Differences
This shows you the differences between two versions of the page.
|
ic:res:tema1 [2016/11/07 20:18] veronica.velciu created |
ic:res:tema1 [2019/11/07 23:19] (current) romeo.horeanga |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ===== Homework 1 ===== | + | <hidden> |
| + | ===== Homework - BEAST Attack on TLS ===== | ||
| - | Let us see what goes wrong when a stream cipher key is used more than once. Below are eleven hexencoded ciphertexts that are the result of encrypting eleven plaintexts with a stream cipher, all with the same stream cipher key. Your goal is to decrypt the last ciphertext, and submit the secret message within it as solution. | + | ==== Cipher Block Chaining (CBC) ==== |
| - | Hint: XOR the ciphertexts together, and consider what happens when a space is XORed with a character in [a-zA-Z]. | + | SSLv3/TLS1.0 are protocols to encrypt/decrypt and secure your data. In our case, they both use the CBC cipher mode chaining. The plaintext is divided into block regarding the encryption algorithm (AES, DES, 3DES) and the length is a multiple of 8 or 16. If the plaintext does not fill the length, a [[https://en.wikipedia.org/wiki/Padding_(cryptography)#PKCS7|padding]] is added at the end to complete the missing space. |
| + | In CBC mode, each block of plaintext is XORed with the previous ciphertext block before being encrypted. This way, each ciphertext block depends on all plaintext blocks processed up to that point. | ||
| - | ciphertext #1: | + | C[i] = Ek(P[i] XOR C[i-1]), C[0] = IV |
| - | 315c4eeaa8b5f8aaf9174145bf43e1784b8fa00dc71d885a804e5ee9fa40b16349c146fb778cdf2d3aff021dfff5b403b5 10d0d0455468aeb98622b137dae857553ccd8883a7bc37520e06e515d22c954eba5025b8cc57ee59418ce7dc6bc4 1556bdb36bbca3e8774301fbcaa3b83b220809560987815f65286764703de0f3d524400a19b159610b11ef3e | + | P[i] = Dk(C[i]) XOR C[i-1], P[0] = IV |
| - | ciphertext #2: | + | To make each message unique, an initialization vector must be used in the first block. When encrypting with CBC mode, the Initialization Vector (IV) is: |
| + | * Random | ||
| + | * Unpredictable | ||
| + | * Not secret | ||
| - | 234c02ecbbfbafa3ed18510abd11fa724fcda2018a1a8342cf064bbde548b12b07df44ba7191d9606ef4081ffde5ad46 a5069d9f7f543bedb9c861bf29c7e205132eda9382b0bc2c5c4b45f919cf3a9f1cb74151f6d551f4480c82b2cb24cc5b0 28aa76eb7b4ab24171ab3cdadb8356f | + | {{:ac:laboratoare:601px-CBC_encryption.svg.png?450|CBC encryption}} |
| + | {{:ac:laboratoare:601px-CBC_decryption.svg.png?450|CBC decryption}} | ||
| - | ciphertext #3: | + | ==== BEAST Attack ==== |
| - | 32510ba9a7b2bba9b8005d43a304b5714cc0bb0c8a34884dd91304b8ad40b62b07df44ba6e9d8a2368e51d04e0e7 b207b70b9b8261112bacb6c866a232dfe257527dc29398f5f3251a0d47e503c66e935de81230b59b7afb5f41afa8d661cb | + | In TLS1.0 and SSLv3 the first IV of the request is random, fine. But to gain some time and not generate a new random IV every time, the implementation of TLS1.0 and SSLv3 used the last block of the previous cipher text has an IV. In other words, the IV is now guessable. We will assume the length of each block will be 16 (AES) and the attacker can set up a MITM to retrieve all the ciphertext. Additionally, the attacker can inject malicious code in the victim's browser and can use a socket to send data in the name of the client. This is called a [[https://en.wikipedia.org/wiki/Chosen-plaintext_attack|Chosen plaintext attack]] and can be seen below. Original description: [[http://nerdoholic.org/uploads/dergln/beast_part2/ssl_jun21.pdf|BEAST paper 2011]]. |
