Differences
This shows you the differences between two versions of the page.
|
sasc:laboratoare:08 [2016/02/21 19:13] sergiu.costea |
sasc:laboratoare:08 [2017/04/24 17:27] (current) dan.dragan |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ===== Lab 08 ===== | + | ===== Lab 08 - MACs, Hashes, OpenSSL ===== |
| - | In this lab we'll implement a side-channel attack known as **Correlation Power Analysis**. | + | ==== Exercise 1 - Timing attack ==== |
| - | The principle is quite simple: | + | In this exercise you will perform a timing attack against CBC-MAC. |
| - | - Choose your target (generally the S-box output of some block cipher - in our case AES) | + | |
| - | - Obtain a large number (thousands) of leakage samples for that target, when processing different plaintexts | + | |
| - | - Choose a suitable leakage model (usually the hamming weight of the target value) | + | |
| - | - For each possible key candidate (e.g. all values from 0 to 255), compute [[http://en.wikipedia.org/wiki/Pearson_product-moment_correlation_coefficient || Person's correlation coefficient]] between the leakage model estimate for that key candidate and the leakage traces. | + | |
| - | - Decide for the key that gives maximum correlation | + | |
| + | You are given access to a CBC-MAC $\mathsf{Verify}$ oracle, which tests whether the received tag matches the one computed using the secret key. Timing attacks exploit naive equality comparisons between the received and computed MACs (for example, the comparison is done byte by byte; more checks means more latency). | ||
| - | We'll discuss more in detail at the lab. | + | Your task is to produce a forged tag for the message 'Hristos a inviat' without knowing the key. Do this by iterating through all possible values for a specific byte; when the oracle's latency for a certain value seems larger than the rest, it suggests that the equality test returned True and the oracle passed to the next byte. |
| - | In this lab we shall use Octave: | + | Try to start by finding the first byte and checking your result with the timing attack. |
| - | [[http://www.gnu.org/software/octave/ | Octave main page]] | + | You can use ''time.clock()'' before and after each oracle query to measure its runtime. |
| - | [[http://wiki.octave.org/Octave_for_Windows | Download link for Windows]] | + | |
| + | <note important> | ||
| + | The oracle's latency is subject to noise; for the best results, you may need to run each query multiple times (try 30) and compute the mean latency. | ||
| + | </note> | ||
| - | You might also need these additional packages: | + | TODO1: Implement the CBC-MAC function. |
| - | [[http://sourceforge.net/projects/octave/files/Octave%20Windows%20binaries/ | Link for additional packages]] | + | <note> |
| + | To check your implementation of CBC-MAC is correct, verify that this (plaintext,tag) verifies fine: | ||
| + | plaintext = 'Placinta de mere' | ||
| + | tag = '07d2771038d62b94fce106cff957da0f' (in hex, you need to apply decode to get a bytestream) | ||
| + | </note> | ||
| - | Use these files as starting point: | + | TODO2: Implement the MAC time verification attack and obtain the desired MAC without knowing the key. |
| - | {{:sasc:laboratoare:lab6.zip|}} | + | |
| + | <note> | ||
| + | Try to print the resulting tag in hex (with tag.encode(hex)). It should start with 51 and end with 81. | ||
| + | </note> | ||
| + | |||
| + | <file python timing.py> | ||
| + | import sys | ||
| + | import random | ||
| + | import string | ||
| + | import time | ||
| + | import itertools | ||
| + | import operator | ||
| + | import base64 | ||
| + | | ||
| + | from Crypto.Cipher import AES | ||
| + | from Crypto.Hash import SHA256 | ||
| + | |||
| + | def slow_foo(): | ||
| + | p = 181 | ||
| + | k = 2 | ||
| + | while k < p: | ||
| + | if p % k == 0: | ||
| + | return | ||
| + | k += 1 | ||
| + | | ||
| + | def aes_enc(k, m): | ||
| + | """ | ||
| + | Encrypt a message m with a key k in ECB mode using AES as follows: | ||
