Show page

Differences

This shows you the differences between two versions of the page.

--- sasc:laboratoare:05 [2015/04/23 20:03]
marios.choudary [Your task]
+++ sasc:laboratoare:05 [2017/03/23 19:53] (current)
marios.choudary
@@ Line 1: / Line 1: @@
-===== Laboratorul 05. =====
+===== Lab 05 - DES =====
-In this lab we'll try to implement the CBC-padding attack of Serge Vaudenay:
-http://link.springer.com/content/pdf/10.1007%2F3-540-46035-7_35.pdf
-See sections 3.1 to 3.3 of chapter 3 in the paper above.
+In this lab we'll do some exercises with DES and some of its variants, as we discussed in the last lecture:
+http://cs.curs.pub.ro/2014/pluginfile.php/13095/mod_resource/content/2/sasc_curs4_5.pdf
-==== About padding ====
+==== Exercise 1 (2p) ====
-Given a message of length L bytes, we need to pad with b more bytes such that L+b is a multiple of the cipher's block size (e.g. 16 bytes in the case of AES). Each of the last b bytes will have the value b. For example, for a message that has 30 bytes, we shall add two bytes with the value 0x02 at the end, obtaining m = [b1 | b2 | .. | b30 | 0x02 | 0x02], where bi are the 30 original bytes.
-==== Attacking CBC-padding ====
+Remember DESX defined as the operation DESX( (k1,k2,k3), m) = k1 ⊕ DES(k2, m ⊕ k3),
+where k1, k3 have 64 bits (same as input/output of DES) and k2 has 56 bits (DES key size).
+Show a brute force (exhaustive key search) attack on DESX that runs in time $O(2^{120})$.
-The idea in short is the following: given a 1-block ciphertext c = [c1 | c2 | ... | c16], you can find its last byte by crafting a 2-block ciphetext c' = [r | c], where r = [r1 | r2 | ... | r16] contains random bytes. Then, by using an oracle that tells you whether the padding of the decryption of c' is correct or not, you can determine the value of c16. For this you just try all possible values of r16, until for one of them you will find that the oracle returns a successful result (it will do that for one value). In that case, due to the workings of CBC, you found out that r16 ⊕ LSB(Dec(k, c)) = 1. Hence you find that the last byte of the decryption of c is r16 ⊕ 1.
+<note tip>
+Try using a couple of (message, ciphertext) pairs and see if you can get rid of k1
+somehow in order to speed up a brute force attack.
+</note>
-Once you found the last byte c16 of the decryption of c, you can work your way towards the following byte, c15. This time you need to target the two-byte padding [0x02 | 0x02]. For this you simply use for r16 the value LSB(Dec(k, c)) ⊕ 0x02, and try all values for r15 just as we did above for r16. In the same manner you can decrypt all the ciphertext blocks c1 ... c16.
+==== Exercise 2 (3p) ====
-You can then repeat the above process for any ciphertext of arbitrary length. Simply apply the attack on all blocks.
+Show why the following schemes do not bring any real advantage compared to DES:
+  * a) c = k1 ⊕ DES(k2, m)
+  * b) c = DES(k2, m ⊕ k1)
 <note tip>
-To obtain a message that was encrypted with CBC, you also need the initial value (IV) and then you need to apply CBC decryption using the values obtained above. Those are just intermediary values, and not the actual message.
+You may use a similar approach to what you did in the previous exercise.
-Check the course for details:
-http://cs.curs.pub.ro/2014/pluginfile.php/13369/mod_resource/content/2/sasc_curs6.pdf
 </note>
+==== Exercise 3 (5p) ====
+The goal of this exercise is to implement the meet-in-the-middle attack on double DES.
+For this, you are given a starter code (see below), implemented using the Pycrypto library:
+https://pypi.python.org/pypi/pycrypto
+Perform the following tasks:
+  * a) Install the pycrypto library
+  * b) Starting from the starter code (see below), write methods to encrypt and decrypt using double-DES (2DES), defined as follows:
+<quote> 2DES( (k1,k2), m) = DES(k1, DES(k2, m))</quote>
+  * c) You are given the ciphertexts
+c1 = 'cda98e4b247612e5b088a803b4277710f106beccf3d020ffcc577ddd889e2f32'
-==== Your task ====
+c2 = '54826ea0937a2c34d47f4595f3844445520c0995331e5d492f55abcf9d8dfadf'
-You are given the following ciphertext:
+as hex strings (i.e. you need to decode them to get the actual byte strings to use with DES, e.g. c1.decode('hex'))
-b43d4b821332868fece8149eea14a2b0a98c7bed43cc1cf75f4e778cb315dc1d92
-d0340e0aab4900ca8af9adaee761e2affa3e9996d81483e950b913492b
+Decrypt them using the following keys:
-and a padding oracle (see below in the Python script), which knows the key that was used to encrypt the ciphertext and which will answer 1 if the padding of the ciphertext is correct and 0 otherwise.
