Show page

Differences

This shows you the differences between two versions of the page.

--- ic:laboratoare:06 [2020/09/26 18:51]
philip.dumitru Replaced lab06 with AES ECB attack
+++ ic:laboratoare:06 [2020/11/03 10:04] (current)
philip.dumitru
@@ Line 1: / Line 1: @@
-<hidden>
-===== Laboratorul 06 - CBC Padding Attack =====
-In this lab we'll try to implement the CBC-padding attack of Serge Vaudenay:
-http://link.springer.com/content/pdf/10.1007%2F3-540-46035-7_35.pdf
-See sections 3.1 to 3.3 of chapter 3 in the paper above.
-Another useful link:
-https://robertheaton.com/2013/07/29/padding-oracle-attack/
-==== About padding ====
-Given a message of length L bytes, we need to pad with b more bytes such that L+b is a multiple of the cipher's block size (e.g. 16 bytes in the case of AES). Each of the last b bytes will have the value b. For example, for a message that has 30 bytes, we shall add two bytes with the value 0x02 at the end, obtaining m = [b1 | b2 | .. | b30 | 0x02 | 0x02], where bi are the 30 original bytes.
-==== Attacking CBC-padding ====
-The idea in short is the following: given a 1-block ciphertext c = [c1 | c2 | ... | c16], you can find its last byte by crafting a 2-block ciphetext c' = [r | c], where r = [r1 | r2 | ... | r16] contains random bytes. Then, by using an oracle that tells you whether the padding of the decryption of c' is correct or not, you can determine the value of c16. For this you just try all possible values of r16, until for one of them you will find that the oracle returns a successful result (it will do that for one value). In that case, due to the workings of CBC, you found out that r16 ⊕ LSB(Dec(k, c)) = 1. Hence you find that the last byte of the decryption of c is r16 ⊕ 1.
-Once you found the last byte c16 of the decryption of c, you can work your way towards the following byte, c15. This time you need to target the two-byte padding [0x02 | 0x02]. For this you simply use for r16 the value LSB(Dec(k, c)) ⊕ 0x02, and try all values for r15 just as we did above for r16. In the same manner you can decrypt all the ciphertext blocks c1 ... c16.
-You can then repeat the above process for any ciphertext of arbitrary length. Simply apply the attack on all blocks.
-<note>
-During the attack on the last byte, you might actually find two values that
-return a correct pad. That means that one resulted in the expected last pad
-($0x16$), while the other //luckily// resulted in having the last two values
-($0x15|0x15$). You can easily detect which is which by changing the value of
-the one before the last byte and see if the pad still verifies.
-</note>
-<note tip>
-To obtain a message that was encrypted with CBC, you also need the initial value (IV) and then you need to apply CBC decryption using the values obtained above. Those are just intermediary values, and not the actual message.
-Check the course for details:
-http://cs.curs.pub.ro/2014/pluginfile.php/13369/mod_resource/content/2/sasc_curs6.pdf
-</note>
-==== Your task ====
-You are given the aciphertext and a padding oracle (see the method "check_cbcpad" below), which knows the key that was used to encrypt the ciphertext and which will answer 1 if the padding of the ciphertext is correct and 0 otherwise.
-Your task is to decrypt the message by using the CBC-padding attack.
-<note tip>
-You are not allowed to use the key from the file, but you can (and you may have to) use the IV in order to decrypt the entire message.
-</note>
-Here is an archive with the starting python script, which contains your padding oracle:
-{{:ic:laboratoare:lab6.zip|here}}
-</hidden>
-<hidden>The solution is {{:ic:laboratoare:sol_lab6.zip|here}}.</hidden>
 ===== Laboratorul 06 - AES Byte at a Time ECB Decryption =====

Administrativ

Cursuri

Laboratoare

Resurse

Teme

Tema 1 (2025)

ic/laboratoare/06.1601135518.txt.gz · Last modified: 2020/09/26 18:51 by philip.dumitru

Show page Old revisions

Media Manager Back to top