Ejemplo n.º 1
0
def oracle_cbc(P):
    request = format_request(P)
    compressed_request = zlib.compress(request.encode('ascii'))
    key = util.randbytes(16)
    iv = util.randbytes(16)
    cipher = AES.new(key, AES.MODE_CBC, iv)
    encrypted_request = cipher.encrypt(util.padPKCS7(compressed_request, 16))
    return len(encrypted_request)
Ejemplo n.º 2
0
def encryption_oracle(s):
    key = util.randbytes(16)
    cipher = AES.new(key, AES.MODE_ECB)
    if random.randint(0, 1) == 0:
        print('Encrypting with ECB')
    else:
        print('Encrypting with CBC')
        IV = util.randbytes(16)
        cipher = challenge10.CBC(cipher, IV)
    s = util.randbytes(random.randint(5, 10)) + s + util.randbytes(random.randint(5, 10))
    s = util.padPKCS7(s, 16)
    return cipher.encrypt(s)
Ejemplo n.º 3
0
def encryption_oracle(s):
    global key
    global prefix
    if key is None:
        key = util.randbytes(16)
    if prefix is None:
        # TODO(akalin): Extend to arbitrary sizes.
        randcount = random.randint(16, 32)
        prefix = util.randbytes(randcount)
    cipher = AES.new(key, AES.MODE_ECB)
    s = util.padPKCS7(prefix + s + base64.b64decode(challenge12.encodedSuffix), 16)
    return cipher.encrypt(s)
Ejemplo n.º 4
0
def encryption_oracle(s):
    global key
    if key is None:
        key = util.randbytes(16)
    cipher = AES.new(key, AES.MODE_ECB)
    s = util.padPKCS7(s + base64.b64decode(encodedSuffix), 16)
    return cipher.encrypt(s)
Ejemplo n.º 5
0
def oracle_ctr(P):
    request = format_request(P)
    compressed_request = zlib.compress(request.encode('ascii'))
    key = util.randbytes(16)
    ctr = Counter.new(128)
    cipher = AES.new(key, AES.MODE_CTR, counter=ctr)
    encrypted_request = cipher.encrypt(compressed_request)
    return len(encrypted_request)
Ejemplo n.º 6
0
def decipher_last_block_previous_byte(iv, s, padding_oracle, knownI, knownP):
    k = len(knownI) + 1
    prefix = util.randbytes(16 - k)
    for i in range(256):
        c1 = s[-32:-16] if len(s) > 16 else iv
        c1p = prefix + bytes([i]) + bytes([ch ^ k for ch in knownI])
        sp = s[:-32] + c1p + s[-16:]
        if padding_oracle(iv, sp):
            iPrev = i ^ k
            pPrev = c1[-k] ^ iPrev
            return (bytes([iPrev] + list(knownI)), bytes([pPrev] + list(knownP)))
    raise Exception('unexpected')
Ejemplo n.º 7
0
def frontend_send_message(sender, recipient, amount):
    global key
    global last_sent_message
    if not re.match(b'^[A-Za-z]+$', sender):
        raise Exception(b'Invalid sender ' + sender)
    if not re.match(b'^[A-Za-z]+$', recipient):
        raise Exception(b'Invalid recipient ' + recipient)
    amount = int(amount)
    message = b'from=' + sender + b'&to=' + recipient + b'&amount=' + str(amount).encode('ascii')
    iv = util.randbytes(16)
    last_sent_message = message + iv + CBC_MAC(key, iv, message)
    print('C:', last_sent_message)
    backend_process_message(last_sent_message)
Ejemplo n.º 8
0
def ciphertext_oracle():
    s = base64.b64decode(random.choice(strings))
    iv = util.randbytes(16)
    cipher = challenge10.CBC(AES.new(key, AES.MODE_ECB), iv)
    return (iv, cipher.encrypt(util.padPKCS7(s, 16)))
Ejemplo n.º 9
0
import util

