Differences
This shows you the differences between two versions of the page.
|
ic:res:tema1 [2018/11/21 12:41] tiberiu.iorgulescu |
ic:res:tema1 [2019/11/07 23:19] (current) romeo.horeanga |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | <hidden> | ||
| ===== Homework - BEAST Attack on TLS ===== | ===== Homework - BEAST Attack on TLS ===== | ||
| Line 23: | Line 24: | ||
| {{ :ac:laboratoare:beast_attack.png?500 |BEAST Attack}} | {{ :ac:laboratoare:beast_attack.png?500 |BEAST Attack}} | ||
| + | In this attack we assume the client is using a secret COOKIE to authenticate to the server and the attacker would like to | ||
| + | obtain this COOKIE. Furthermore, we assume that the attacker can force the client (via the malicious script) to send an encryption of any message followed by the secret COOKIE (this would be a response to a server request). | ||
| Let's say that we want to find the first character of the COOKIE, we will instruct the victim to encrypt the following message: 'B'*15 + COOKIE. Remember that the block length is 16 bytes, therefore the first block of the message will be 'BBBBBBBBBBBBBBB?' (let's call it m1). | Let's say that we want to find the first character of the COOKIE, we will instruct the victim to encrypt the following message: 'B'*15 + COOKIE. Remember that the block length is 16 bytes, therefore the first block of the message will be 'BBBBBBBBBBBBBBB?' (let's call it m1). | ||
| Line 125: | Line 128: | ||
| - | # the attacker don't know the flag | + | # the attacker doesn't know the flag |
| secret = run_three_request() | secret = run_three_request() | ||
| found = ''.join(secret) | found = ''.join(secret) | ||
| print "\n" + found | print "\n" + found | ||
| + | </code> | ||
| + | </hidden> | ||
| + | ===== Homework - AES Byte at a Time ECB Decryption ===== | ||
| + | |||
| + | ==== AES ECB ==== | ||
| + | The simplest of the encryption modes is the Electronic Codebook (ECB) mode (named after conventional physical codebooks[10]). The message is divided into blocks, and each block is encrypted separately. | ||
| + | |||
| + | {{https://upload.wikimedia.org/wikipedia/commons/thumb/d/d6/ECB_encryption.svg/902px-ECB_encryption.svg.png?450|CBC encryption}} | ||
| + | {{https://upload.wikimedia.org/wikipedia/commons/thumb/e/e6/ECB_decryption.svg/902px-ECB_decryption.svg.png?450|CBC decryption}} | ||
| + | |||
| + | Since each block of plaintext is encrypted with the key independently, identical blocks of plaintext will yield identical blocks of ciphertext. | ||
| + | Lots of people know that when you encrypt something in ECB mode, you can see penguins through it. | ||
| + | |||
| + | The vulnerability happens when: | ||
| + | - You send an INPUT to the server. | ||
| + | - The server appends secret to INPUT -> INPUT||secret | ||
| + | - The server encrypts it with a secret key and a prefix -> AES-128-ECB(random-prefix || attacker-controlled || target-bytes, random-key) | ||
| + | - The server returns | ||
| + | |||
| + | ==== Byte-at-a-time ECB decryption ==== | ||
| + | * Determining Block Size | ||
| + | The first step in attacking a block-based cipher is to determine the size of the block. | ||
| + | Feed identical bytes of your-string to the function 1 at a time - start with 1 byte ("A"), then "AA", then "AAA" and so on. Discover the block size of the cipher. You know it, but do this step anyway. | ||
| + | |||
| + | * Determining Prefix size | ||
| + | We give some chosen plaintext of increasing length to the oracle. When we detect a block that does not change with the addition of one more byte of chosen plaintext, this means this block only contains prefix and chosen plaintext. Eg: | ||