| + | {{ :ac:laboratoare:beast_attack.png?500 |BEAST Attack}} | ||
| - | ciphertext #4: | + | In this attack we assume the client is using a secret COOKIE to authenticate to the server and the attacker would like to |
| + | obtain this COOKIE. Furthermore, we assume that the attacker can force the client (via the malicious script) to send an encryption of any message followed by the secret COOKIE (this would be a response to a server request). | ||
| - | 32510ba9aab2a8a4fd06414fb517b5605cc0aa0dc91a8908c2064ba8ad5ea06a029056f47a8ad3306ef5021eafe1ac 01a81197847a5c68a1b78769a37bc8f4575432c198ccb4ef63590256e305cd3a9544ee4160ead45aef520489e7da7d 835402bca670bda8eb775200b8dabbba246b130f040d8ec6447e2c767f3d30ed81ea2e4c1404e1315a1010e7229be6636aaa | + | Let's say that we want to find the first character of the COOKIE, we will instruct the victim to encrypt the following message: 'B'*15 + COOKIE. Remember that the block length is 16 bytes, therefore the first block of the message will be 'BBBBBBBBBBBBBBB?' (let's call it m1). |
| - | ciphertext #5: | + | Because this is the first request, the IV will be random. Observing the ciphertext we can extract two informations: 'Ek(m1 XOR IV)' and 'F[-16:]' will be the IV for the second request. |
| - | 3f561ba9adb4b6ebec54424ba317b564418fac0dd35f8c08d31a1fe9e24fe56808c213f17c81d9607cee021dafe1e001 b21ade877a5e68bea88d61b93ac5ee0d562e8e9582f5ef375f0a4ae20ed86e935de81230b59b73fb4302cd95d770c6 5b40aaa065f2a5e33a5a0bb5dcaba43722130f042f8ec85b7c2070 | + | For the second request we know what the IV will be. Let's send the same message as in the first request. We will get: Ek(m1 XOR F[-16:0]) as the first block. Last block of the ciphertext ('S[-16:]') will be the next IV. |
| - | ciphertext #6: | + | For the third request, we will craft a special block P = m_guess XOR F[-16:] XOR S[-16:0], where m_guess is 'B'*15 + our guess for the first character of the cookie. Try to find what the first block of the third ciphertext should look like. Use the technique to find the entire secret cookie. |
| - | 32510bfbacfbb9befd54415da243e1695ecabd58c519cd4bd2061bbde24eb76a19d84aba34d8de287be84d07e7e9a 30ee714979c7e1123a8bd9822a33ecaf512472e8e8f8db3f9635c1949e640c621854eba0d79eccf52ff111284b4cc61 d11902aebc66f2b2e436434eacc0aba938220b084800c2ca4e693522643573b2c4ce35050b0cf774201f0fe52ac9f26 d71b6cf61a711cc229f77ace7aa88a2f19983122b11be87a59c355d25f8e4 | + | <code python 'beast_attack.py'> |
| + | #!/usr/bin/env python | ||
| + | # -*- coding: utf-8 -*- | ||
| - | ciphertext #7: | + | ''' |
| + | TLS BEAST attack - PoC | ||
| + | Implementation of the cryptographic path behind the attack | ||
| + | ''' | ||
| - | 32510bfbacfbb9befd54415da243e1695ecabd58c519cd4bd90f1fa6ea5ba47b01c909ba7696cf606ef40c04afe1ac0a a8148dd066592ded9f8774b529c7ea125d298e8883f5e9305f4b44f915cb2bd05af51373fd9b4af511039fa2d96f8341 4aaaf261bda2e97b170fb5cce2a53e675c154c0d9681596934777e2275b381ce2e40582afe67650b13e72287ff2270 abcf73bb028932836fbdecfecee0a3b894473c1bbeb6b4913a536ce4f9b13f1efff71ea313c8661dd9a4ce | + | import random |
| + | import binascii | ||
| + | import sys | ||
| + | from Crypto.Cipher import AES | ||
| + | from Crypto import Random | ||
| - | ciphertext #8: | + | SECRET_COOKIE = "ID=3ef729ccf0cc5" |