strings = [
    b'MDAwMDAwTm93IHRoYXQgdGhlIHBhcnR5IGlzIGp1bXBpbmc=',
    b'MDAwMDAxV2l0aCB0aGUgYmFzcyBraWNrZWQgaW4gYW5kIHRoZSBWZWdhJ3MgYXJlIHB1bXBpbic=',
    b'MDAwMDAyUXVpY2sgdG8gdGhlIHBvaW50LCB0byB0aGUgcG9pbnQsIG5vIGZha2luZw==',
    b'MDAwMDAzQ29va2luZyBNQydzIGxpa2UgYSBwb3VuZCBvZiBiYWNvbg==',
    b'MDAwMDA0QnVybmluZyAnZW0sIGlmIHlvdSBhaW4ndCBxdWljayBhbmQgbmltYmxl',
    b'MDAwMDA1SSBnbyBjcmF6eSB3aGVuIEkgaGVhciBhIGN5bWJhbA==',
    b'MDAwMDA2QW5kIGEgaGlnaCBoYXQgd2l0aCBhIHNvdXBlZCB1cCB0ZW1wbw==',
    b'MDAwMDA3SSdtIG9uIGEgcm9sbCwgaXQncyB0aW1lIHRvIGdvIHNvbG8=',
    b'MDAwMDA4b2xsaW4nIGluIG15IGZpdmUgcG9pbnQgb2g=',
    b'MDAwMDA5aXRoIG15IHJhZy10b3AgZG93biBzbyBteSBoYWlyIGNhbiBibG93'
]

key = util.randbytes(16)

def ciphertext_oracle():
    s = base64.b64decode(random.choice(strings))
    iv = util.randbytes(16)
    cipher = challenge10.CBC(AES.new(key, AES.MODE_ECB), iv)
    return (iv, cipher.encrypt(util.padPKCS7(s, 16)))

def padding_oracle(iv, s):
    cipher = challenge10.CBC(AES.new(key, AES.MODE_ECB), iv)
    paddedT = cipher.decrypt(s)
    try:
        t = challenge15.unpadPKCS7(paddedT)
    except ValueError:
        return False
    return True
Ejemplo n.º 10
0
from Crypto.Util.strxor import strxor_c
from Crypto.Util.strxor import strxor
import binascii
import challenge28
import http.server
import socketserver
import time
import urllib.parse
import util

PORT = 9000
DELAY = 0.05

blocksize = 64
key = util.randbytes(100)


def sha1(x):
    return challenge28.SHA1(x).digest()


def hmacSHA1(key, message):
    if len(key) > blocksize:
        key = sha1(key)
    if len(key) < blocksize:
        key += b'\x00' * (blocksize - len(key))

    opad = strxor_c(key, 0x5c)
    ipad = strxor_c(key, 0x36)

    return sha1(opad + sha1(ipad + message))
Ejemplo n.º 11
0
def confirmECB(encryption_oracle, blocksize):
    s = util.randbytes(blocksize) * 2
    t = encryption_oracle(s)
    if t[0:blocksize] != t[blocksize:2 * blocksize]:
        raise Exception('Not using ECB')
Ejemplo n.º 12
0
def encryption_oracle(plaintext):
    prefix = util.randbytes(random.randint(4, 20))
    cipher = MT19937Cipher(key)
    return cipher.encrypt(prefix + plaintext)
Ejemplo n.º 13
0
def confirmECB(encryption_oracle, blocksize):
    s = util.randbytes(blocksize) * 2
    t = encryption_oracle(s)
    if t[0:blocksize] != t[blocksize : 2 * blocksize]:
        raise Exception("Not using ECB")
Ejemplo n.º 14
0
    print('C: writing p...')
    util.writenum(p)

    print('C: writing g...')
    util.writenum(g)

    print('C: writing A...')
    util.writenum(A)

    print('C: reading B...')
    B = util.readnum()

    s = pow(B, a, p)
    key = util.derivekey(s)

    iv = util.randbytes(16)
    encryptedMessage = util.encrypt(key, iv, message)

    print('C: writing encrypted message...')
    util.writebytes(encryptedMessage)

    print('C: writing iv...')
    util.writebytes(iv)

