## Lab 06 - CBC Padding Attack

In this lab we'll try to implement the CBC-padding attack of Serge Vaudenay: http://link.springer.com/content/pdf/10.1007%2F3-540-46035-7_35.pdf

See sections 3.1 to 3.3 of chapter 3 in the paper above.

You may also use this: http://robertheaton.com/2013/07/29/padding-oracle-attack/

Given a message of length L bytes, we need to pad with b more bytes such that L+b is a multiple of the cipher's block size (e.g. 16 bytes in the case of AES). Each of the last b bytes will have the value b. For example, for a message that has 30 bytes, we shall add two bytes with the value 0x02 at the end, obtaining m = [b1 | b2 | .. | b30 | 0x02 | 0x02], where bi are the 30 original bytes.

The idea in short is the following: given a 1-block ciphertext c = [c1 | c2 | … | c16], you can find its last byte by crafting a 2-block ciphetext c' = [r | c], where r = [r1 | r2 | … | r16] contains random bytes. Then, by using an oracle that tells you whether the padding of the decryption of c' is correct or not, you can determine the value of c16. For this you just try all possible values of r16, until for one of them you will find that the oracle returns a successful result (it will do that for one value). In that case, due to the workings of CBC, you found out that r16 ⊕ LSB(Dec(k, c)) = 1. Hence you find that the last byte of the decryption of c is r16 ⊕ 1.

Once you found the last byte c16 of the decryption of c, you can work your way towards the following byte, c15. This time you need to target the two-byte padding [0x02 | 0x02]. For this you simply use for r16 the value LSB(Dec(k, c)) ⊕ 0x02, and try all values for r15 just as we did above for r16. In the same manner you can decrypt all the ciphertext blocks c1 … c16.

You can then repeat the above process for any ciphertext of arbitrary length. Simply apply the attack on all blocks.

To obtain a message that was encrypted with CBC, you also need the initial value (IV) and then you need to apply CBC decryption using the values obtained above. Those are just intermediary values, and not the actual message. Check the course for details: http://cs.curs.pub.ro/2014/pluginfile.php/13369/mod_resource/content/2/sasc_curs6.pdf

You are given the following ciphertext: 553b43d4b821332868fece8149eea14a2b0a98c7bed43cc1cf75f4e778cb315dc1d92 8d0340e0aab4900ca8af9adaee761e2affa3e9996d81483e950b913492b

and a padding oracle (see the method “check_cbcpad” below), which knows the key that was used to encrypt the ciphertext and which will answer 1 if the padding of the ciphertext is correct and 0 otherwise.

You are not allowed to use the key from the file, but you can (and you may have to) use the IV in order to decrypt the entire message.

import sys
import random
import string
import time
from Crypto.Cipher import AES

IV = 'Hristos a inviat'

def strxor(a, b): # xor two strings (trims the longer input)
return "".join([chr(ord(x) ^ ord(y)) for (x, y) in zip(a, b)])

def hexxor(a, b): # xor two hex strings (trims the longer input)
ha = a.decode('hex')
hb = b.decode('hex')
return "".join([chr(ord(x) ^ ord(y)).encode('hex') for (x, y) in zip(ha, hb)])

def bitxor(a, b): # xor two bit strings (trims the longer input)
return "".join([str(int(x)^int(y)) for (x, y) in zip(a, b)])

def str2bin(ss):
"""
Transform a string (e.g. 'Hello') into a string of bits
"""
bs = ''
for c in ss:
bs = bs + bin(ord(c))[2:].zfill(8)
return bs

def str2int(ss):
"""
Transform a string (e.g. 'Hello') into a (long) integer by converting
first to a bistream
"""
bs = str2bin(ss)
li = int(bs, 2)
return li

def hex2bin(hs):
"""
Transform a hex string (e.g. 'a2') into a string of bits (e.g.10100010)
"""
bs = ''
for c in hs:
bs = bs + bin(int(c,16))[2:].zfill(4)
return bs

def bin2hex(bs):
"""
Transform a bit string into a hex string
"""
bv = int(bs,2)
return int2hexstring(bv)

def byte2bin(bval):
"""
Transform a byte (8-bit) value into a bitstring
"""
return bin(bval)[2:].zfill(8)

def int2hexstring(bval):
"""
Transform an int value into a hexstring (even number of characters)
"""
hs = hex(bval)[2:]
lh = len(hs)
return hs.zfill(lh + lh%2)

"""
Oracle for checking if a given ciphertext has correct CBC-padding.
That is, it checks that the last n bytes all have the value n.

Args:
c is the ciphertext to be checked. Note: the key is supposed to be
known just by the oracle.

Return 1 if the pad is correct, 0 otherwise.
"""
ko = 'Sfantul Gheorghe'
m = aes_dec_cbc(ko, c, IV)
lm = len(m)
lb = ord(m[lm-1])

if lb > lm:
return 0

for k in range(lb):
if ord(m[lm-1-k]) != lb:
return 0

return 1

def aes_enc(k, m):
"""
Encrypt a message m with a key k in ECB mode using AES as follows:
c = AES(k, m)

Args:
m should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...')
k should be a bytestring of length exactly 16 bytes.

Return:
The bytestring ciphertext c
"""
aes = AES.new(k)
c = aes.encrypt(m)

return c

def aes_dec(k, c):
"""
Decrypt a ciphertext c with a key k in ECB mode using AES as follows:
m = AES(k, c)

Args:
c should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...')
k should be a bytestring of length exactly 16 bytes.

Return:
The bytestring message m
"""
aes = AES.new(k)
m = aes.decrypt(c)

return m

def aes_enc_cbc(k, m, iv):
"""
Encrypt a message m with a key k in CBC mode using AES as follows:
c = AES(k, m)

Args:
m should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...')
k should be a bytestring of length exactly 16 bytes.
iv should be a bytestring of length exactly 16 bytes.

Return:
The bytestring ciphertext c
"""
aes = AES.new(k, AES.MODE_CBC, iv)
c = aes.encrypt(m)

return c

def aes_dec_cbc(k, c, iv):
"""
Decrypt a ciphertext c with a key k in CBC mode using AES as follows:
m = AES(k, c)

Args:
c should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...')
k should be a bytestring of length exactly 16 bytes.
iv should be a bytestring of length exactly 16 bytes.

Return:
The bytestring message m
"""
aes = AES.new(k, AES.MODE_CBC, iv)
m = aes.decrypt(c)

return m

def main():

# Find the message corresponding to this ciphertext by using the cbc-padding attack
ct = c.decode('hex')

main() 