| - | 315c4eeaa8b5f8bffd11155ea506b56041c6a00c8a08854dd21a4bbde54ce56801d943ba708b8a3574f40c00fff9e00f a1439fd0654327a3bfc860b92f89ee04132ecb9298f5fd2d5e4b45e40ecc3b9d59e9417df7c95bba410e9aa2ca24c54 74da2f276baa3ac325918b2daada43d6712150441c2e04f6565517f317da9d3 | + | """ |
| + | AES-CBC | ||
| + | function encrypt, decrypt, pad, unpad | ||
| + | You can fix the IV in the function encrypt() because TLS 1.0 fix the IV | ||
| + | for the second, third... request (to gain time) | ||
| + | """ | ||
| + | def pad(s): | ||
| + | return s + (16 - len(s) % 16) * chr(16 - len(s) % 16) | ||
| - | ciphertext #9: | + | def unpad(s): |
| + | return s[:-ord(s[len(s)-1:])] | ||
| - | 271946f9bbb2aeadec111841a81abc300ecaa01bd8069d5cc91005e9fe4aad6e04d513e96d99de2569bc5e50eeeca 709b50a8a987f4264edb6896fb537d0a716132ddc938fb0f836480e06ed0fcd6e9759f40462f9cf57f4564186a2c1778f 1543efa270bda5e933421cbe88a4a52222190f471e9bd15f652b653b7071aec59a2705081ffe72651d08f822c9ed6d7 | + | # we admit the handshake produce a secret key for the session |
| - | 6e48b63ab15d0208573a7eef027 | + | # we can use this function without having access to the secret key |
| + | def encrypt( msg, iv_p=None): | ||
| + | raw = pad(msg + SECRET_COOKIE) # SECRET_COOKIE is always appended | ||
| + | if iv_p is None: | ||
| + | iv = Random.new().read( AES.block_size ) | ||
| + | else: | ||
| + | iv = iv_p | ||
| + | global key | ||
| + | key = Random.new().read( AES.block_size ) | ||
| + | cipher = AES.new('V38lKILOJmtpQMHp', AES.MODE_CBC, iv ) | ||
| + | return cipher.encrypt( raw ) | ||
| - | ciphertext #10: | + | """ |
| + | The PoC of BEAST attack - | ||
| + | Implementation of the cryptographic path behind the attack | ||
| + | - the attacker can retrieve the request send be the client | ||
| + | - but also make the client send requests with the plain text of his choice | ||
| + | """ | ||
| + | def xor_strings(xs, ys, zs): | ||
| + | return "".join(chr(ord(x) ^ ord(y) ^ ord(z)) for x, y, z in zip(xs, ys, zs)) | ||
| - | 466d06ece998b7a2fb1d464fed2ced7641ddaa3cc31c9941cf110abbf409ed39598005b3399ccfafb61d0315fca0a314 be138a9f32503bedac8067f03adbf3575c3b8edc9ba7f537530541ab0f9f3cd04ff50d66f1d559ba520e89a2cb2a83 | + | def xor_block(vector_init, previous_cipher, p_guess): |
| + | xored = xor_strings(vector_init, previous_cipher, p_guess) | ||
| + | return xored | ||
| - | target ciphertext (decrypt this one): | + | def split_len(seq, length): |
| + | return [seq[i:i+length] for i in range(0, len(seq), length)] | ||
| - | 32510ba9babebbbefd001547a810e67149caee11d945cd7fc81a05e9f85aac650e9052ba6a8cd8257bf14d13e6f0a8 03b54fde9e77472dbff89d71b57bddef121336cb85ccb8f3315f4b52e301d16e9f52f904 | ||
| - | <note tip>The ciphertexts were generated with a script like this</note> | + | # the PoC start here |
| - | <code> | + | def run_three_request(): |
| - | import sys | + | secret = [] |
| + | fixed_known = "ID=" | ||
| - | MSGS=(--- 11secretmessages ---) | + | # the part of the request the atacker knows, can be null |
| + | known_so_far = fixed_known | ||
| - | def strxor(a, b): # xor two strings (trims the longer input) | + | # padding is the length we need to add to known_so_far to create a length of 15 bytes |
| - | return "".join([chr(ord(x) ^ ord(y)) for (x, y) in zip(a, b)]) | + | padding = 16 - len(known_so_far) - 1 |
| - | + | known_so_far = "a"*padding + known_so_far | |
| - | def random(size=16): | + | length_block = 16 |