+k1 = 'Smerenie'
-Your task is to decrypt the message by using the CBC-padding attack.
+k2 = 'Dragoste'
+The plaintext corresponding to c1 is m1='Fericiti cei saraci cu duhul, ca'. Find the plaintext m2 corresponding to c2.
 <note tip>
-You are not allowed to use the key from the file, but you can (and you may have to) use the IV in order to decrypt the entire message.
+With the Pycrypto library, DES is given a key in 8 bytes (64 bits) rather than 7 (56 bits). However, the last bit in each byte is considered as a parity bit, but in fact ignored in this library, leaving the actual key in 56 bits. For this and the following exercises, we assume the entire key as 64 bits, given for example as 8 characters, as above.
+Note also that for this exercises, we shall be using the default values when initialising the DES cipher (i.e. ECB mode and no IV).
 </note>
-Here is a starting python script, which contains your padding oracle:
+  * d) Decrypt the entire ciphertext (c1 || c2) with k1 and k2 using 2DES and check it matches the messages m1||m2 above.
+  * e) You are given the following ciphertext/plaintext pairs:
+m1 = 'Pocainta' (in byte string, i.e. can be used directly with Pycrypto DES)
+c1 = '9f98dbd6fe5f785d' (in hex string, you need to hex-decode)
+m2 = 'Iertarea'
+c2 = '6e266642ef3069c2'
+Due to a problem with the PRG, you also know the last 6-bytes of each key (note we now have a different key than for the previous exercises):
+k1 (last 6 bytes) = 'oIkvH5'
+k2 (last 6 bytes) = 'GK4EoU'
+To build a table, I recommend using a list of tuples, where you add new (key,enc) pairs as follows:
+<code>
+tb = []
+tb.append(('keyval', 'encva'))
+</code>
+To sort the table, you can do this:
+<code>
+tbs = sorted(tb, key=itemgetter(1))
+</code>
+To search with binary search, first select just the second column (to search the encryptions):
+<code>
+tenc = [value for _,value in tbs]
+</code>
+then use the bisect library (e.g. bisect.bisect_left)
+https://docs.python.org/2/library/bisect.html
+The starter code is this:
 <code>
@@ Line 45: / Line 99: @@
 import random
 import string
+from operator import itemgetter
 import time
-from Crypto.Cipher import AES
+import bisect
+from Crypto.Cipher import DES
-IV = 'Hristos a inviat'
-KEY = 'Sfantul Gheorghe'
 def strxor(a, b): # xor two strings (trims the longer input)
@@ Line 109: / Line 162: @@
   lh = len(hs)
   return hs.zfill(lh + lh%2)
-def check_cbcpad(c):
-  """
-  Oracle for checking if a given ciphertext has correct CBC-padding.
-  That is, it checks that the last n bytes all have the value n.
-  Args:
+def get_index(a, x):
-    c is the ciphertext to be checked. Note: the key is supposed to be
+  'Locate the leftmost value exactly equal to x in list a'
-    known just by the oracle.
+  i = bisect.bisect_left(a, x)
+  if i != len(a) and a[i] == x:
+    return i
+  else:
+    return -1
-  Return 1 if the pad is correct, 0 otherwise.
+def des_enc(k, m):
   """
-  m = aes_dec_cbc(KEY, c, IV)
+  Encrypt a message m with a key k using DES as follows:
-  lm = len(m)
+  c = DES(k, m)
-  lb = ord(m[lm-1])
-  if lb > lm:
+  Args:
-    return 0
+    m should be a bytestring (i.e. a sequence of characters such as 'Hello' or '\x02\x04')
+    k should be a bytestring of length exactly 8 bytes.