| + | <code> | ||
| + | RRTT TT | ||
| + | RRXT TTT | ||
| + | RRXX TTTT | ||
| + | RRXX XTTT T *detected that first block did not change* | ||
| + | RRXT TTT | ||
| + | </code> | ||
| + | Using R to denote the random prefix, X for the input we would give to the oracle (hereafter called the chosen plaintext) and T for target. | ||
| + | |||
| + | * ECB Byte at a Time Attack | ||
| + | |||
| + | Suppose we have a block cipher that takes a 16 byte plaintext and produces a 16 byte ciphertext. We use this block cipher to encrypt two blocks worth of unknown data, call them m1 and m2. Additionally we are allowed to prepend some data to these two blocks, let's call it m0 (we control this data). | ||
| + | Note that in this scheme nothing prevents us from choosing an m0 that is 16 bytes long. This means we effectively have an encryption oracle for a full block, since the first block returned in this case would be Enc(m0) if ECB mode is being used. This means we can get the encryption of arbitrary blocks of data, which will come in handy. | ||
| + | We can set m0 equal to 15 known bytes, and if we have an encryption oracle we can brute force the last byte: | ||
| + | <code> | ||
| + | Block 1 Block 2 Block 3 | ||
| + | |RRXXXXXXXXXXXXX?|?......?|?......?| | ||
| + | |----known----||--m1---| | ||
| + | </code> | ||
| + | We just have to send all 256 possible guesses for Block 1 to the encryption oracle and see which one matches the output. Let's say we get a match on the byte encoding "w". We then repeat the process with a one byte shorter m0 to get the next byte in the same fashion: | ||
| + | <code> | ||
| + | Block 1 Block 2 Block 3 | ||
| + | |RRXXXXXXXXXXXXw?|?......?|?......?| | ||
| + | |----known----| | ||
| + | </code> | ||
| + | We can repeat this process for each byte until we have the whole first block m1, which let's say is "we attack at daw". Unfortunately at this point we can't reduce m0 by any more bytes since m0 would be 0 bytes and we would simply get: | ||
| + | <code> | ||
| + | M1 M2 | ||
| + | |we attack at daw|?......?| | ||
| + | |----known-----| | ||
| + | </code> | ||
| + | But we since we now know all of m1 we can use the sort of attack we used to recover the first byte of m1 to recover the first byte of m2. Suppose we again choose m0 to be of length 15 bytes: | ||
| + | <code> | ||
| + | Block 1 Block 2 Block 3 | ||
| + | |RRXXXXXXXXXXXXXw|e attack at daw?|?......?| | ||
| + | |------------known-------------| | ||
| + | </code> | ||
| + | There's only one unknown byte in Block 2 so all we have to do is again submit all 256 guesses to the encryption oracle, except this time for Block 2 instead of Block 1! This process can be repeated to decrypt an arbitrary amount of ciphertext that is ECB encrypted as long as we can prepend data to the plaintext and have access to an encryption oracle. | ||
| + | |||
| + | <code python 'AES_ECB_ByteAtATime.py'> | ||
| + | import base64 | ||
| + | import os | ||
| + | from random import randint | ||
| + | from Crypto.Cipher import AES | ||
| + | |||
| + | from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes | ||
| + | from cryptography.hazmat.backends import default_backend | ||
| + | backend = default_backend() | ||
| + | |||
| + | from math import ceil | ||
| + | def split_bytes_in_blocks(x, blocksize): | ||
| + | nb_blocks = ceil(len(x)/blocksize) | ||
| + | return [x[blocksize*i:blocksize*(i+1)] for i in range(nb_blocks)] | ||
| + | |||