| - | return open("/dev/urandom").read(size) | + | secret_length = len(SECRET_COOKIE) |
| - | def encrypt(key, msg): | + | """ |
| - | c = strxor(key, msg) | + | TODO: |
| - | + | while not found entire cookie: | |
| - | print c.encode('hex') | + | for i in range(256): |
| - | return c | + | # send first request |
| + | # send second request | ||
| + | # send third request | ||
| - | def main(): | + | if success: |
| - | key = random(1024) | + | # update findings |
| - | ciphertexts = [encrypt(key, msg) for msg in MSGS] | + | # go to next step |
| + | |||
| + | for sending requests use encrypt(chosen_plaintext, iv), keep in mind that SECRET_COOKIE is always appended | ||
| + | first request should use iv=None to generate a fresh one, next ones should set the iv according to the protocol | ||
| + | """ | ||
| + | |||
| + | return secret | ||
| + | |||
| + | |||
| + | # the attacker doesn't know the flag | ||
| + | secret = run_three_request() | ||
| + | |||
| + | found = ''.join(secret) | ||
| + | print "\n" + found | ||
| </code> | </code> | ||
| + | </hidden> | ||
| + | ===== Homework - AES Byte at a Time ECB Decryption ===== | ||
| - | <note tip>You may use the following Python code as a starting point</note> | + | ==== AES ECB ==== |
| - | <code> | + | The simplest of the encryption modes is the Electronic Codebook (ECB) mode (named after conventional physical codebooks[10]). The message is divided into blocks, and each block is encrypted separately. |
| - | import sys | + | |
| - | import random | + | |
| - | import string | + | |
| - | import operator | + | |
| - | MSGS = ( | + | {{https://upload.wikimedia.org/wikipedia/commons/thumb/d/d6/ECB_encryption.svg/902px-ECB_encryption.svg.png?450|CBC encryption}} |
| - | '315c4eeaa8b5f8aaf9174145bf43e1784b8fa00dc71d885a804e5ee9fa40b16349c146fb778cdf2d3aff021dfff5b403b510d0d0455468aeb98622b137dae857553ccd8883a7bc37520e06e515d22c954eba5025b8cc57ee59418ce7dc6bc41556bdb36bbca3e8774301fbcaa3b83b220809560987815f65286764703de0f3d524400a19b159610b11ef3e', | + | {{https://upload.wikimedia.org/wikipedia/commons/thumb/e/e6/ECB_decryption.svg/902px-ECB_decryption.svg.png?450|CBC decryption}} |
| - | '234c02ecbbfbafa3ed18510abd11fa724fcda2018a1a8342cf064bbde548b12b07df44ba7191d9606ef4081ffde5ad46a5069d9f7f543bedb9c861bf29c7e205132eda9382b0bc2c5c4b45f919cf3a9f1cb74151f6d551f4480c82b2cb24cc5b028aa76eb7b4ab24171ab3cdadb8356f', | + | |
| - | '32510ba9a7b2bba9b8005d43a304b5714cc0bb0c8a34884dd91304b8ad40b62b07df44ba6e9d8a2368e51d04e0e7b207b70b9b8261112bacb6c866a232dfe257527dc29398f5f3251a0d47e503c66e935de81230b59b7afb5f41afa8d661cb', | + | |
| - | '32510ba9aab2a8a4fd06414fb517b5605cc0aa0dc91a8908c2064ba8ad5ea06a029056f47a8ad3306ef5021eafe1ac01a81197847a5c68a1b78769a37bc8f4575432c198ccb4ef63590256e305cd3a9544ee4160ead45aef520489e7da7d835402bca670bda8eb775200b8dabbba246b130f040d8ec6447e2c767f3d30ed81ea2e4c1404e1315a1010e7229be6636aaa', | + | |
| - | '3f561ba9adb4b6ebec54424ba317b564418fac0dd35f8c08d31a1fe9e24fe56808c213f17c81d9607cee021dafe1e001b21ade877a5e68bea88d61b93ac5ee0d562e8e9582f5ef375f0a4ae20ed86e935de81230b59b73fb4302cd95d770c65b40aaa065f2a5e33a5a0bb5dcaba43722130f042f8ec85b7c2070', | + | |
| - | '32510bfbacfbb9befd54415da243e1695ecabd58c519cd4bd2061bbde24eb76a19d84aba34d8de287be84d07e7e9a30ee714979c7e1123a8bd9822a33ecaf512472e8e8f8db3f9635c1949e640c621854eba0d79eccf52ff111284b4cc61d11902aebc66f2b2e436434eacc0aba938220b084800c2ca4e693522643573b2c4ce35050b0cf774201f0fe52ac9f26d71b6cf61a711cc229f77ace7aa88a2f19983122b11be87a59c355d25f8e4', | + | |
