def main(message, injection):
""" Your goal is to bypass the oracle's integrity check.
This will break UF-CMA security of the scheme and demonstrate a length
extension attack on the underlying SHA1 hash function, which relies on the
Merkle-Damgard construction internally.
Specifically, you must somehow craft a message that includes the given
parameter WITHIN the default message AND find a valid tag for it WITHOUT
querying the oracle.
Your attack should be able to inject any message you want, but we want you
to include your GT username specifically.
"""
print("forging message that includes %s within %s" % (injection, message))
#
# TODO: Find a way to break UF-CMA security of the scheme.
#
#
# The following is all purely sample code to familiarize yourself with some
# of the available functions and methods. YOU CAN DELETE IT ALL.
#
# forgery = message + injection
# tag = oracle.query(message)
# tag_bytes = crypto.s2b(tag)
# #tag initual state (tis)
# tis = int(tag_bytes, 16)
# a = tis >> 128
# b = (tis >> 96) & 0xffffffff
# c = (tis >> 64) & 0xffffffff
# d = (tis >> 32) & 0xffffffff
# e = tis & 0xffffffff
# inital_state = [a,b,c,d,e]
inital_state = initialize(message)
message_bytes = crypto.s2b(message)
message_padded = crypto.Sha1.pad_message(message_bytes, 512)
injection_bytes = crypto.s2b(injection)
# injection_padded = crypto.Sha1.pad_message(injection_bytes, 512)
forgery = message_padded + injection_bytes
sha = crypto.Sha1()
updated_tag = sha.sha1(injection_bytes, (len(message_padded) * 8) + 512,
initial_state=inital_state)
if oracle.check(crypto.b2s(forgery), updated_tag):
print("message BROKEDN")
else:
print("you failed")
return crypto.b2s(forgery), updated_tag
def main(message, injection):
""" Your goal is to bypass the oracle's integrity check.
This will break UF-CMA security of the scheme and demonstrate a length
extension attack on the underlying SHA1 hash function, which relies on the
Merkle-Damgard construction internally.
Specifically, you must somehow craft a message that includes the given
parameter WITHIN the default message AND find a valid tag for it WITHOUT
querying the oracle.
Your attack should be able to inject any message you want, but we want you
to include your GT username specifically.
"""
print("forging message that includes %s within %s" % (injection, message))
#
# TODO: Find a way to break UF-CMA security of the scheme.
#
#
# The following is all purely sample code to familiarize yourself with some
# of the available functions and methods. YOU CAN DELETE IT ALL.
#
forgery = message + injection
# you can make queries to the oracle
tag = oracle.query(message)
# craft new message/tag based on those queries
hasher = crypto.Sha1()
hasher.update(forgery + tag)
new_tag = hasher.hexdigest()
hasher.clear()
# convert easily between bytes and strings
assert crypto.b2s(crypto.s2b(message)) == message
assert crypto.s2b(crypto.b2s(b"cs6260")) == b"cs6260"
# use sha1 internals directly:
# hasher.sha1()
# hasher.pad_message()
# hasher.create_padding()
manual_tag = hasher.sha1(crypto.s2b(forgery + tag),
extra_length=0,
initial_state=None)
assert new_tag == manual_tag
# check the validity of novel tags
if oracle.verify(message, tag):
pass
return forgery, oracle.query(forgery)
def main(message, injection):
# Get original tag
original_tag = oracle.query(message)
# Get initial hasher state by parsing digest
state = get_initial_state()
# Iterate all possible key lengths, 1 - 100
for key_length in range(0, 110):
hasher = crypto.Sha1()
# Create original message payload, with unknown key of "****"
original_message = b'*' * key_length + crypto.s2b(message)
# Pad this message, removing key from beginning
padded_original = hasher.pad_message(original_message)[key_length:]
# Create our new message string, the original padded plus injection
new_message = padded_original + crypto.s2b(injection)
# Create a hash using extra padding and intial state
extra_length = int(
math.ceil((len(padded_original) + key_length) * 8 / 512.0)) * 512
new_hash = hasher.sha1(crypto.s2b(injection),
extra_length=extra_length,
initial_state=state)
# If the hash works, return it
if oracle.check(new_message, new_hash):
return crypto.b2s(new_message), new_hash
return crypto.s2b(""), ""
def main(message, injection):
""" Your goal is to bypass the oracle's integrity check.
This will break UF-CMA security of the scheme and demonstrate a length
extension attack on the underlying SHA1 hash function, which relies on the
Merkle-Damgard construction internally.
Specifically, you must somehow craft a message that includes the given
parameter WITHIN the default message AND find a valid tag for it WITHOUT
querying the oracle.
Your attack should be able to inject any message you want, but we want you
to include your GT username specifically.
"""
print("forging message that includes %s within %s" % (injection, message))
#
# TODO: Find a way to break UF-CMA security of the scheme.
#
#
# The following is all purely sample code to familiarize yourself with some
# of the available functions and methods. YOU CAN DELETE IT ALL.
#
inital_state = initialize(message)
message_bytes = crypto.s2b(message)
message_padded = crypto.Sha1.pad_message(message_bytes, 512)
injection_bytes = crypto.s2b(injection)
forgery = message_padded + injection_bytes
forgery_string = crypto.b2s(forgery)
sha = crypto.Sha1()
message_length = (len(message_padded) * 8) + 512
updated_tag = sha.sha1(injection_bytes,
message_length,
initial_state=inital_state)
# sanityCheck(forgery_string, updated_tag)
return forgery_string, updated_tag