| + | c = AES(k, m) | ||
| + | | ||
| + | Args: | ||
| + | m should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...') | ||
| + | k should be a bytestring of length exactly 16 bytes. | ||
| + | |||
| + | Return: | ||
| + | The bytestring ciphertext c | ||
| + | """ | ||
| + | aes = AES.new(k) | ||
| + | c = aes.encrypt(m) | ||
| + | |||
| + | return c | ||
| + | |||
| + | def aes_dec(k, c): | ||
| + | """ | ||
| + | Decrypt a ciphertext c with a key k in ECB mode using AES as follows: | ||
| + | m = AES(k, c) | ||
| + | |||
| + | Args: | ||
| + | c should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...') | ||
| + | k should be a bytestring of length exactly 16 bytes. | ||
| + | |||
| + | Return: | ||
| + | The bytestring message m | ||
| + | """ | ||
| + | aes = AES.new(k) | ||
| + | m = aes.decrypt(c) | ||
| + | | ||
| + | return m | ||
| + | |||
| + | def aes_enc_cbc(k, m, iv): | ||
| + | """ | ||
| + | Encrypt a message m with a key k in CBC mode using AES as follows: | ||
| + | c = AES(k, m) | ||
| + | |||
| + | Args: | ||
| + | m should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...') | ||
| + | k should be a bytestring of length exactly 16 bytes. | ||
| + | iv should be a bytestring of length exactly 16 bytes. | ||
| + | |||
| + | Return: | ||
| + | The bytestring ciphertext c | ||
| + | """ | ||
| + | aes = AES.new(k, AES.MODE_CBC, iv) | ||
| + | c = aes.encrypt(m) | ||
| + | |||
| + | return c | ||
| + | |||
| + | def aes_dec_cbc(k, c, iv): | ||
| + | """ | ||
| + | Decrypt a ciphertext c with a key k in CBC mode using AES as follows: | ||
| + | m = AES(k, c) | ||
| + | |||
| + | Args: | ||
| + | c should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...') | ||
| + | k should be a bytestring of length exactly 16 bytes. | ||
| + | iv should be a bytestring of length exactly 16 bytes. | ||
| + | |||
| + | Return: | ||
| + | The bytestring message m | ||
| + | """ | ||
| + | aes = AES.new(k, AES.MODE_CBC, iv) | ||
| + | m = aes.decrypt(c) | ||
| + | |||
| + | return m | ||
| + | | ||
| + | def aes_cbc_mac(k, m): | ||
| + | """ | ||
| + | Compute a CBC-MAC of message m with a key k using AES as follows: | ||
| + | t = AES-CBC-MAC(k=(k1,k2), m), | ||
| + | where k1 is used for the raw-CBC operation and k2 is used for the final | ||
| + | encryption. | ||
| + | |||
| + | k1 and k2 are derived from k as follows: | ||
| + | [k1|k2] = SHA256(k | "CBC MAC keys") | ||
| + | |||
| + | Note: the IV for CBC in this case will be 0. | ||
| + | |||
| + | Args: | ||
| + | m should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...') | ||
| + | k should be a bytestring of length exactly 16 bytes. | ||
| + | |||
| + | Return: | ||
| + | The bytestring MAC t, of 16 bytes. | ||
| + | """ | ||
| + | |||
| + | #Require good size | ||
| + | m = m.ljust(16) | ||
| + | k = k.ljust(16) | ||
| + | |||
| + | #Derive the keys for raw-CBC and for the final tag | ||
| + | #[k1 | k2] = SHA256(k + "CBC MAC keys") | ||
| + | |||
| + | #Get the MAC: | ||
| + | #1 - Do aes-CBC with k1 and iv=0, then keep only last block (last 16 bytes) of encryption | ||
| + | #2 - Perform another AES encryption (simple, without CBC) on the last block from #1 using k2 | ||
| + | #t = tag | ||
| + | t = 16*'\x00' | ||
| + | |||
| + | return t | ||
| + | |||
| + | def verify(message, tag): | ||
| + | key = 'Cozonace si oua ' | ||
| + | |||
| + | # Get correct tag | ||
| + | goodtag = aes_cbc_mac(key, message) | ||
| + | | ||
| + | # Compare tags | ||
| + | for i in range(16): | ||
| + | # Artificially extend byte comparison duration | ||
| + | slow_foo() | ||
| + | if tag[i] != goodtag[i]: | ||
| + | return False | ||
| + | |||
| + | return True | ||
| + | |||
| + | |||
| + | def main(): | ||
| + | message = 'Hristos a inviat' | ||
| + | |||
| + | # Step 1. Iterate through all possible first byte values, and call the | ||
| + | # Verify oracle for each of them | ||
| + | tag = 16*'\x00' | ||
| + | verify(message, tag) | ||
| + | |||