| - | '32510bfbacfbb9befd54415da243e1695ecabd58c519cd4bd90f1fa6ea5ba47b01c909ba7696cf606ef40c04afe1ac0aa8148dd066592ded9f8774b529c7ea125d298e8883f5e9305f4b44f915cb2bd05af51373fd9b4af511039fa2d96f83414aaaf261bda2e97b170fb5cce2a53e675c154c0d9681596934777e2275b381ce2e40582afe67650b13e72287ff2270abcf73bb028932836fbdecfecee0a3b894473c1bbeb6b4913a536ce4f9b13f1efff71ea313c8661dd9a4ce', | + | |
| - | '315c4eeaa8b5f8bffd11155ea506b56041c6a00c8a08854dd21a4bbde54ce56801d943ba708b8a3574f40c00fff9e00fa1439fd0654327a3bfc860b92f89ee04132ecb9298f5fd2d5e4b45e40ecc3b9d59e9417df7c95bba410e9aa2ca24c5474da2f276baa3ac325918b2daada43d6712150441c2e04f6565517f317da9d3', | + | |
| - | '271946f9bbb2aeadec111841a81abc300ecaa01bd8069d5cc91005e9fe4aad6e04d513e96d99de2569bc5e50eeeca709b50a8a987f4264edb6896fb537d0a716132ddc938fb0f836480e06ed0fcd6e9759f40462f9cf57f4564186a2c1778f1543efa270bda5e933421cbe88a4a52222190f471e9bd15f652b653b7071aec59a2705081ffe72651d08f822c9ed6d76e48b63ab15d0208573a7eef027', | + | |
| - | '466d06ece998b7a2fb1d464fed2ced7641ddaa3cc31c9941cf110abbf409ed39598005b3399ccfafb61d0315fca0a314be138a9f32503bedac8067f03adbf3575c3b8edc9ba7f537530541ab0f9f3cd04ff50d66f1d559ba520e89a2cb2a83' | + | |
| - | ) | + | |
| - | TARGET = '32510ba9babebbbefd001547a810e67149caee11d945cd7fc81a05e9f85aac650e9052ba6a8cd8257bf14d13e6f0a803b54fde9e77472dbff89d71b57bddef121336cb85ccb8f3315f4b52e301d16e9f52f904' | + | |
| - | def strxor(a, b): # xor two strings (trims the longer input) | + | Since each block of plaintext is encrypted with the key independently, identical blocks of plaintext will yield identical blocks of ciphertext. |
| - | return "".join([chr(ord(x) ^ ord(y)) for (x, y) in zip(a, b)]) | + | Lots of people know that when you encrypt something in ECB mode, you can see penguins through it. |
| - | def hexxor(a, b): # xor two hex strings (trims the longer input) | + | The vulnerability happens when: |
| - | ha = a.decode('hex') | + | - You send an INPUT to the server. |
| - | hb = b.decode('hex') | + | - The server appends secret to INPUT -> INPUT||secret |
| - | return "".join([chr(ord(x) ^ ord(y)).encode('hex') for (x, y) in zip(ha, hb)]) | + | - The server encrypts it with a secret key and a prefix -> AES-128-ECB(random-prefix || attacker-controlled || target-bytes, random-key) |
| + | - The server returns | ||
| - | def main(): | + | ==== Byte-at-a-time ECB decryption ==== |
| - | # do something here | + | * Determining Block Size |
| - | print 'Hello' | + | The first step in attacking a block-based cipher is to determine the size of the block. |
| + | Feed identical bytes of your-string to the function 1 at a time - start with 1 byte ("A"), then "AA", then "AAA" and so on. Discover the block size of the cipher. You know it, but do this step anyway. | ||
| - | if __name__ == "__main__": | + | * Determining Prefix size |
| - | main() | + | We give some chosen plaintext of increasing length to the oracle. When we detect a block that does not change with the addition of one more byte of chosen plaintext, this means this block only contains prefix and chosen plaintext. Eg: |
| - | | + | <code> |
| + | RRTT TT | ||
| + | RRXT TTT | ||
| + | RRXX TTTT | ||
| + | RRXX XTTT T *detected that first block did not change* | ||
| + | RRXT TTT | ||
| </code> | </code> | ||
