length exactly 16 bytes. | + | |
| - | iv should be a bytestring of length exactly 16 bytes. | + | |
| - | + | ||
| - | Return: | + | |
| - | The bytestring ciphertext c | + | |
| - | """ | + | |
| - | aes = AES.new(k, AES.MODE_CBC, iv) | + | |
| - | c = aes.encrypt(m) | + | |
| - | + | ||
| - | return c | + | |
| - | + | ||
| - | def aes_dec_cbc(k, c, iv): | + | |
| - | """ | + | |
| - | Decrypt a ciphertext c with a key k in CBC mode using AES as follows: | + | |
| - | m = AES(k, c) | + | |
| - | + | ||
| - | Args: | + | |
| - | c should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...') | + | |
| - | k should be a bytestring of length exactly 16 bytes. | + | |
| - | iv should be a bytestring of length exactly 16 bytes. | + | |
| - | + | ||
| - | Return: | + | |
| - | The bytestring message m | + | |
| - | """ | + | |
| - | aes = AES.new(k, AES.MODE_CBC, iv) | + | |
| - | m = aes.decrypt(c) | + | |
| - | + | ||
| - | return m | + | |
| - | + | ||
| - | def main(): | + | |
| - | + | ||
| - | # Find the message corresponding to this ciphertext by using the cbc-padding attack | + | |
| - | c = '553b43d4b821332868fece8149eea14a2b0a98c7bed43cc1cf75f4e778cb315dc1d928d0340e0aab4900ca8af9adaee761e2affa3e9996d81483e950b913492b' | + | |
| - | ct = c.decode('hex') | + | |
| - | + | ||
| - | #Check correct padding | + | |
| - | print 'Oracle check of pad = ' + str(check_cbcpad(ct)) | + | |
| - | + | ||
| - | # TODO: implement the CBC-padding attack to find the message corresponding to the above ciphertext | + | |
| - | # Note: you cannot use the key known by the oracle | + | |
| - | # You can use the known IV in order to recover the full message | + | |
| - | + | ||
| - | + | ||
| - | if __name__ == "__main__": | + | |
| - | main() | + | |
| </code> | </code> | ||
| - | + | We just have to send all 256 possible guesses for Block 1 to the encryption oracle and see which one matches the output. Let's say we get a match on the byte encoding "w". We then repeat the process with a one byte shorter m0 to get the next byte in the same fashion: | |
| - | The solution is {{:ic:laboratoare:lab6_sol.zip|here}}. | + | <code> |
| + | Block 1 Block 2 Block 3 | ||
| + | |RRXXXXXXXXXXXXw?|?......?|?......?| | ||
| + | |----known----| | ||
| + | </code> | ||
| + | We can repeat this process for each byte until we have the whole first block m1, which let's say is "we attack at daw". Unfortunately at this point we can't reduce m0 by any more bytes since m0 would be 0 bytes and we would simply get: | ||
| + | <code> | ||
| + | M1 M2 | ||
| + | |we attack at daw|?......?| | ||
| + | |----known-----| | ||
| + | </code> | ||
| + | But we since we now know all of m1 we can use the sort of attack we used to recover the first byte of m1 to recover the first byte of m2. Suppose we again choose m0 to be of length 15 bytes: | ||
| + | <code> | ||
| + | Block 1 Block 2 Block 3 | ||
| + | |RRXXXXXXXXXXXXXw|e attack at daw?|?......?| | ||
| + | |------------known-------------| | ||
| + | </code> | ||
| + | There's only one unknown byte in Block 2 so all we have to do is again submit all 256 guesses to the encryption oracle, except this time for Block 2 instead of Block 1! This process can be repeated to decrypt an arbitrary amount of ciphertext that is ECB encrypted as long as we can prepend data to the plaintext and have access to an encryption oracle. | ||