| + | # Step 2. Store the byte that caused the longest computation time | ||
| + | |||
| + | # Step 3. Continue the operation for each byte (except the last) | ||
| + | |||
| + | # Step 4. Guess the last byte, and query the oracle with the complete tag | ||
| + | mytag = '???' | ||
| + | result = verify(message, mytag) | ||
| + | if result == True: | ||
| + | print "Found tag: " + mytag | ||
| + | |||
| + | if __name__ == "__main__": | ||
| + | main() | ||
| + | </file> | ||
| + | |||
| + | ==== Exercise 2 ==== | ||
| + | |||
| + | In this first exercise we'll see how to compute hashes using the OpenSSL command line interface. | ||
| + | |||
| + | You can interact with the OpenSSL utilities in two ways: | ||
| + | * directly from bash, by using the ''openssl'' command followed by the desired command and parameters | ||
| + | * from the OpenSSL console, by using the ''openssl'' command without additional arguments. You can close the console by calling ''quit'' or ''exit''. | ||
| + | |||
| + | If the manual pages are correctly installed, you can consult the documentation via ''man <command_name>'' (e.g. ''man md5''). | ||
| + | |||
| + | |||
| + | Hashes are often used to check the integrity of downloaded files. We will now use OpenSSL to compute the MD5 and SHA-1 hashes of this page. | ||
| + | |||
| + | Download this page by running: | ||
| + | |||
| + | <code> | ||
| + | linux$ wget http://ocw.cs.pub.ro/courses/sasc/laboratoare/09 -O sasc.html | ||
| + | </code> | ||
| + | |||
| + | |||
| + | Use OpenSSL to compute the MD5 and SHA-1 hashes of the newly downloaded file; print the output in hexadecimal. | ||
| + | |||
| + | To check your results, you can use ''md5sum'' or ''sha1sum'' as an alternative way of computing the same hashes. | ||
| + | |||
| + | ==== Exercise 3 ==== | ||
| + | |||
| + | In this second exercise we'll use the command line to compute an HMAC, with SHA-1 as the hashing algorithm. | ||
| + | |||
| + | Recall from the lecture that for HMAC to be secure, we need to sample a random key $k \gets \mathcal{K}$. | ||
| + | |||
| + | We can generate random bytes using ''openssl rand''. To compute HMACs, check the documentation for ''openssl dgst''. | ||
| + | |||
| + | For this exercise, use OpenSSL commands to: | ||
| + | - generate a 16 byte random key | ||
| + | - use the key to compute the SHA-1 HMAC of the page downloaded in the previous exercise | ||
| + | |||
| + | |||
| + | ==== Exercise 4 ==== | ||
| + | |||
| + | In this exercise you will implement the Birthday attack on SHA-1 from the previous lab using OpenSSL. The goal is to obtain a collision in the first four bytes of the hash. | ||
| + | |||
| + | In contrast to previous labs, this time we'll use C. You can implement the attack from scratch, or start from our {{:sasc:laboratoare:birthday.tar.gz|archive here}}. | ||
| + | |||
| + | To compute a digest, you might find the code below useful: | ||
| + | |||
| + | <code C> | ||
| + | SHA_CTX context; | ||
| + | SHA1_Init(&context); | ||
| + | SHA1_Update(&context, buffer, length); | ||
| + | SHA1_Final(md, &context); /* md must point to at least 20 bytes of valid memory */ | ||
| + | </code> | ||
| + | |||
| + | <note important> | ||
| + | To compile using OpenSSL you will need to install the development version of the library which includes the header files. | ||
| + | |||
| + | Download the library from https://www.openssl.org/source/old/1.0.1/openssl-1.0.1f.tar.gz, and unpack it. | ||
| + | |||
| + | Open the unpacked folder from bash, and run the following commands: | ||
| + | <code bash> | ||
| + | linux$ ./config --prefix=/home/student/local --openssldir=/home/student/local/openssl | ||
| + | linux$ make | ||
| + | linux$ make install_sw | ||
| + | </code> | ||
| + | |||
| + | To fix the makefile using the new paths, change the variables at the start with the ones below: | ||
| + | <code makefile> | ||
| + | LDFLAGS=-L/home/student/local/lib -lcrypto | ||
| + | CFLAGS=-Wall -g -I/home/student/local/include | ||
| + | </code> | ||
| + | </note> | ||