| + | Using R to denote the random prefix, X for the input we would give to the oracle (hereafter called the chosen plaintext) and T for target. | ||
| + | * ECB Byte at a Time Attack | ||
| + | |||
| + | Suppose we have a block cipher that takes a 16 byte plaintext and produces a 16 byte ciphertext. We use this block cipher to encrypt two blocks worth of unknown data, call them m1 and m2. Additionally we are allowed to prepend some data to these two blocks, let's call it m0 (we control this data). | ||
| + | Note that in this scheme nothing prevents us from choosing an m0 that is 16 bytes long. This means we effectively have an encryption oracle for a full block, since the first block returned in this case would be Enc(m0) if ECB mode is being used. This means we can get the encryption of arbitrary blocks of data, which will come in handy. | ||
| + | We can set m0 equal to 15 known bytes, and if we have an encryption oracle we can brute force the last byte: | ||
| + | <code> | ||
| + | Block 1 Block 2 Block 3 | ||
| + | |RRXXXXXXXXXXXXX?|?......?|?......?| | ||
| + | |----known----||--m1---| | ||
| + | </code> | ||
| + | We just have to send all 256 possible guesses for Block 1 to the encryption oracle and see which one matches the output. Let's say we get a match on the byte encoding "w". We then repeat the process with a one byte shorter m0 to get the next byte in the same fashion: | ||
| + | <code> | ||
| + | Block 1 Block 2 Block 3 | ||
| + | |RRXXXXXXXXXXXXw?|?......?|?......?| | ||
| + | |----known----| | ||
| + | </code> | ||
| + | We can repeat this process for each byte until we have the whole first block m1, which let's say is "we attack at daw". Unfortunately at this point we can't reduce m0 by any more bytes since m0 would be 0 bytes and we would simply get: | ||
| + | <code> | ||
| + | M1 M2 | ||
| + | |we attack at daw|?......?| | ||
| + | |----known-----| | ||
| + | </code> | ||
| + | But we since we now know all of m1 we can use the sort of attack we used to recover the first byte of m1 to recover the first byte of m2. Suppose we again choose m0 to be of length 15 bytes: | ||
| + | <code> | ||
| + | Block 1 Block 2 Block 3 | ||
| + | |RRXXXXXXXXXXXXXw|e attack at daw?|?......?| | ||
| + | |------------known-------------| | ||
| + | </code> | ||
| + | There's only one unknown byte in Block 2 so all we have to do is again submit all 256 guesses to the encryption oracle, except this time for Block 2 instead of Block 1! This process can be repeated to decrypt an arbitrary amount of ciphertext that is ECB encrypted as long as we can prepend data to the plaintext and have access to an encryption oracle. | ||
| + | |||
| + | <code python 'AES_ECB_ByteAtATime.py'> | ||
| + | import base64 | ||
| + | import os | ||
| + | from random import randint | ||
| + | from Crypto.Cipher import AES | ||
| + | |||
| + | from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes | ||
| + | from cryptography.hazmat.backends import default_backend | ||
| + | backend = default_backend() | ||
| + | |||
| + | from math import ceil | ||
| + | def split_bytes_in_blocks(x, blocksize): | ||
| + | nb_blocks = ceil(len(x)/blocksize) | ||
| + | return [x[blocksize*i:blocksize*(i+1)] for i in range(nb_blocks)] | ||
| + | |||
| + | def pkcs7_padding(message, block_size): | ||
| + | padding_length = block_size - ( len(message) % block_size ) | ||
| + | if padding_length == 0: | ||
| + | padding_length = block_size | ||