    print('C: reading encrypted message...')
    encryptedMessage2 = util.readbytes()
    message2 = util.decrypt(key, iv, encryptedMessage2)
    if message2 != message:
        raise Exception(message2 + ' != ' + message)
finally:
    sock.close()
Ejemplo n.º 15
0
def encryption_oracle(plaintext):
    prefix = util.randbytes(random.randint(4, 20))
    cipher = MT19937Cipher(key)
    return cipher.encrypt(prefix + plaintext)
Ejemplo n.º 16
0
from Crypto.Random import random
import challenge28
import struct
import util

def padSHA1(s):
    l = len(s) * 8
    s += b'\x80'
    s += b'\x00' * ((56 - (len(s) % 64)) % 64)
    s += struct.pack('>Q', l)
    return s

keylen = random.randint(0, 100)
key = util.randbytes(keylen)

def validate(message, digest):
    return challenge28.authSHA1(key, message) == digest

message = b'comment1=cooking%20MCs;userdata=foo;comment2=%20like%20a%20pound%20of%20bacon'
messageDigest = challenge28.authSHA1(key, message)

def forgeHash(keylen, message, digest, suffix):
    paddedForgedMessageWithKey = padSHA1(key + message) + suffix
    forgedMessage = paddedForgedMessageWithKey[keylen:]
    h = struct.unpack('>5I', digest)
    forgedDigest = challenge28.SHA1(suffix, h[0], h[1], h[2], h[3], h[4], len(paddedForgedMessageWithKey) * 8).digest()
    return (forgedMessage, forgedDigest)

def forgeValidatingHash(maxkeylen, message, digest, suffix):
    for i in range(maxkeylen):
        (forgedMessage, forgedDigest) = forgeHash(i, message, digest, suffix)
Ejemplo n.º 17
0
        i += 1

    if not statesToIndices:
        raise Exception('unexpected')

    s, h = findCollisionInSet(hashFn, iv, blockLength, statesToIndices)
    return s, statesToIndices[h]

def findSecondPreimage(m, hashFn, iv, blockLength, hashLength):
    blockCount = (len(m) + blockLength - 1) // blockLength
    k = blockCount.bit_length()
    prefixState, blocks = makeExpandablePrefix(hashFn, iv, blockLength, k)

    intermediateStateIter = getIntermediateStates(m, hashFn, iv, blockLength)
    bridge, collisionBlockCount = findIntermediateStateCollision(hashFn, prefixState, blockLength, hashLength, intermediateStateIter, k)

    m2 = makeExpandedPrefix(blockLength, blocks, k, collisionBlockCount) + bridge
    m2 += m[len(m2):]
    return m2

if __name__ == '__main__':
    m = util.randbytes(100)
    h = challenge52.badHash(m, b'')
    m2 = findSecondPreimage(m, challenge52.badHash, b'', challenge52.badHashBlockLength, challenge52.badHashHashLength)
    h2 = challenge52.badHash(m2, b'')
    print(m, m2, h, h2)
    if len(m2) != len(m):
        raise Exception('{0} != {1}'.format(len(m2), len(m)))
    if h2 != h:
        raise Exception(h2 + b' != ' + h)
Ejemplo n.º 18
0
def authMD4(key, message):
    md4obj = md4.md4()
    md4obj.update(key + message)
    return md4obj.digest()


def padMD4(s):
    l = len(s) * 8
    s += b'\x80'
    s += b'\x00' * ((56 - (len(s) % 64)) % 64)
    s += struct.pack("<2I", l & 0xffffffff, (l >> 32) & 0xffffffff)
    return s


keylen = random.randint(0, 100)
key = util.randbytes(keylen)


def validate(message, digest):
    return authMD4(key, message) == digest


message = b'comment1=cooking%20MCs;userdata=foo;comment2=%20like%20a%20pound%20of%20bacon'
messageDigest = authMD4(key, message)


def forgeHash(keylen, message, digest, suffix):
    paddedForgedMessageWithKey = padMD4(key + message) + suffix
    forgedMessage = paddedForgedMessageWithKey[keylen:]
    h = struct.unpack('<4I', digest)
    md4obj = md4.md4(h[0], h[1], h[2], h[3])