Recent changes

This is an old revision of the document!

Lab 08 - MACs

In this lab we'll do some exercises with Message Authentication Codes.

Exercise 1 - Existential Unforgeability

In this exercise we will attack an insecure MAC algorithm by showing that an adversary can forge a (message, tag) pair without first querying a $\mathsf{Tag}$ oracle with the message.

Let $F$ be a $\mathsf{PRF}$. Show that the following MAC is insecure by constructing an efficient adversary with non-negligible advantage. The key is $k \in \{0, 1\}^n$, and for any message $m = m1 \| m2$ with $\left|m_1\right| = \left|m_2\right| = n$, the MAC is computed as:

$\mathsf{Tag}(k, m_1 \| m_2) = F_k(m_1) \| F_k(F_k(m_2)) $

Exercise 2 - Timing attack

In this exercise you will perform a timing attack against CBC-MAC.

You are given access to a CBC-MAC $\mathsf{Verify}$ oracle, which tests whether the received tag matches the one computed using the secret key. Timing attacks exploit naive equality comparisons between the received and computed MACs (for example, the comparison is done byte by byte; more checks means more latency).

Your task is to produce a forged tag for the message 'Hristos a inviat' without knowing the key. Do this by iterating through all possible values for a specific byte; when the oracle's latency for a certain value seems larger than the rest, it suggests that the equality test returned True and the oracle passed to the next byte.

Try to start by finding the first byte and checking your result with the timing attack.

You can use time.clock() before and after each oracle query to measure its runtime.

The oracle's latency is subject to noise; for the best results, you may need to run each query multiple times (try 30) and compute the mean latency.

TODO1: Implement the CBC-MAC function.

TODO2: Implement the MAC time verification attack and obtain the desired MAC without knowing the key.

timing.py
import sys
import random
import string
import time
import itertools
import operator
import base64
 
from Crypto.Cipher import AES
from Crypto.Hash import SHA256
 
def aes_enc(k, m):
  """ 
  Encrypt a message m with a key k in ECB mode using AES as follows:
  c = AES(k, m)
 
  Args:
    m should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...')
    k should be a bytestring of length exactly 16 bytes.
 
  Return:
    The bytestring ciphertext c
  """
  aes = AES.new(k)
  c = aes.encrypt(m)
 
  return c
 
def aes_dec(k, c):
  """
  Decrypt a ciphertext c with a key k in ECB mode using AES as follows:
  m = AES(k, c)
 
  Args:
    c should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...')
    k should be a bytestring of length exactly 16 bytes.
 
  Return:
    The bytestring message m
  """
  aes = AES.new(k)
  m = aes.decrypt(c)
 
  return m
 
def aes_enc_cbc(k, m, iv):
  """
  Encrypt a message m with a key k in CBC mode using AES as follows:
  c = AES(k, m)
 
  Args:
    m should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...')
    k should be a bytestring of length exactly 16 bytes.
    iv should be a bytestring of length exactly 16 bytes.
 
  Return:
    The bytestring ciphertext c
  """
  aes = AES.new(k, AES.MODE_CBC, iv)
  c = aes.encrypt(m)
 
  return c
 
def aes_dec_cbc(k, c, iv):
  """
  Decrypt a ciphertext c with a key k in CBC mode using AES as follows:
  m = AES(k, c)
 
  Args:
    c should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...')
    k should be a bytestring of length exactly 16 bytes.
    iv should be a bytestring of length exactly 16 bytes.
 
  Return:
    The bytestring message m
  """
  aes = AES.new(k, AES.MODE_CBC, iv)
  m = aes.decrypt(c)
 
  return m
 
def aes_cbc_mac(k, m):
  """
  Compute a CBC-MAC of message m with a key k using AES as follows:
  t = AES-CBC-MAC(k=(k1,k2), m),
  where k1 is used for the raw-CBC operation and k2 is used for the final
  encryption.
 
  k1 and k2 are derived from k as follows:
  [k1|k2] = SHA256(k | "CBC MAC keys")
 
  Note: the IV for CBC in this case will be 0.
 