| + | padding = bytes([padding_length]) * padding_length | ||
| + | return message + padding | ||
| + | |||
| + | def pkcs7_strip(data): | ||
| + | padding_length = data[-1] | ||
| + | return data[:- padding_length] | ||
| + | |||
| + | def encrypt_aes_128_ecb(msg, key): | ||
| + | padded_msg = pkcs7_padding(msg, block_size=16) | ||
| + | cipher = Cipher(algorithms.AES(key), modes.ECB(), backend=backend) | ||
| + | encryptor = cipher.encryptor() | ||
| + | return encryptor.update(padded_msg) + encryptor.finalize() | ||
| + | |||
| + | def decrypt_aes_128_ecb(ctxt, key): | ||
| + | cipher = Cipher(algorithms.AES(key), modes.ECB(), backend=backend) | ||
| + | decryptor = cipher.decryptor() | ||
| + | decrypted_data = decryptor.update(ctxt) + decryptor.finalize() | ||
| + | message = pkcs7_strip(decrypted_data) | ||
| + | return message | ||
| + | |||
| + | # You are not suppose to see this | ||
| + | class Oracle: | ||
| + | def __init__(self): | ||
| + | self.key = 'Mambo NumberFive'.encode() | ||
| + | self.prefix = 'PREF'.encode() | ||
| + | self.target = base64.b64decode( #You are suppose to break this | ||
| + | "Q2xhcCB5b3VyIGhhbmQgb25jZSBhbmQgY2xhcCB5b3VyIGhhbmRzIHR3aWNlCkFuZCBpZiBpdCBsb29rcyBsaWtlIHRoaXMgdGhlbiB5b3UgZG9pbmcgaXQgcmlnaHQ=" | ||
| + | ) | ||
| + | def encrypt(self, message): | ||
| + | return encrypt_aes_128_ecb( | ||
| + | self.prefix + message + self.target, | ||
| + | self.key | ||
| + | ) | ||
| + | |||
| + | def findBlockSize(): | ||
| + | initialLength = len(Oracle().encrypt(b'')) | ||
| + | i = 0 | ||
| + | while 1: # Feed identical bytes of your-string to the function 1 at a time until you get the block length | ||
| + | #You will also need to determine here the size of fixed prefix + target + pad | ||
| + | #And the minimum size of the plaintext to make a new block | ||
| + | length = len(Oracle().encrypt(b'X'*i)) | ||
| + | i+=1 | ||
| + | |||
| + | return blockSize, sizeOfTheFixedPrefixPlusTarget, minimumSizeToAlighPlaintext | ||
| + | |||
| + | def findPrefixSize(block_size): | ||
| + | previous_blocks = None | ||
| + | #Find the situation where prefix_size + padding_size - 1 = block_size | ||
| + | ### Use split_bytes_in_blocks to get blocks of size(block_size) | ||
| + | |||
| + | return prefix_size | ||
| + | |||
| + | |||
| + | def recoverOneByteAtATime(blockSize, prefixSize, targetSize): | ||
| + | know_target_bytes = b"" | ||
| + | for _ in range(targetSize): | ||
| + | # r+p+k+1 = 0 mod B | ||
| + | r = prefixSize | ||
| + | k = len(know_target_bytes) | ||
| + | |||
| + | padding_length = (-k-1-r) % blockSize | ||
| + | padding = b"X" * padding_length | ||
| + | |||
| + | # target block plaintext contains only known characters except its last character | ||
| + | |||
| + | # trying every possibility for the last character | ||
| + | |||
| + | print(know_target_bytes.decode()) | ||
| + | |||
| + | #Find block size, prefix size, and length of plaintext size to allign blocks | ||
| + | blockSize, sizeOfTheFixedPrefixPlusTarget, minimumSizeToAlighPlaintext = findBlockSize(); | ||
| + | |||
| + | #Find size of the prefix | ||
| + | prefixSize = findPrefixSize(blockSize) | ||
| + | |||
| + | #Size of the target | ||
| + | targetSize = sizeOfTheFixedPrefixPlusTarget - minimumSizeToAlighPlaintext - prefixSize | ||
| + | |||
| + | recoverOneByteAtATime(blockSize, prefixSize, targetSize) | ||
| + | </code> | ||