| + | def pkcs7_padding(message, block_size): | ||
| + | padding_length = block_size - ( len(message) % block_size ) | ||
| + | if padding_length == 0: | ||
| + | padding_length = block_size | ||
| + | padding = bytes([padding_length]) * padding_length | ||
| + | return message + padding | ||
| + | |||
| + | def pkcs7_strip(data): | ||
| + | padding_length = data[-1] | ||
| + | return data[:- padding_length] | ||
| + | |||
| + | def encrypt_aes_128_ecb(msg, key): | ||
| + | padded_msg = pkcs7_padding(msg, block_size=16) | ||
| + | cipher = Cipher(algorithms.AES(key), modes.ECB(), backend=backend) | ||
| + | encryptor = cipher.encryptor() | ||
| + | return encryptor.update(padded_msg) + encryptor.finalize() | ||
| + | |||
| + | def decrypt_aes_128_ecb(ctxt, key): | ||
| + | cipher = Cipher(algorithms.AES(key), modes.ECB(), backend=backend) | ||
| + | decryptor = cipher.decryptor() | ||
| + | decrypted_data = decryptor.update(ctxt) + decryptor.finalize() | ||
| + | message = pkcs7_strip(decrypted_data) | ||
| + | return message | ||
| + | |||
| + | # You are not suppose to see this | ||
| + | class Oracle: | ||
| + | def __init__(self): | ||
| + | self.key = 'Mambo NumberFive'.encode() | ||
| + | self.prefix = 'PREF'.encode() | ||
| + | self.target = base64.b64decode( #You are suppose to break this | ||
| + | "Q2xhcCB5b3VyIGhhbmQgb25jZSBhbmQgY2xhcCB5b3VyIGhhbmRzIHR3aWNlCkFuZCBpZiBpdCBsb29rcyBsaWtlIHRoaXMgdGhlbiB5b3UgZG9pbmcgaXQgcmlnaHQ=" | ||
| + | ) | ||
| + | def encrypt(self, message): | ||
| + | return encrypt_aes_128_ecb( | ||
| + | self.prefix + message + self.target, | ||
| + | self.key | ||
| + | ) | ||
| + | |||
| + | def findBlockSize(): | ||
| + | initialLength = len(Oracle().encrypt(b'')) | ||
| + | i = 0 | ||
| + | while 1: # Feed identical bytes of your-string to the function 1 at a time until you get the block length | ||
| + | #You will also need to determine here the size of fixed prefix + target + pad | ||
| + | #And the minimum size of the plaintext to make a new block | ||
| + | length = len(Oracle().encrypt(b'X'*i)) | ||
| + | i+=1 | ||
| + | |||
| + | return blockSize, sizeOfTheFixedPrefixPlusTarget, minimumSizeToAlighPlaintext | ||
| + | |||
| + | def findPrefixSize(block_size): | ||
| + | previous_blocks = None | ||
| + | #Find the situation where prefix_size + padding_size - 1 = block_size | ||
| + | ### Use split_bytes_in_blocks to get blocks of size(block_size) | ||
| + | |||
| + | return prefix_size | ||
| + | |||
| + | |||
| + | def recoverOneByteAtATime(blockSize, prefixSize, targetSize): | ||
| + | know_target_bytes = b"" | ||
| + | for _ in range(targetSize): | ||
| + | # r+p+k+1 = 0 mod B | ||
| + | r = prefixSize | ||
| + | k = len(know_target_bytes) | ||
| + | |||
| + | padding_length = (-k-1-r) % blockSize | ||
| + | padding = b"X" * padding_length | ||
| + | |||
| + | # target block plaintext contains only known characters except its last character | ||
| + | |||
| + | # trying every possibility for the last character | ||
| + | |||
| + | print(know_target_bytes.decode()) | ||
| + | |||
| + | #Find block size, prefix size, and length of plaintext size to allign blocks | ||
| + | blockSize, sizeOfTheFixedPrefixPlusTarget, minimumSizeToAlighPlaintext = findBlockSize(); | ||
| + | |||
| + | #Find size of the prefix | ||
| + | prefixSize = findPrefixSize(blockSize) | ||
| + | |||
| + | #Size of the target | ||
| + | targetSize = sizeOfTheFixedPrefixPlusTarget - minimumSizeToAlighPlaintext - prefixSize | ||
| + | |||
| + | recoverOneByteAtATime(blockSize, prefixSize, targetSize) | ||
| </code> | </code> | ||