  Args:
    m should be a bytestring multiple of 16 bytes (i.e. a sequence of characters such as 'Hello...' or '\x02\x04...')
    k should be a bytestring of length exactly 16 bytes.
 
  Return:
    The bytestring MAC t, of 16 bytes.
  """
 
  #Require good size
  m = m.ljust(16)
  k = k.ljust(16)
 
  #Derive the keys for raw-CBC and for the final tag
  #[k1 | k2] = SHA256(k + "CBC MAC keys")
 
  #Get the MAC:
  #1 - Do aes-CBC with k1 and iv=0, then keep only last block (last 16 bytes) of encryption
  #2 - Perform another AES encryption (simple, without CBC) on the last block from #1 using k2
  #t = tag
  t = 16*'\x00'
 
  return t
 
def verify(message, tag):
  key = 'Cozonace si oua '
 
  # Get correct tag
  goodtag = aes_cbc_mac(key, message)
 
  # Compare tags
  for i in range(16):
    # Artificially extend byte comparison duration
    time.sleep(0.1)
    if tag[i] != goodtag[i]:
      return False
 
  return True
 
 
def main():
  message = 'Hristos a inviat'
 
  # Step 1. Iterate through all possible first byte values, and call the
  # Verify oracle for each of them
  tag = 16*'\x00'
  verify(message, tag)
 
  # Step 2. Store the byte which caused the longest computation time
 
  # Step 3. Continue the operation for each byte (except the last)
 
  # Step 4. Guess the last byte, and query the oracle with the complete tag
  mytag = '???'
  result = verify(message, mytag)
  if result == True:
    print "Found tag: " + mytag
 
if __name__ == "__main__":
  main()

Exercise 3 - Birthday attack

In this exercise you will perform a Birthday attack on SHA256.

Your goal is to find two messages, $M_1$ and $M_2$, such that for the first four bytes $\mathsf{SHA256}(M_1) = \mathsf{SHA256}(M_2)$.

The collision will be $32$ bits long, which means you will need $2^{16}$ random messages in your attack. Note that the attack is not guaranteed to succeed; on average, two iterations of the attack are required to find a collision.

birthday.py
import sys
import string
import base64
 
from Crypto.Hash import SHA256
 
def raw2hex(raw):
    return raw.encode('hex')
 
 
def hex2raw(hexstring):
    return base64.b16decode(hexstring)
 
hexdigits = '0123456789ABCDEF'
 
def hash(message):
    h = SHA256.new()
    h.update(message)
    return h.digest()
 
 
def main():
    # Try to find a collision on the first 4 bytes (32 bits)
 
    # Step 1. Generate 2^16 different random messages
 
    # Step 2. Compute hashes
 
    # Step 3. Check if there exist two hashes that match in the first
    # four bytes.
 
    # Step 3a. If a match is found, print the messages and hashes
 
    # Step 3b. If no match is found, repeat the attack with a new set
    # of random messages
 
    pass
 
if __name__ == "__main__":
    main()

Laboratoare

Lab 01 - Introduction

Lab 02 - Shift and Vigenère ciphers

Lab 03 - PRGs

Lab 04 - PRGs, PRFs and PRPs

Lab 05 - DES

Lab 06 - CBC Padding Attack

Lab 07 - Correlation Power Analysis

Lab 08 - MACs, Hashes, OpenSSL

Lab 09 - OpenSSL AEAD

Lab 10 - Public key encryption

Resurse

Homework 1

Table of Contents

sasc/laboratoare/08.1461664872.txt.gz · Last modified: 2016/04/26 13:01 by sergiu.costea
Old revisions
Media ManagerBack to top
CC Attribution-Share Alike 3.0 Unported
www.chimeric.de Valid CSS Driven by DokuWiki do yourself a favour and use a real browser - get firefox!! Recent changes RSS feed Valid XHTML 1.0