-  for k in range(lb):
+  Note that for DES the key is given as 8 bytes, where the last bit of
-    if ord(m[lm-1-k]) != lb:
+  each byte is just a parity bit, giving the actual key of 56 bits, as expected for DES.
-      return 0
+  The parity bits are ignored.
-  return 1
-def aes_enc(k, m):
-  """
-  Encrypt a message m with a key k in ECB mode using AES as follows:
-  c = AES(k, m)
-  Args:
-    m should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...')
-    k should be a bytestring of length exactly 16 bytes.
   Return:
     The bytestring ciphertext c
   """
-  aes = AES.new(k)
+  d = DES.new(k)
-  c = aes.encrypt(m)
+  c = d.encrypt(m)
   return c
-def aes_dec(k, c):
+def des_dec(k, c):
   """
-  Decrypt a ciphertext c with a key k in ECB mode using AES as follows:
+  Decrypt a message c with a key k using DES as follows:
-  m = AES(k, c)
+  m = DES(k, c)
   Args:
-    c should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...')
+    c should be a bytestring (i.e. a sequence of characters such as 'Hello' or '\x02\x04')
-    k should be a bytestring of length exactly 16 bytes.
+    k should be a bytestring of length exactly 8 bytes.
-  Return:
+  Note that for DES the key is given as 8 bytes, where the last bit of
-    The bytestring message m
+  each byte is just a parity bit, giving the actual key of 56 bits, as expected for DES.
-  """
+  The parity bits are ignored.
-  aes = AES.new(k)
-  m = aes.decrypt(c)
-  return m
-def aes_enc_cbc(k, m, iv):
-  """
-  Encrypt a message m with a key k in CBC mode using AES as follows:
-  c = AES(k, m)
-  Args:
-    m should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...')
-    k should be a bytestring of length exactly 16 bytes.
-    iv should be a bytestring of length exactly 16 bytes.
   Return:
-    The bytestring ciphertext c
+    The bytestring plaintext m
   """
-  aes = AES.new(k, AES.MODE_CBC, iv)
+  d = DES.new(k)
-  c = aes.encrypt(m)
+  m = d.decrypt(c)
-  return c
-def aes_dec_cbc(k, c, iv):
-  """
-  Decrypt a ciphertext c with a key k in CBC mode using AES as follows:
-  m = AES(k, c)
-  Args:
-    c should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...')
-    k should be a bytestring of length exactly 16 bytes.
-    iv should be a bytestring of length exactly 16 bytes.
-  Return:
-    The bytestring message m
-  """
-  aes = AES.new(k, AES.MODE_CBC, iv)
-  m = aes.decrypt(c)
   return m
 def main():
-  # Find the message corresponding to this ciphertext by using the cbc-padding attack
+  # Exercitiu pentru test des2_enc
-  c = '553b43d4b821332868fece8149eea14a2b0a98c7bed43cc1cf75f4e778cb315dc1d928d0340e0aab4900ca8af9adaee761e2affa3e9996d81483e950b913492b'
+  key1 = 'Smerenie'
-  ct = c.decode('hex') # use this one with AES decrypt
+  key2 = 'Dragoste'
+  m1_given = 'Fericiti cei saraci cu duhul, ca'
+  c1 = 'cda98e4b247612e5b088a803b4277710f106beccf3d020ffcc577ddd889e2f32'
+  # TODO: implement des2_enc and des2_dec
+  m1 = des2_dec(key1, key2, c1.decode('hex'))
-  #Check correct padding
+  print 'ciphertext: ' + c1
-  print 'Oracle check of pad = ' + str(check_cbcpad(ct))
+  print 'plaintext: ' + m1
+  print 'plaintext in hexa: ' + m1.encode('hex')
+  # TODO: run meet-in-the-middle attack for the following plaintext/ciphertext
+  m1 = 'Pocainta'
+  c1 = '9f98dbd6fe5f785d' # in hex string
+  m2 = 'Iertarea'
+  c2 = '6e266642ef3069c2'
+  # Note: you only need to search for the first 2 bytes of the each key:
+  k1 = '??oIkvH5'
+  k2 = '??GK4EoU'
-  # TODO: implement CBC-padding attack to find the message corresponding to the above ciphertext
-  # Note: you cannot use the key above to simply decrypt, but you must implement the CBC-padding attack
-  # However: you may use the IV in order to recover the full message
@@ Line 221: / Line 242: @@
   main()
 </code>